As I previously pointed out (http://www.eset.com/threat-center/blog/2009/08/04/calling-adobe%E2%80%99s-bluff), Adobe is at best deceptive about claims of the security and privacy of Flash.
Even if you do not know what Flash is or how to find it, you probably have it on your computer. If you open Control Panel and go to the “Add or Remove Programs” application you will probably see it listed there. There could be a few entries. There is “Adobe Flash Player 10 ActiveX” for Internet Explorer and “Adobe Flash Player Plugin” for Firefox. In my limited testing, it appears that configuring Flash in one browser takes care of both if you have multiple browsers installed.
If you click on an Adobe Flash Player entry in Add or Remove Programs, you will see a link that says “Click here for support information”. Clicking that link will bring up a box with the version information. It is a good idea to make sure that you have the most current version.
Flash has had vulnerabilities that were real security problems for people. Flash is installed without regard to user privacy. Flash can be configured, but most people do not know how. In fact, you have to go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html in order to configure your Flash player.
If Adobe cared about privacy and security then these settings would be presented upon installation. These settings should be configurable from your computer without requiring web access.
Once you are at the settings manager on macromedia.com, you need to go through several steps.
The “Global Privacy Settings Panel” allows you to prevent access to your microphone and web cam, or be prompted each time there is an attempt to access these devices. The panel does not show which option is currently enabled, even after selecting an option.
The “Global Storage Setting” lets you specify how much space a new website can use on your computer. Some space is required at times. Additionally, you can prevent third-party websites from storing Flash content on your computer by unchecking the box that says “Allow third-party Flash content to store data on your computer”. Finally, you can choose whether or not to store common Flash components to reduce download time. For more information about these choices, read the information under the settings manager.
The “Global Security Settings” panel allows you to prevent one website from letting another website access your computer. For both privacy and security I recommend against allowing this.
The “Global Notifications Settings” panel will allow you to change the default time period for checking for updates. I set mine to every 7 days since there is not an option to check every day. Given the rash of vulnerabilities recently found in Adobe products, it is prudent to update as frequently as possible.
The “Website Privacy Settings” panel allows you to set specific camera and microphone settings for websites you have already visited. If you trust a website that uses your microphone and camera, then let that one access the devices, not all websites.
Finally, the “Website Storage Settings” panel allows you to delete all of the cookies and other stuff you never authorized to be stored on your computer in the first place. Adobe didn’t think it was important to let you choose whether this could happen when you installed Flash.
I choose to be prompted before a site can store data on my computer. I also choose not to let one website let another website access my computer. If it breaks a Flash application then I simply didn’t need that application enough to use it.
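To see what the “Website Storage Settings” panel would list without going to the web, the following Python script totals the stored Flash data files per site. It is an added example, not from the original article or from Adobe. It assumes Flash keeps these `.sol` files under a per-user `#SharedObjects` folder, a location the article does not give, and the function names are illustrative.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def default_roots():
    """Usual per-user Flash storage folders (assumed locations, not from the article)."""
    home = Path.home()
    roots = []
    appdata = os.environ.get("APPDATA")  # set on Windows only
    if appdata:
        roots.append(Path(appdata) / "Macromedia" / "Flash Player" / "#SharedObjects")
    roots.append(home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects")
    roots.append(home / ".macromedia/Flash_Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]


def audit_shared_objects(root):
    """Return {site: (file_count, total_bytes)} for every .sol file under root.

    Assumed layout: <root>/<random profile folder>/<site>/.../<name>.sol
    """
    totals = defaultdict(lambda: [0, 0])
    for sol in Path(root).rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need profile folder, site folder and file name
            continue
        site = parts[1]
        totals[site][0] += 1
        totals[site][1] += sol.stat().st_size
    return {site: tuple(v) for site, v in totals.items()}


def report(root):
    """One text line per site, largest total storage first."""
    rows = sorted(audit_shared_objects(root).items(), key=lambda kv: -kv[1][1])
    return [f"{site:40} {count:4d} files {size:8d} bytes"
            for site, (count, size) in rows]


if __name__ == "__main__":
    # Folders may be given on the command line; otherwise use the assumed defaults.
    for root in [Path(p) for p in sys.argv[1:]] or default_roots():
        print(root)
        print("\n".join(report(root)) or "  (no stored Flash data)")
```

Sites that appear in the output but that you never knowingly allowed are the ones to remove in the “Website Storage Settings” panel.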
Director of Technical Education
Author ESET Research, ESET