Adobe Flash is, in my opinion, the most ubiquitous spyware in the world and no products detect it as such. The reason it goes undetected is that it also has numerous legitimate uses, however, there is growing evidence that indicates significant abuse. This will be the first in a series of blogs in which I will try to help you understand the threats and help you get a handle on the beast that is Flash.
If you have Adobe Flash on your computer, and most of you do, you are probably being spied on and Adobe does their best not to let you know or do anything about it. Fundamentally, rich video content is only the drug Adobe wants you to get hooked on, but make no mistake, one of the main purposes of Flash is apparently to secretly compromise your privacy. Flash cookies allow online advertising networks to covertly and uniquely track your internet use. This is not only a PC problem, but affects Linux, Mac, and mobile devices that support Flash. Flash cookies provide advertising networks with much better tracking than normal cookies do. Because a Flash cookie can effectively identify you (or your computer) uniquely it becomes very easy for internet ad agencies to profile you specifically.
Perhaps the only thing that Flash threatens more than your privacy is your security. Flash has been riddled with exploitable vulnerabilities. I want to help you get better control of your security and privacy, so this first blog will focus on the basics of getting you up to date and teaching you some Flash configuration. Start by making sure that you have the most current version of Flash by going to http://www.adobe.com/products/flash/about. The page will tell you the version of Flash you have installed and the current version for some operating systems, but not for Android phones. Remember, if you use multiple browsers you need to check Flash in each browser to make sure that it is current. Updating Flash in Firefox does not update Flash in Internet Explorer.
The next step is configuring the Flash player. In the next blog I’ll give an alternate means of configuring Flash, but let’s start with the “normal” way of configuring Flash. There should be a tool on your computer to configure Flash, but Adobe doesn’t work that smart. You need to go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html in order to configure the Flash Player. This happens to be a fairly unintuitive site designed to discourage users from configuring Flash, but I’ll help explain how it works. When you land on the web page and have Flash installed, you will see the following screen.
This actually is not simply text, this is the tool you need to use to configure Flash player. Note that this is not going to be enough to prevent Flash enabled websites from spying on you, but it is a start. Each of the links on the left under the words “Settings Manager” is an active link that controls Flash. I’ll explain a bit about each of the screens you see when you use the Flash Player Settings Manager tool. The first screen is the “Global Privacy Settings panel” which you see below.
Use of the global privacy settings panel does nothing at all to stop sleazy online ad agencies and other scum from using Flash to track you individually. This is actually not a global privacy setting at all, it is simply a control for your webcam and microphone. By default if a Flash application wants to use your camera or microphone it has to ask, but you can choose to always deny the request. The proper setting for this panel is whatever you want. This isn’t about privacy at all, this is simply whether you want the choice to share your webcam or whether you want to make sure it is never used and you are not asked. Calling this the “Global Privacy Settings panel” is an example of the devious and deceptive nature of Adobe.
The Global Storage Settings panel has more to do with privacy than the webcam. This is also an example of how confusing Adobe makes Flash to understand. An LSO is a local shared object and this panel controls LSOs, but rather than tell you that you are allocating SHARED space, Adobe calls it STORAGE. An LSO can contain a lot of data. If you set the storage to zero you might break some sites, but you limit how much data can be stored on your computer. I set mine to zero because Flash is simply too dangerous and deceptive to trust with storage on a global basis. I chose not to allow third-party Flash content because I do not wish to have unknown third parties spying on me. Disallowing third-party Flash breaks the Disney site, but then Disney is being sued for allegedly abusing Flash LSOs to illegally spy on people. Breaking the Disney website is probably a very good thing. I can live with it. This actually breaks a lot of embedded Flash movies, but if more people complain that third-party Flash videos are not showing, maybe Adobe will redesign Flash to respect privacy. The option to store common Flash components to reduce download times is something else I disable. My reason for disabling local storage is that I expect this “feature” to be exploited at some point in time. I suspect that there are or will be attacks that will take advantage of stored content.
The Global Security Settings panel shows how little security Flash actually has. Global security for Flash controls one thing – whether or not older, even more poorly designed Flash components can gain unauthorized access to your data. I set mine to always ask because I want to know when I come across such a site, but then I also know that the correct answer is to deny access. For most people I recommend selecting “Always deny”.
The Global Notifications panel is used to show how bad Adobe is at effective communications. When a site wants to access your webcam and you have the control set to ask, you get notified. When a third party site wants insecure access to your data and you have Flash configured to ask, then you are notified of the request, but that isn’t what this panel is about. This is how you set the interval for how often Flash checks for updates! This really should be called the Update Settings panel, but perhaps Adobe thinks it may one day be used for other things too. The default setting is probably good. If you want to check more frequently I’ll tell you how in a future blog.
The Website Privacy Settings panel is similar to the Global Privacy Settings, except it allows you to control the behavior of web sites after you have visited them. If you visited a web site that uses Flash, it will be listed here. From this panel you can choose to always allow the site to access your webcam, always deny access to it, or leave the default of asking permission each time. The panel would be far more useful if you could add websites without having to visit them, but that functionality doesn’t help Flash to spy on you, so don’t look for the functionality anytime soon.
The Website Storage Settings panel is similar to the Global Storage Settings panel, except that it is used AFTER Adobe let a website spy on you. When you visit a Flash-enabled website it will show up in the box at the bottom of the panel, and then you can select each website and adjust how much local storage (shared objects) you want to let the website have on your hard drive. Once again, due to a design that favors privacy compromise over user choice, you can’t add websites first and assign settings; you have to browse to the website first and use your default settings. After visiting the website then you must return to the Flash settings manager
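The Global Storage and Website Storage panels above govern the .sol files ("Flash cookies") that sites write to your disk. Here is an added example, not code from the original post or from Adobe, that inventories those files per site and decodes each file's header so you can see what has accumulated; the directory locations are the well-known defaults (verify them on your system) and the sample file it can build is constructed for testing.

```python
# Added example, not from the original post: inventory Flash local shared
# objects (.sol files) on disk and decode each file's header.
# Directory roots are the well-known defaults; verify on your own system.
import os
import struct
from pathlib import Path

LSO_ROOTS = [
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",                        # Linux
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",     # macOS
    Path(os.environ.get("APPDATA", "")) / "Macromedia/Flash Player/#SharedObjects", # Windows
]

def parse_sol_header(data: bytes) -> dict:
    """Decode the fixed .sol header: 00 BF, 4-byte body length, 'TCSO', six marker
    bytes, 2-byte name length, name, then a 4-byte AMF version (0 = AMF0, 3 = AMF3)."""
    if len(data) < 22 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Flash shared object")
    body_len = struct.unpack(">I", data[2:6])[0]
    name_len = struct.unpack(">H", data[16:18])[0]
    name = data[18:18 + name_len].decode("utf-8", "replace")
    version = struct.unpack(">I", data[18 + name_len:22 + name_len])[0]
    return {"name": name, "body_len": body_len, "amf_version": version,
            "payload_bytes": len(data) - (22 + name_len)}

def inventory(root: Path) -> dict:
    """Map each site directory under #SharedObjects to (file count, total bytes).
    Layout is <root>/<random id>/<domain>/<path>/<name>.sol, so the domain is the
    second path component."""
    totals = {}
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) > 2 else "(unknown)"
        count, size = totals.get(domain, (0, 0))
        totals[domain] = (count + 1, size + sol.stat().st_size)
    return totals

def build_sample_sol(name: str, payload: bytes) -> bytes:
    """Construct a minimal AMF0 .sol image (constructed sample, not a real cookie)."""
    body = (b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
            + name.encode() + b"\x00\x00\x00\x00" + payload)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    for root in LSO_ROOTS:
        if root.is_dir():
            for domain, (n, size) in sorted(inventory(root).items()):
                print(f"{domain:40} {n:4} file(s) {size:8} bytes")
            for sol in root.rglob("*.sol"):
                print("  ", sol, parse_sol_header(sol.read_bytes())["name"])
```

Run it before and after lowering the storage limits to confirm what each site has kept on disk; a site that still shows files with a large payload after you have set its limit to zero is worth a closer look.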
The Peer-Assisted Networking panel lets you prevent Flash from sharing your internet connection. There may be no security or privacy risk at all, but I really can’t say authoritatively that there is no risk. There is probably no benefit that makes it worth taking the chance. Choose the check box titled “Disable P2P uplink for all” and don’t look back.
The Protected Content Playback Settings panel is generally of no significance to anyone. Most companies realize that DRM (Digital Rights Management) was almost as successful as the war on drugs. A few people out there may have files that are protected, and when some obscure problem crops up, after hours on the phone with technical support you may be asked to reset the license files; otherwise you can pretty safely ignore this panel.
One of the other ways to configure Flash is to right-click on a Flash animation on a web page. The problem is that you have to know that it is a Flash file and not an animated GIF or other graphic, and then, after some spying has already been done, you can say stop.
If you choose “Settings” you get to disable or enable hardware acceleration. If you choose “Global Settings” then it takes you to the Flash Settings Manager panel which we have just gone over.
Next blog I’ll show you another way to configure Flash. A way that you can block virtually all LSOs, truly control Flash, and probably not get to see many Flash animations at all.
Director of Technical Education
Author ESET Research, We Live Security