In the first two parts (Part 1, Part 2) of this series I discussed some of the privacy issues associated with Flash and also explained the configuration options that Adobe offers. If you are willing to go through the hassle of creating an mms.cfg file and maintaining it, then you really do have the ability to still use Flash and maintain some control, but it is not realistic to think that many people will do this.
Using Adobe’s configuration options and trying to maintain some privacy is a difficult balancing act, but there are some tools that will allow you to better balance privacy with functionality. It is important to note that there is a significant difference between prevention and clean up. Sometimes clean up is simply enough.
I have recommended Sandboxie (www.sandboxie.com) in the past. While it is not designed to clean up Flash cookies (LSOs) specifically, whenever you delete the sandbox it does just that. There are many other benefits to Sandboxie as well.
Typically I steer clear of the browser wars, and I’m not about to tell you to dump Internet Explorer for security reasons; it just happens that both Firefox and Chrome offer tools to help you deal with a bunch of security and privacy issues, including removing or preventing LSOs.
I’ll start with the Google Chrome browser. There is an add-on for Chrome called Click&Clean that not only removes LSOs, but can be configured to delete temporary files, empty the recycle bin, remove Silverlight cookies (perhaps another blog) and a whole lot more. If Chrome is your browser of choice then you might just like this add-on. This does not prevent LSOs and other privacy threats, but it does allow you to make sure they don’t get left behind. This is probably the easiest approach if you want to balance functionality with privacy. There are probably other useful add-ons for Chrome, but I don’t often use Chrome and haven’t spent much time looking at what is there.
For Firefox there are a number of add-ons that you may find useful. Let’s start with AdBlock. AdBlock is designed to prevent advertisements from showing in Firefox. The practical result of this is that AdBlock will prevent Flash-based advertisements from writing their LSOs in the first place. These are probably among the riskiest LSOs from a privacy perspective. AdBlock can also help improve your security by blocking malicious ads that appear from time to time.
NoScript is another add-on that is quite useful. With NoScript many Flash files are blocked until you allow them, which can help prevent LSOs from being written. NoScript can also help improve security in at least a couple of ways. It has some built-in protection against cross-site scripting attacks, and if you allow a website you trust to run scripts, it will still block the scripts placed in advertisements from third-party websites. In terms of privacy, in addition to preventing some LSOs from being written, it also allows you to prevent sites like Google Analytics from collecting data about you. When you do allow Flash animations, LSOs will still be written.
Flashblock is another add-on that will prevent LSOs from being written unless you choose to let a Flash object run. This also balances privacy with functionality.
BetterPrivacy is a cool add-on that allows you to manage LSOs, as well as a few other things. You can set it to automatically delete LSOs on exit, a few minutes after they are written, or on application start. BetterPrivacy also deletes DOM cookies (an HTML5 object), but both Firefox and Internet Explorer will natively allow you to disable DOM storage. BetterPrivacy is a great tool for balancing functionality and privacy. BetterPrivacy also allows you to delete the Flash default cookie; however, if you do not use the default settings for Flash, then deleting the cookie will also revert the Flash settings to their default. That is where the mms.cfg file can be pretty handy.
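To make the clean-up approach and the default-cookie caveat concrete, here is an added example (not code from this post or from BetterPrivacy) that removes LSOs older than a chosen age while leaving the Flash settings object in place. It assumes LSOs are `.sol` files under the per-user Flash Player data directory and that the settings object is named `settings.sol`; those details and the function names are assumptions, not taken from the post.

```python
import sys
import time
from pathlib import Path

# Assumption (not from the post): Flash keeps its own settings in files named
# settings.sol; deleting them reverts Flash to its default settings.
SETTINGS_NAME = "settings.sol"


def find_lsos(flash_root, min_age_seconds=0, keep_settings=True, now=None):
    """List LSO (.sol) files under flash_root that are eligible for removal.

    min_age_seconds > 0 mimics "delete a few minutes after they are written";
    keep_settings=True leaves the Flash settings objects alone.
    """
    now = time.time() if now is None else now
    eligible = []
    for path in Path(flash_root).rglob("*.sol"):
        # Only act on regular files; leave symlinks untouched.
        if path.is_symlink() or not path.is_file():
            continue
        if keep_settings and path.name.lower() == SETTINGS_NAME:
            continue
        if now - path.stat().st_mtime < min_age_seconds:
            continue  # written too recently; a running Flash object may need it
        eligible.append(path)
    return sorted(eligible)


def clean_lsos(flash_root, min_age_seconds=0, keep_settings=True,
               dry_run=True, now=None):
    """Delete eligible LSOs, or only report them when dry_run is True."""
    removed = []
    for path in find_lsos(flash_root, min_age_seconds, keep_settings, now):
        if not dry_run:
            path.unlink()
        removed.append(path)
    return removed


if __name__ == "__main__":
    # Usage: python clean_lsos.py "<Flash Player data directory>" [--delete]
    # Assumed location on Windows: %APPDATA%\Macromedia\Flash Player
    if len(sys.argv) < 2:
        sys.exit("usage: clean_lsos.py <flash-data-dir> [--delete]")
    delete = "--delete" in sys.argv[2:]
    for lso in clean_lsos(sys.argv[1], min_age_seconds=300, dry_run=not delete):
        print(("deleted " if delete else "would delete ") + str(lso))
```

Run it without `--delete` first to see what would be removed; passing `keep_settings=False` reproduces the behaviour where Flash falls back to its default settings.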
So, what more is there left in this series? Probably a lot, but I only plan to post one more short blog on Flash… the spy isn’t only in your computer…
Director of Technical Education
Author ESET Research, ESET