Adobe Flash, The Spy in Your Computer – Part 2

In the first part of this blog I told you how to use the basic Flash configuration utility. This blog is for the techies. This time I’ll share with you how to shut the doors on Flash and only open them to the sites you want to trust.

Very few people seem to know that you can actually configure Flash through a configuration file. The configuration file is meant for network administrators to be able to deploy Flash and control how it works, but you can use the configuration file on your own PC as well. By using this configuration file you can stop online advertisers from spying on you; however, doing so means that a lot of websites do not work properly. Of course, if “works properly” means they get to spy on you then it isn’t such a compromise.

You can find the details for the configuration file in a document that Adobe publishes at http://www.adobe.com/content/dam/Adobe/en/devnet/flash/articles/flash_player_admin_guide/flash_player_admin_guide.pdf

There are far more settings than the mostly worthless online Flash Settings Manager allows. You can block ALL Flash and then make exceptions for sites you trust. There are far too many settings for me to explain each one. This blog is not going to be a tutorial on the configuration file. If you have the skills to use the file then you can figure it out for yourself.

For an example, I created a configuration file with the following content:

LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 0
AssetCacheSize = 0
AutoUpdateInterval = 1
LegacyDomainMatching = 0
LocalFileLegacyAction = 0

This configuration stopped Disney, MTV, ESPN, and ABC (all defendants in privacy violation lawsuits) from writing LSOs to my hard drive. Sites such as Disney were pretty unusable in terms of viewing graphic content. Sites like ABC broke in some, but not all, cases.
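The check below is an added example, not code from the original post or from Adobe: it parses mms.cfg text, flags settings given more than once (as AssetCacheSize is in the file above), and reports drift from a baseline. The baseline is the post's own values; the function names and the `#` comment handling are assumptions.

```python
# Baseline to enforce: the values from the post's example file.
BASELINE = {
    "LocalStorageLimit": "1", "AssetCacheSize": "0", "ThirdPartyStorage": "0",
    "AutoUpdateInterval": "1", "LegacyDomainMatching": "0",
    "LocalFileLegacyAction": "0",
}

def parse_mms_cfg(text):
    """Parse 'Name = value' lines; '#' comment lines are assumed syntax."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            problems.append(f"line {lineno}: not a Name = value pair")
            continue
        # A key given twice is flagged; the last value seen is the one audited.
        if key in settings:
            kind = "repeated" if settings[key] == value else "conflicting"
            problems.append(f"line {lineno}: {kind} setting {key}")
        settings[key] = value
    return settings, problems

def audit(text, baseline=BASELINE):
    """List every way the file differs from the baseline."""
    settings, problems = parse_mms_cfg(text)
    for key, want in baseline.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"missing {key} (want {want})")
        elif got != want:
            problems.append(f"{key} = {got} (want {want})")
    return problems

# Constructed sample: the post's file with one value changed and one line dropped.
SAMPLE = """\
LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 1
AssetCacheSize = 0
AutoUpdateInterval = 1
LegacyDomainMatching = 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```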

There is one spy aspect of Flash that this configuration did not stop. Adobe has a default cookie that records each Flash-enabled site you visit. Using the web-based Flash Settings Manager, if you go to the website privacy settings or storage settings panels and delete all websites, it will delete this history from the default cookie, but what if you don’t want the sites written at all? I decided to see if I could prevent this from happening. The default cookie is called settings.sol and its location depends upon your operating system and version. I first used the web-based panels to configure Flash how I wanted and then marked settings.sol as read only. Next I went to sites that use Flash and went back to check the settings.sol file. I think it is appropriate to mention here that “SOL” in English is an acronym for Sh*t Out of Luck. I do not think this is a coincidence. When I went to look at the sol file I discovered that Flash had written a file called settings.sxx that contained the website I had visited. After marking both the sol and sxx files as read only, Flash finally stopped tracking the websites I visit.
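The read-only step described above, as an added example that is not part of the original post: it reports whether settings.sol and settings.sxx under a folder are writable and can mark them read-only. The folder argument, function names and state labels are assumptions; the post does not give the file location.

```python
import os
import stat
import sys

TRACKING_FILES = ("settings.sol", "settings.sxx")  # file names from the post
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def is_read_only(path):
    """True when no write bit is set (the read-only attribute on Windows)."""
    return not os.stat(path).st_mode & WRITE_BITS

def check_tracking_files(root, lock=False):
    """Report settings.sol / settings.sxx under root; lock them if lock=True.

    Returns {path: state}: 'read-only', 'writable', 'locked', or
    'not created yet' for the .sxx fallback beside a read-only .sol.
    """
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in TRACKING_FILES:
            path = os.path.join(folder, name)
            if name not in files:
                continue
            if is_read_only(path):
                report[path] = "read-only"
            elif lock:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                os.chmod(path, mode & ~WRITE_BITS)
                report[path] = "locked"
            else:
                report[path] = "writable"
        sol = os.path.join(folder, "settings.sol")
        sxx = os.path.join(folder, "settings.sxx")
        # Per the post, Flash writes settings.sxx once settings.sol is
        # read-only, so a locked .sol with no .sxx needs a second pass later.
        if report.get(sol) in ("read-only", "locked") and sxx not in report:
            report[sxx] = "not created yet"
    return report

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python lock_flash_settings.py <Flash Player data folder> [--lock]
    results = check_tracking_files(sys.argv[1], "--lock" in sys.argv)
    for path, state in results.items():
        print(f"{state:16} {path}")
```

Run it once with `--lock`, visit a Flash-enabled site, then run it again so that a newly created settings.sxx is locked too.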

The least intelligent readers will assume that if you have nothing to hide then there isn’t a problem with Adobe creating a list of websites you visit. The more astute readers will realize that this list can be used for targeted advertising. Additionally, if you click on a poisoned search result from Google and get redirected to a porn site that contains child pornography, the sol may be used as forensic evidence that you visited that site.

The MMS.CFG configuration file is a powerful tool for techies to control Adobe Flash. The functionality should be an integral part of Flash for everyone. Flash should never, ever install without configuration options, but that would detract from the spy capacity of Flash and I don’t think Adobe has any desire to put privacy into the hands of the average user.
 
The next blog will discuss some tools that people can use to make some compromises that allow them to use Flash-enabled sites and to some degree limit the spying. Currently there is no real balance; Adobe needs to redesign the Flash model from the ground up if Flash is to be better than a spammer's tool of choice.

Randy Abrams
Director of Technical Education
ESET LLC
 

Author ESET Research, ESET

  • Philip

    Thanks for a lot of clear information.
    Do you think it would be possible to use an alternative .swf player, instead of the Adobe Flash Player, as a means of avoiding some of these issues?

    • Randy Abrams

      I’ll have to research this. I suspect that even alternate players would still have to support LSOs, but I’ll check it out and report my findings in part 3 or 4 of this series.

  • Katherine

    Sounds like a good idea. I mean, people are already ahead of Adobe with PDF support, so why should this one be any different? Just another fun project.

  • Christian

    Where would I go in the online configuration panel to set settings.sol and settings.sxx to read only?

    • Randy Abrams

      You can’t do that from Flash; you need to do it from the command line or from Windows Explorer.

  • Mark Rucker

    Yes–in follow-up to Philip's comment,  the option for an alternative would be ideal, whereas even if one doesn't cruise YT or other video portals for sheer entertainment, some of us who deploy video as part of our online business need to render much of it, though not all– in Flash. Then, we need to be able to freely watch the results of a newly-filmed file uploaded to the server, and monitor it running well. To work with Flash productively while maintaining the level of privacy (I prefer as much as you do), will appear to require going in and changing these settings frequently. It looks like one big hassle for people with small businesses who are still doing their own webmastering, and can barely find time enough for their workload as it is.   

  • Don Hanson

    I can't find mms.cfg on my win7 64 system. I am logged in as Admin with Show hidden files, folders and drives and Hide protected operating system files unchecked. I've looked in the location given in the Adobe pdf and also did a search on the C: drive. Perhaps related, I found settings.sol but not settings.sxx. The paranoid me says it's a conspiracy.

    • Randy Abrams

      mms.cfg does not exist on your computer until you create it. settings.sxx is only created if Flash cannot write to settings.sol. If you mark settings.sol as read only and go to a Flash-enabled site then settings.sxx will be created.

  • FLORENCIA LOPEZ

    It is almost impossible for an ordinary person to detect any fraud, or whatever it is called, or to avoid making the mistakes we should not fall into; one's range of knowledge is never wide enough to be safe from undesirable things at the cyber level; that is for professionals specialized in computing; I think there are too many legal loopholes; I see this as a new kind of society in which there will be good and bad people acting according to their principles; for my part I am grateful for being able to give an opinion and to receive from you the alternatives for improving the proper use of the various services; in the end it is hard to know who is who. Thanks for everything.

  • X

    The MMS.CFG file is to be found/placed in the %WINDIR%\System32\Macromed\Flash folder

  • jason

    I'm disappointed to see you chasing, and recommending, such a convoluted path in dealing with the Flash issue. The  Firefox addon "Better Privacy" and /or free CCleaner utility from piriform.com nicely handle cleanup across browsing sessions.
    Kudos — mentioning the creation of a *.sxx file was a nice detail. Better would be a walkthrough of the dizzying array of registry keys created during Adobe/Macromedia Flash install (Shockwave Director also, if you're feeling particularly ambitious).
    Cut your nose off to spite your face? That's what your "I can live with it" Disney example amounts to.
    While you're chasing "issues", crossdomain.xml sharing is more extensive (and invasive IMO) than LSOs, so how about let's see a blog article on that topic.

  • Layne Chin

    That is why Apple supports no Flash.

    • Randy Abrams

      Apple supports Flash, just not on iOS. Flash works on a Mac computer.

  • Layne Chin

    Sorry.  But I did mean it for iOS. 

  • Magister Max

    I tried to access the advanced Adobe page you mentioned, but it seems the rotters have removed it. Any idea on access now?

    • Randy Abrams

      The link works for me.

  • Tania Guachi

    Hi, I would like to know how to load images into a Flash SWF file from a txt file that contains the paths of the images. Please, I know there is a way and that it can be done, but I don't know where it is configured. I would be very grateful.

  • Me

    I assure you, this is being used for more than just a spy for ads. Big brother is always watching.

  • Mark

    Randy,
    I just had a big problem and had to perform a system restore point to fix it. An icon called "internet security" appeared in my task bar and prevented me from opening any programs including IX and even task manager. When de-minimizing it from my task bar to see what it was, it was doing a complete system scan. Except, no buttons would work except the stop scan. It looked like a regular Norton antivirus pane, with setting buttons and everything, except no buttons would work save the "Register Now" option. I immediately unplugged my cable connection, and shut down the computer. Tried reboots a few times, opened in safe mode to look around, but I couldn't find anything…no new programs downloaded, no security program to un-install in the control panel. I was at a complete loss. After the system restore point was finished, it gave me the message after it restarted Windows that a file had to be renamed.
    That file was c/documents and settings/administrator/application data/macro media/flash player/macromedia.com/support/flash player/sys(2). And inside that folder was guess what…a "settings.sol" file. Well, I deleted that file…it sits in my trash can now…computer seems to be running fine now. Don't know where I got it, or how it got past antivirus; I think it is to blame for this "internet security" icon which took over everything. Am I crazy or what?

    • David Harley

      Mark, I’m afraid Randy is no longer with ESET. I haven’t done the research into Flash that he did, and I can’t tell you exactly what it was you saw. It doesn’t sound like “real” Flash behaviour, more like a fake AV pop-up, but I can’t say whether it had anything to do with the file you deleted. Sorry I can’t be more helpful, but I don’t doubt your sanity. :)
