# Flash Security

## phishintrip007

I have a question about Adobe Flash and security. I want to use Adobe Flash because Gnash and swfdec don't seem to work on a lot of sites, but I am concerned over the security warning. What exactly is the security issue? Is it within the Adobe Flash package itself, or is it a Gentoo-specific issue? Is there a way to still use Adobe Flash and isolate it from anything else critical/personal/confidential on my machine, or is it one or the other?

----------

## ChrisJumper

Hi phishintrip007!

Let's talk about it. Adobe Flash is an old piece of software. I don't take a look at the code myself, but I read and hear about people that worked on it or wrote exploits. Adobe Flash has major bugs, by design; one is that it tries to support old versions/formats/standards, to run nearly everything that was developed and supported by Flash from 1992 up to today.

It also implements some codecs for sound, images and video formats over the years. And that makes it so dangerous to use.

It's just a question of time to find a new exploit. Mostly the exploits grant user access on your machine, which executes the browser that runs the flash plugin. From the user's point of view it's easy to go ahead and attack your sound or video card driver.

That's why it is so dangerous. So use a flashblock addon to deactivate flash code that you don't need. For it you will get a play symbol on YouTube, for example, that you have to click before you start that code. It's also nice to deactivate some advertising banners.

This is the true reason why Apple and others will not have Flash on their systems; sometimes it's about jailbreaking too. If you have your own squid proxy server you could take a look at the Blitzableiter project. Blitz is the German word for flash, and Blitzableiter is a lightning rod or lightning conductor.

I see now that this project supports some plugins for Firefox too. It goes some steps further and tries to analyse the implemented flash objects for "bad stuff". As far as I remember it's not a black/white list like virus scanners... oh, I just read this from the wiki page:

> The Blitzableiter is a defensive solution for Adobe Flash Rich Internet Applications. It realizes the protection by applying a process of normalization through recreation.
> 
> Blitzableiter protects against attacks using Adobe Flash application files in SWF format. It can prevent attacks targeted at exploiting memory corruption vulnerabilities in the runtime environment as well as attacks using the runtime environment's native functionality maliciously.
> 
> Section 2 will give an overview of the general approach and the Flash file format. Section 3 provides information about the code structure and organization. Section 4 gives advice on how to test and debug the library.


> Is there a way to still use adobe flash and isolate it from anything else critical/personal/confidential on my machine or is it one or the other?


You will never get 100% safety. So no. But... I use it too, until HTML5 reaches our present.

Good guy says: Oh, you could use this flash object because this website is serious.

Bad guy thinks: Because they don't know that I got access (or a man in the middle) and exchanged their flash objects.

Every reduction of flash objects in your internet enjoyment makes your computer's integrity safer for you.

Hope I could help you.

Chris

----------

## cach0rr0

an alternative to a separate plugin - for chromium at least, there is a "Click to Play" feature you can enable

it basically functions the same way as flashblock

and can be used for things like java as well

----------

## phishintrip007

Thanks for the response guys! I really like that flashblock plugin for several reasons, mostly blocking the flash I don't want to see (ads). I know you can't protect people from themselves, so I am fine with it allowing me to play whatever I click on and blocking everything else. I just don't want the browser autorunning everything.

----------

