Isolate Adobe Flash by Using Google Chrome
On 7 February 2013, Adobe released an important security fix for Flash Player on the Mac, Windows, Linux, and Android. This release fixes a vulnerability that is actively being used to exploit both Mac and Windows users through Web browsers and via malicious Microsoft Word email attachments (with Flash embedded). While we at TidBITS don’t currently know the details of the Mac exploits, Adobe clearly states that Macs are actually being attacked.
Under normal circumstances, we recommend updating immediately whenever an important security patch is released, but in this case, we have a somewhat different recommendation. Instead of leaving Flash on your Mac, you can isolate it and thus reduce the attack surface available to the bad guys. This is easier and requires far less fuss going forward than you might think, and it is how I’ve been using my Mac for the past year or so.
The first step is to uninstall Flash by using Adobe’s official uninstaller application. This completely removes Flash from your operating system, making it impossible for an attacker to target it.
“But wait,” you say, “my kids will kill me if they can’t play those Flash-based Disney games.” Not to worry, there is an easy solution, thanks to Google.
The free Google Chrome Web browser includes its very own integrated version of Flash. Better yet, starting back in November 2012, Chrome sandboxes Flash from the rest of your Mac. This doesn’t mean that Chrome’s version of Flash is invulnerable, but an attacker must first compromise Flash and then break out of the sandbox to attack your Mac. This extra barrier makes it a lot less likely you will be compromised even when vulnerabilities are discovered in Flash. Plus, since Chrome automatically updates itself, you never have to fuss with the Flash Player installer again.
My recommendation is to install Google Chrome, even if you don’t plan on using it as your primary Web browser. Then simply launch Chrome whenever you want to see Flash content. I originally got this idea from John Gruber of Daring Fireball, and over time I’ve found that this simple method of isolating Flash to Chrome works great, especially since an ever-increasing number of sites push HTML5 video to Safari automatically if Flash is missing.
Personally, I decided to switch to Chrome completely since it is, overall, the most secure Mac browser on the market, especially once Google sandboxed Chrome’s version of Flash. After installing Chrome I do two things:
First, I go to Preferences > Settings > Show Advanced Settings > Privacy and disable everything except “Enable phishing and malware protection.” That reduces Google’s tracking, although turning off those other features also slows down both Chrome’s page fetching and your Web browsing speed.
Second, I install the following Chrome extensions (just click each link within Chrome, and then click the Add to Chrome button in the Chrome Web Store page that loads):
- Adblock Plus to remove ads (especially Flash ads)
- Ghostery and DoNotTrackMe to improve privacy and reduce tracking
Blocking ads and Flash trackers also reduces your attack surface, since ad networks in particular are targeted and sometimes used to distribute malware through banners on legitimate sites.
As I noted, Chrome automatically updates itself by default, which is generally good for security, although there can be a lag between Adobe Flash updates and when those are integrated into Chrome. Fortunately, the sandbox is still there to help protect you.
And that’s it! The entire process of uninstalling Flash and installing Chrome for those sites that still require it takes only a few minutes, and it provides a ton of extra security.
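To confirm that the uninstall step left no system-wide copy of Flash for Safari or Firefox to load, the following added example (not from the original article or from Adobe) scans the plug-in folders. The folder paths and the file names `Flash Player.plugin` and `flashplayer.xpt` are assumptions about a standard macOS install.

```shell
#!/bin/sh
# Added example: look for a leftover system-wide Flash plug-in after uninstalling.
# Assumed names (not from the article): the standard macOS plug-in folders and
# the file names "Flash Player.plugin" and "flashplayer.xpt".

# Print the CFBundleShortVersionString from an XML Info.plist, or "unknown"
# when the file is missing, unreadable, or not in XML form.
plugin_version() {
    plist="$1/Contents/Info.plist"
    [ -r "$plist" ] || { echo unknown; return; }
    ver=$(awk '/<key>CFBundleShortVersionString<\/key>/ { getline; print; exit }' "$plist" |
          sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p')
    echo "${ver:-unknown}"
}

# Scan each directory given as an argument (default: the system and per-user
# plug-in folders) and print one line per Flash component found.
# Exit status: 0 = nothing found, 1 = a system copy of Flash is still installed.
find_system_flash() {
    [ "$#" -gt 0 ] || set -- "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"
    found=0
    for dir in "$@"; do
        for name in "Flash Player.plugin" "flashplayer.xpt"; do
            path="$dir/$name"
            [ -e "$path" ] || continue
            found=1
            if [ -d "$path" ]; then
                echo "FOUND $path (version $(plugin_version "$path"))"
            else
                echo "FOUND $path"
            fi
        done
    done
    return "$found"
}

# Check the real plug-in folders when the script is run directly.
if find_system_flash; then
    echo "No system-wide Flash plug-in found."
else
    echo "Flash is still installed system-wide; run the uninstaller again."
fi
```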
This is a good strategy; there is also ClickToPlugin:
http://hoyois.github.com/safariextensions/clicktoplugin/
I like it because it makes Flash easy to run when you need it, plus it allows you to whitelist specific sites. (e.g. I have Hulu whitelisted along with YouTube and a few others.)
It also can block Java and Silverlight if you'd like.
The problem is Chrome is a 32-bit browser and Java can only run on 64-bit browsers. That means you need two browsers: Chrome for Flash, and whichever other for Java.
I tried using Chrome as my main browser. The problem with it is that all video streaming is choppy. Even YouTube, which is strange since Google owns YouTube. I stopped using Safari as my main browser because the tabs don't show loading indicators anymore, so I can't tell when work is completed (e.g. a compile returns a done status) in other tabs. Chrome has awful video streaming on YouTube, Netflix and Hulu. So I've been using Firefox lately. I would prefer to use Chrome if the video playback issue is ever resolved.
I've not experienced choppy video streaming in general, though I can't say that every video on every site is perfect.
I can't stand Chrome; I use Firefox. I'm already having problems with Apple disabling the Java from Oracle on my iMac. That should be MY decision; if Apple doesn't like Oracle's version of Java, why did they stop making their own version and tell us to USE Oracle's?! Apple should concentrate on replacing the crappy Lion and Mountain Lion versions of Mac OS; the best was Snow Leopard. Maybe if they did that, they could concentrate on good implementations of Flash & Java rather than grafting iOS junk onto Mac OS.
You can always wipe your system and downgrade.
I was a bit hesitant in trying this but the people at TidBITS are pretty trustworthy and quite knowledgeable. The one thing I feared was losing the inability to download some video files for later viewing. I tried the download add-on in Chrome, but Google apparently blocks any download from YouTube.
Went back to Firefox and installed the download helper and it worked fine as the video was rendered in HTML5. Not sure what will happen with a Flash-only video. Will try the Chrome add-on and see if that works.
Overall I agree with Adam, I notice no choppy streaming on the sites I tried.
I always wince a bit at suggestions to block ads; many sites are dependent on ads for income so that the content can remain free.
I do understand the reasons for ad blocking. I hope that users will remember to join subscription programs to support the sites they use.
TidBITS is just one such site that while it does run locally served ads, also has a nifty membership option: http://tidbits.com/members.html
What about Camino?
Camino has no integrated Flash like Chrome, so it will rely on the system copy like Safari and Firefox.
Terrific post! Had been trying to figure out how to get by without Flash since it won't let me interact w/Gmail properly. Had no idea Chrome was the solution. So cool.