If you’ve upgraded to Chrome 56 or higher you may notice that Adobe Flash is blocked by default. Chrome now uses HTML5 by default and disables Flash, most likely because of several high-profile and dangerous vulnerabilities in Flash.
While this is a good thing, some websites still use Flash and simply won’t work right without it. Here is a way to enable Flash for only certain websites that you know and trust.
What’s wrong with Flash?
Plenty! Flash vulnerabilities and patching have become an inside joke in IT circles, with announcements of new zero-day exploits coming in droves. In late 2015 Adobe announced 13 (yes, thirteen) new vulnerabilities in one day, five of which were rated ‘critical’ – the highest rating.
What’s worse, since Flash sits in most browsers and across Windows, Mac and Linux platforms, it gives hackers access to a wide array of users in a single attack vector – almost too juicy to pass up. In fact, in 2015, Flash was awarded the ‘most hacked’ prize, with 8 out of the 10 most common attacks targeting Flash (PCWorld).
It has gotten so bad that most major web browsers are now disabling Flash by default, defaulting to HTML5 for dynamic content instead.
According to ZDNET: “And because it’s (Flash) been widely declared obsolete by the vast majority of new websites, more often than not the only benefit in keeping it around is to serve up advertisements. Really, the web won’t suddenly become pitch black if you uninstall it.”
So while it is generally agreed that Flash is a bad thing, it is still used by a small portion of websites, less than 10% by some estimates. In some cases (especially with websites that aren’t updated often) Flash is still needed to access the site.
So what is a security-minded administrator to do?
A Better Way
A better way to handle Flash is to only enable it for the specific sites you know that you need it on.
- From within Chrome go to ‘chrome://settings/content’ by typing it into the address bar
- Scroll to the ‘Flash’ section
- Select “Ask first before allowing sites to run flash.” You will be prompted when a site wants to run Flash, and you can decide whether to allow it for that particular site.
While this article is about Chrome specifically, here are the instructions for Firefox and IE as well:
- From within Firefox click the Menu button and select “Add-Ons”
- Click “Plugins” in the sidebar
- Scroll to find “Shockwave Flash” in the list and select “Ask to Activate” from the options. This will prompt you when a site asks to run Flash and you can decide to allow it for the particular site.
- From within IE, select the Gear icon and select “Manage Add-Ons”
- Locate the “Shockwave Flash Object”, right-click and select “More Information”
- If you see a ‘*’ in the window labeled “You have approved this add-on to run on the following website”, this means Flash can run without your permission. Click the “Remove All Sites” button to remove that permission from all sites, so that you will be prompted each time a website wants to run Flash and can decide whether to allow it for that particular site.