Fed up with Adobe Flash? Make it safer

If you're sick and tired of constantly patching Adobe's fatally flawed media player, here's how to disable it -- or at least minimize how often it's used.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Updated: We're addicted to Adobe Flash, and it's time to break the habit. In the last three months, multiple Flash security holes have been found and exploited. In the last two weeks alone, security expert Brian Krebs has reported that Adobe has released three emergency Flash security patches. Enough already.

It's time for Website administrators and advertisers to stop using Flash and replace it with HTML5. It's time for users to disable Flash as much as they can on their Web browsers.

There's nothing new about the idea of flushing Flash once and for all. Steve Jobs declared Flash obsolete in 2010. By 2011, Adobe itself had decided to put its mobile video efforts behind HTML5. In 2014, the Interactive Advertising Bureau, with the support of AOL, Conde Nast, Forbes, Google, The New York Times, and the Wall Street Journal, urged advertisers to upgrade from Flash to HTML5. Starting in January, YouTube began delivering its content in HTML5 to users of Internet Explorer (IE) 11, Chrome, or beta Firefox.

Despite all this, and despite one Flash zero-day bug revealed in early February, another in late January, and four critical vulnerabilities patched in mid-January, companies still persist in presenting content in this fatally flawed format. If you're sick of this, if you're tired of constantly patching Flash, here's what you need to do.

First, you can try just uninstalling Flash from your Windows, Mac OS X or Linux PC. If you use Internet Explorer 10 or 11 on Windows 8.x or higher or the Chrome Web browser on any desktop operating system, Adobe Flash functionality comes built in and you can't get rid of it. There are, however, other ways of disabling it.

If you want to keep Flash around, but minimize how often it's used, you can set most browsers so that Flash content will only play when you want it to. When you do this, Flash content in your Web browser will show up as a gray or white box with the inscription: "Click to run Adobe Flash Player." It may be ugly, but it's a lot safer.

The one exception is IE. IE 10 and 11 won't run Flash unless IE is "fully patched." In addition, Microsoft has a blacklist of sites that IE won't run Flash on at all.

Here's how to block Flash in IE: From the Options menu, click Safety, then click ActiveX Filtering. According to Ed Bott, "Because Flash is implemented as an ActiveX control, it is blocked in all web pages you visit when ActiveX Filtering is enabled. You see a blue icon in the taskbar. Click that icon and you have the option to enable Flash content for that site."

On Chrome, you enable click-to-play by closing all windows and going to Settings. Once there, you click on "Show advanced settings." Once in this menu, hit the radio button for "Content settings..." Within this menu, go down to Plug-ins and activate "Click to play."

This may also have the beneficial side effect of speeding up Chrome for some users. Many people have reported that with multiple tabs open with Flash running, Chrome consumes too much memory and starts to slow down.

For Firefox, open a browser window and type "about:config" in the address bar. This will bring up a warning about voiding the warranty; ignore this and proceed. You'll then see a display of the user-settable configuration settings. Here, look for "plugins.click_to_play" and then double-click the entry so that the "value" column changes from "false" to "true."

An alternative method, recommended by a Firefox engineer, is to select "Add-Ons" from the Firefox menu. Then, choose the "Plugins" category and switch "Shockwave Flash" from "Always Activate" to "Ask to Activate."
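To check which Firefox profiles already have one of these two settings applied, the sketch below parses the `user_pref()` lines of a profile's prefs.js and reports which method it finds. It is an added example, not part of the original article; the function names and sample profiles are made up for illustration, and it assumes the Add-ons "Ask to Activate" choice is stored as `plugin.state.flash` = 1.

```python
import re

# One preference per line, e.g.  user_pref("plugins.click_to_play", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; comments and junk are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def click_to_play_methods(prefs):
    """List which of the article's two Firefox methods show up in the prefs."""
    found = []
    if prefs.get("plugins.click_to_play") is True:
        found.append("about:config plugins.click_to_play=true")
    # Assumption: "Ask to Activate" is stored as plugin.state.flash = 1.
    state = prefs.get("plugin.state.flash")
    if state == 1 and state is not True:
        found.append("Add-ons: Shockwave Flash = Ask to Activate")
    return found

def audit(profiles):
    """Map profile name -> methods found; an empty list means neither was applied."""
    return {name: click_to_play_methods(parse_prefs(text))
            for name, text in profiles.items()}

# Constructed sample prefs.js bodies (not taken from a real machine).
SAMPLES = {
    "kiosk": '// Mozilla User Preferences\nuser_pref("plugins.click_to_play", true);\n',
    "laptop": 'user_pref("plugin.state.flash", 1);\nuser_pref("browser.startup.page", 3);\n',
    "legacy": 'user_pref("plugins.click_to_play", false);\nuser_pref("plugin.state.flash", 2);\n',
}

if __name__ == "__main__":
    for name, methods in audit(SAMPLES).items():
        print(name, "->", methods or "Flash not set to click-to-play")
```

To run it against real profiles, read each profile's prefs.js into the dictionary passed to `audit()`; an empty result means neither setting appears in that file.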

If you're an Opera user, you can protect yourself by pressing Ctrl and F12 at the same time. In the resulting menu, select the "Advanced" tab, and click on the "Content" option on the left-hand menu. Here, you'll want to click on the "Enable plug-ins on demand" option.

In any case, if you ever plan on using Flash, you should always make sure you're using the latest version. With Chrome and IE you're automatically updated whenever you patch or update the browser.

None of this is ideal. The real fix needs to come not from users, but from the vendors who insist on still using Flash for their content. After innumerable patches and fixes, it's clear that Flash will never be safe. But until Flash is put out to pasture for good, we will still need to keep our guard up against Flash-based attacks.
