Here’s why disabling Flash in your browsers may not be enough…

Adobe FlashPoor old Adobe Flash. The seemingly endless cycle of zero-day vulnerabilities, in-the-wild exploits, and rushed-out patches has given the software something of a bad name.

It’s no wonder that people are calling for it to be killed off.

Flash’s funeral might still be some way off, but there are plenty of computer users who are choosing to control its functionality through Click-to-Play or ridding it from their browser entirely.

But, as security firm Fortinet explains, even if you turn off Flash support from your browser that doesn’t mean your computer can’t be hit by a Flash attack:

Sign up to our free newsletter.
Security news, advice, and tips.

“Flash files can not only be embedded in a web page but also in various document formats such as Microsoft Office documents and PDF files. Even if you have disabled Flash in your browsers, Flash exploits can still leverage Flash player vulnerabilities through software like Microsoft Office and Adobe Reader.”

They’re quite correct.

A Flash vulnerability doesn’t have to be exploited through poisoned webpages (although this is a common vector for infection). Attacks can also be launched against targeted computers by tricking computer users into opening a file which has Flash content embedded inside it – such as a Word document, a Powerpoint presentation or Adobe PDF file.

Embedded object

System administrators responsible for security their company’s computers would do well to remember this. To best secure your systems, adopt an approach of layered protection, reducing the chances of successful exploitation and ensuring that Adobe Flash is always running the latest security updates.

Alternatively, if you don’t think you can manage that, consider banishing Flash entirely from ever getting anywhere near your computers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “Here’s why disabling Flash in your browsers may not be enough…”

  1. Gil Favor

    Uh-oh…this is not good. Removing Flash altogether is not an option for me, because a proprietary application I occasionally need to run relies on Flash. The application itself is secure, and I'm using click-to-play for browsers, but if Flash's exposure hazard includes MS Word and PDF documents, we're talking major suckage here. I use MS Word and PDF files daily.

    I'm already very cautious about Word files, but PDFs are so ubiquitous…how can one be sure a PDF hasn't been loaded with a dog's egg into which one can unwarily step? Do Flash exploits require the user to click on a link, or can they run automatically, just by opening a containing document? I can inspect links before clicking, but if these nasty bits can execute upon merely opening a Word or PDF document…aaarrrggghhh!!!

    Damn and blast! I feel myself being drawn into the ranks of those who wonder why Adobe doesn't just put Flash out of its perpetual misery.

  2. Andy Lee Robinson

    WTF is Flash and objects doing inside a PDF?
    PDF is, or should be a portable document formant, ie static and dumb apart from the ability to annotate.

    1. I remember thinking the same thing 20 years ago – although then it was WTF has Microsoft put an auto executing macro language into Word docs?

      1. Coyote · in reply to Graham Cluley

        Me too. And then (this is a rough guesstimate) about 10-12 years ago they decided it would be a good idea to have executable code in graphics (but maybe they figured this wasn't a good idea at some point down the road ?). I remember discussing this with some friends about how on Earth could an image have malware. I suggested to them the answer and of course it was exactly that: the fact the viewer would execute code from the image itself is hard to fathom (but that is Microsoft for you, eh?); it is one thing for scripting language for filtering (image filters) and the like, but there is no need for an image to have executable code! POC (in this case it might be both POCs but I refer to proof of concept) or not is immaterial.

        And Andy (…) you have part of it right:
        "ie static and dumb"
        Indeed dumb. Statically dumb, even. The static part only refers to that dumb is part of it; these 'ingenious' ideas won't exactly improve; that is, they will continue and some of them will be worse (see part about images above).

  3. Frank Pod

    What do you propose to replace it with. Hulu needs it to show videos and many yahoo articles use it to display video. Just fix it and shut the hell up!

    1. Coyote · in reply to Frank Pod

      Yes, that would be a good idea, wouldn't it, to fix it? Try telling that to Adobe though. I think we all wish you good luck; you'll need it. As for what to replace it with – HTML5 maybe ? It would depend on what is required (of the service). But it has a terrible record with security, and I don't see it improving.

  4. alan burnett-provan

    could some one please tell me how to down load play and click adobe flash, or is there a safe way to watch the video links my friends send me. many thanks.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.