Protect yourself from Flash attacks in Internet Explorer

Summary: By failing to deliver the latest critical security updates to the Flash Player in Internet Explorer 10, Microsoft has left Windows 8 users exposed to online attacks. Here's how to protect yourself.

TOPICS: Security, Windows

Update, 11-September: Microsoft reverses course, will deliver critical Flash updates "shortly."

As I reported last week, Microsoft has chosen to delay shipping a critical update for the Flash Player code in Internet Explorer 10 until the General Availability of Windows 8 in late October. Those security fixes, which were delivered to users of all other modern browsers on August 21, are not available to Windows 8 users who use Internet Explorer 10.

That means, if you are using Windows 8 in either a production environment or for evaluation purposes, you face an unacceptably high risk of being targeted by in-the-wild exploits aimed at those Flash vulnerabilities.

So what can you do? The obvious alternatives are to stop using Internet Explorer 10 until that update is released, or to stop using Windows 8 altogether. If you choose to use an alternative browser, I recommend that you disable the Shockwave Flash add-on in IE completely. (Other Windows-based browsers use the Flash plug-in, which is up to date. And the ActiveX-based Flash code in earlier versions of Windows, including IE9 in Windows 7, was updated in a timely fashion.)

To disable Flash completely, click the gear icon in the upper right corner of the IE 10 window and then click Manage add-ons from the menu:

[Screenshot: eb-disable-flash-1]

That opens the Manage Add-ons dialog box, shown below. Select the Shockwave Flash Object add-on and note that it is identified as a Microsoft Windows 3rd party Component. Also note the file date, which is a month before the relevant security fixes were available:

[Screenshot: eb-disable-flash-2]

Click Disable, and then click Close. You are now safe, in Internet Explorer 10, from exploits that rely on vulnerabilities in Flash. Any Flash-based code, legitimate or otherwise, will not run in Internet Explorer 10 when this add-on is disabled.

But what if you prefer to use Internet Explorer, or if your evaluation requires you to test IE using real-world web sites? In that case, you can take advantage of an extremely effective security tool that’s built into Internet Explorer versions 9 and 10.

The feature, called ActiveX Filtering, blocks all ActiveX controls on all domains in Internet Explorer. Because the built-in Flash Player in IE 10 is implemented as an ActiveX control, this feature disables it completely while still allowing you to decide, on a case-by-case basis, when you want to allow a trusted site to display Flash-based content.

To turn on ActiveX Filtering, click the gear icon, click Safety, and then click ActiveX Filtering. The check mark to the left of this setting means it is enabled.

[Screenshot: eb-filter-flash-1]

When ActiveX Filtering is enabled, you’ll see this blue icon in the Internet Explorer address bar when you visit any site that uses the ActiveX-based Flash control:

[Screenshot: eb-filter-flash-2]

For sites that use Flash to deliver ads or other non-essential content, you can go about your business securely. If you encounter a site that uses Flash to do something meaningful and you trust that site, click the blue icon to display this box.

[Screenshot: eb-filter-flash-3]

Click Turn off ActiveX Filtering to allow Flash to work on the current domain. Note that this setting applies to the entire domain and is persistent. If you turn off ActiveX Filtering for example.com, you’ll be able to use Flash-based content on all pages on that domain, in the current session and in future sessions. For sites you don’t anticipate visiting again, you can click the blue icon in the address bar again to re-enable ActiveX Filtering for that domain.

(Of course, ActiveX Filtering blocks all ActiveX controls, not just Flash. That’s a benefit, for the most part, but it might be an issue if you use a corporate server that has proprietary ActiveX controls, or if you use Office 365 or other web services that use Office ActiveX controls.)

If you’re comfortable exploring the registry, you can inspect (and edit) the list of sites that are subject to ActiveX Filtering. Open Registry Editor (Regedit.exe) and look in HKCU\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions.
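If you would rather script the two checks above (the Flash control's file date from the Manage Add-ons step, and the per-domain ActiveX Filtering exceptions from the registry key just mentioned), here is an added PowerShell example; it is not from the article or from Microsoft. It assumes the built-in Flash control lives at %SystemRoot%\System32\Macromed\Flash\Flash.ocx and that each exempted domain is stored as a subkey of ActiveXFilterExceptions named after the domain.

```powershell
# Added example (not from the article): audit IE 10's built-in Flash control and the
# domains a user has exempted from ActiveX Filtering.
# Assumptions: Flash.ocx path below, and one subkey per exempted domain under the
# ActiveXFilterExceptions key named in the article.

$ExceptionsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions'
$FlashOcx      = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'

function Get-FlashControlInfo {
    # Version and file date of the built-in Flash ActiveX control, so it can be
    # compared against Adobe's current release before deciding to leave it enabled.
    if (-not (Test-Path $FlashOcx)) { return $null }
    $item = Get-Item $FlashOcx
    [pscustomobject]@{
        Path        = $item.FullName
        FileVersion = $item.VersionInfo.FileVersion
        FileDate    = $item.LastWriteTime
    }
}

function Get-ActiveXFilterExceptions {
    # Domains for which the user clicked "Turn off ActiveX Filtering"
    # (assumption: one subkey per domain).
    if (-not (Test-Path $ExceptionsKey)) { return @() }
    Get-ChildItem $ExceptionsKey | ForEach-Object { $_.PSChildName }
}

function Test-ActiveXFilterExceptions {
    param(
        [string[]]$AllowedDomains,   # domains you have consciously approved for ActiveX/Flash
        [switch]$RemoveUnexpected    # delete any exception not on the allow list
    )
    foreach ($domain in Get-ActiveXFilterExceptions) {
        $approved = $AllowedDomains -contains $domain
        [pscustomobject]@{ Domain = $domain; Approved = $approved }
        if (-not $approved -and $RemoveUnexpected) {
            # Deleting the subkey re-enables ActiveX Filtering for that domain.
            Remove-Item (Join-Path $ExceptionsKey $domain) -Recurse
        }
    }
}

Get-FlashControlInfo
Test-ActiveXFilterExceptions -AllowedDomains @('example.com')
```

Run it without -RemoveUnexpected first to review which domains have been exempted; the setting is per user, so run it under each account that uses IE.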

This doesn’t have to be a short-term workaround. Given the steady stream of security issues associated with Flash, it might be a prudent strategy for everyday browsing, even after Microsoft finally gets its Flash-patching issues sorted out.


Talkback

40 comments
  • There's an easier way

    Step one: open Internet Explorer
    Step two: install Chrome
    Step three: never open Internet explorer again
    45yoyos
    • Except . . .

      Except IE is still being used by other applications and is still vulnerable, so you still need to take these steps.
      CobraA1
    • Sometimes I wonder why I bother

      I put this RIGHT UP FRONT. Which means that you decided to troll without even bothering to read this post.

      "If you choose to use an alternative browser, I recommend that you disable the Shockwave Flash add-on in IE completely..."

      I support freedom of choice. I'm happy to support your right to choose another browser. BUT YOU SHOULD STILL DO THIS.

      Better trolls, please.
      Ed Bott
      • LOL!

        "Better trolls, please."

        LOL! XD

        Trolls will be trolls, heh.
        CobraA1
• Where can I download IE10

        Ed, you did not give the link as to where I can get IE10. I'm still using IE9 and Firefox. Doing a quick search, I cannot see where I can get IE10. I'd love to check it out.
        DeathDealer35
        • Not available to the general public - yet

          You can only get IE10 in Windows 8 - for now. After Windows 8 GA (general availability for the public - October 26th), the desktop version of IE10 will be made available for Windows 7. There is no known release date yet though. It has not been announced that it will be available for Windows Vista at all though, so it might be prudent to get the $40 upgrade to Windows 8 Pro to get more mainstream support for your OS since Windows Vista mainstream support looks like it's pretty well done. When mainstream support for an OS ends, Microsoft no longer backports new features. You will only get security update hotfixes during the extended support phase. Microsoft made it clear that new OS features won't be available for Vista anymore now that Windows Essentials 2012 isn't supported on it, and Windows Server 2012 Essentials requires a minimum of Windows 7 because the connector software needs .Net Framework 4.5 and that update won't be available for Vista. XP's complete support ends early 2014, so after that, it won't be secure to use online because there will be NO security updates made for it after the End-of-Life date.

          My thoughts are that by the end of this calendar year, if you haven't even thought about updating to at least Windows 7, you're already behind. Take advantage of the Windows 8 $40 upgrade though, because after January 31st of next year, the price is going to skyrocket. It's noticeably faster than Windows 7 on all the machines I installed it on, especially when working in the desktop (Office 2010 programs launch way faster than before too). File copy processes, even to USB 2.0 thumbdrives, are far quicker. And having the built-in ability to mount ISOs means I no longer have to install 3rd-party software. Also, Microsoft has their own PDF reader which is both fast, and NOT updated by Adobe with bundled crapware. I don't use a huge number of RT apps, but I also don't find task switching jarring either. I do find Search to be handy, and I use RT IE as much as possible. I certainly don't want to give up the performance benefits by going back to Windows 7.
          Joe_Raby
      • Better Trolls, Please!

        See, this is why I've been reading your articles for about 20 years!

        Thanks, Ed!
        GoodThings2Life
      • Don't feed the trolls, please...

        Also, great article - very useful.

        Thanks.
        jeremychappell
    • RE: There is a harder way

      Use Apple II
      Use IBM PC
      Use Unix I

      No browser, no virus. You are just going to have to write code for everything you need to do, no problem for a person who wipes the floor with us in computer knowledge.
      edkollin
  • Easier option

    Use RT IE instead. It only supports Flash on whitelisted websites. Security researchers should check to see if any of those safe-listed sites have been compromised though - there are some ad networks in the safe list.
    Joe_Raby
    • Also...

      Does Flash in RT IE also benefit from the app sandboxing in WinRT apps?
      Joe_Raby
      • or browse in a hyper v machine

        I have not played with this in Windows 8 yet, but when I get my bigger hardware set up I most certainly will. I have been using Hyper V machines as sacrificial whipping boys on Windows Server 2008 desktops for a few years. You can always roll back to a snapshot.
        Schoolboy Bob
    • Useful in some scenarios

      I use the Windows 8 non-desktop browser occasionally, regularly for some sites. But there are too many sites that use Flash and Silverlight. Ironically, I've had some Microsoft.com pages that warned about requiring plugins and tried to switch you if you visit it using the plugin-free browser!

      It is a good strategy, I agree.
      Ed Bott
      • It only asks though

        I have seen a few Microsoft pages with Silverlight too. Fortunately, RT IE never switches automatically, and only prompts the user.

        In a company where extra browser plugins aren't required for the sites that they allow users to visit, using a GPO to disable desktop IE is a good option too. It certainly helps for all of those Java exploits and Mindspark/Conduit toolbars, née browser hijackers, as well.
        Joe_Raby
    • Hmm...

      You'd think there was a registry setting somewhere to turn that feature on in Windows 8 wouldn't you? Maybe some research is required here...
      jeremychappell
  • Good Recommendations

    Thanks Ed for the recommendations of disabling Flash while the security update is pending. ActiveX filtering is already a technique that I use for daily browsing that reduces my attack surface a little.

    I don't consider Microsoft's delay of this Flash update serious since if you are evaluating Windows 8, you should already have enough knowledge to know how to disable a plugin.

    You should also realize that Adobe made this update available for non-Windows 8 users last month. If someone using Windows 8 didn't realize either of these points, they are not as informed about technology (tech savvy) as they would like to think.

    If they didn't see the news about the Adobe update last month, they are equally unlikely to see this article about disabling Flash in Windows 8.
    JimboC421
  • Install newer version

    or simply remove the built-in version and install version 11.4 from Adobe:

    http://social.technet.microsoft.com/wiki/contents/articles/13434.remove-adobe-flash-from-windows-8-or-update-adobe-flash-in-windows-8-en-us.aspx
    IDontWantAUserName81
    • This article has already been pulled

      Ripping out an integrated component from an OS-supplied application using an unsupported third-party hacking app is a dumb idea. You're probably worse off doing that than actually not having the patched version of Flash.
      Joe_Raby
  • What about Flash delivered through Word?

    The exploit of this vulnerability was delivered as a swf file embedded in a Word document.
    http://blogs.technet.com/b/mmpc/archive/2012/08/28/a-technical-analysis-on-cve-2012-1535-adobe-flash-player-vulnerability.aspx

    Does disabling Flash in Internet Explorer also block this?

    The exploit uses heap spraying. Would the changes to the heap in Windows 8 prevent the exploit working?
    http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx
    Dax1792
    • Does Word allow Flash to execute in downloaded documents by default?

      I’d be surprised if Word allows Flash content to execute by default in downloaded documents. I’ve never seen a Word document with embedded Flash, so I don’t know, but it usually pops up warnings and requires explicit consent for content that can execute code (e.g. macros).
      WilErz