On 7 February 2013, Adobe released an important security fix for Flash Player on the Mac, Windows, Linux, and Android. This release fixes a vulnerability that is actively being used to exploit both Mac and Windows users through Web browsers and via malicious Microsoft Word email attachments (with Flash embedded). While we at TidBITS don’t know currently the details of the Mac exploits, Adobe clearly states Macs are actually being attacked.
Under normal circumstances, we recommend updating immediately whenever an important security patch is released, but in this case, we have a somewhat different recommendation. Instead of leaving Flash on your Mac, you can instead isolate it and thus reduce the attack surface available to the bad guys. This is both easier and requires far less fuss going forward than you might think, and it is how I’ve been using my Mac for the past year or so.
The first step is to uninstall Flash by using Adobe’s official uninstaller application. This completely removes Flash from your operating system, making it impossible for an attacker to target it.
“But wait,” you say, “my kids will kill me if they can’t play those Flash-based Disney games.” Not to worry, there is an easy solution, thanks to Google.
The free Google Chrome Web browser includes its very own integrated version of Flash. Better yet, starting back in November 2012, Chrome sandboxes Flash from the rest of your Mac. This doesn’t mean that Chrome’s version of Flash is invulnerable, but an attacker must first compromise Flash and then break out of the sandbox to attack your Mac. This extra barrier makes it a lot less likely you will be compromised even when vulnerabilities are discovered in Flash. Plus, since Chrome automatically updates itself, you never have to fuss with the Flash Player installer again.
My recommendation is to install Google Chrome, even if you don’t plan on using it as your primary Web browser. Then simply launch Chrome whenever you want to see Flash content. I originally got this idea from John Gruber of Daring Fireball, and over time I’ve found that this simple method of isolating Flash to Chrome works great, especially since an ever-increasing number of sites push HTML5 video to Safari automatically if Flash is missing.
Personally, I decided to switch to Chrome completely since it is, overall, the most secure Mac browser on the market, especially once Google sandboxed Chrome’s version of Flash. After installing Chrome I do two things:
First, I go to Preferences > Settings > Show Advanced Settings > Privacy and disable everything except “Enable phishing and malware protection.” That reduces Google’s tracking, although turning off those other features also slows down both Chrome’s page fetching and your Web browsing speed.
Second, I install the following Chrome extensions (just click each link within Chrome, and then click the Add to Chrome button in the Chrome Web Store page that loads):
- Adblock Plus to remove ads (especially Flash ads)
- Ghostery and DoNotTrackMe to improve privacy and reduce tracking
Blocking ads and Flash trackers also reduces your attack surface, since ad networks in particular are targeted and sometimes used to distribute malware through banners on legitimate sites.
As I noted, Chrome automatically updates itself by default, which is generally good for security, although there can be a lag between Adobe Flash updates and when those are integrated into Chrome. Fortunately, the sandbox is still there to help protect you.
And that’s it! The entire process of uninstalling Flash and installing Chrome for those sites that still require it takes only a few minutes, and it provides a ton of extra security.