Getting Rid of Flash

It's been a long time since I posted, and I know I never finished my series of posts about DNS, NFS and NIS. I promise I will get to it soon! For now, however, I have decided to post about my attempts to get rid of Flash from my web browser, once and for all.

In case you have not already heard, there have been two critical vulnerabilities (both 0days) discovered in Flash within the past week. These were both discovered in the leaked data exfiltrated from Hacking Team by an anonymous hacker(s). You can read more about them here and here.

If you continue reading Krebs’s blog you will very quickly see that Flash is often the subject of the week, with a critical vulnerability putting all its users at risk. Just look at this list: in the past month Flash has over 35 vulnerabilities with a severity score of 10.0! That's just scary! So after doing lots of reading about how people have dealt with moving off Flash, and some inspiration from Krebs, I decided to try to slowly wean myself off Flash.

YouTube now has support for HTML5, and you can also make use of Viewtube to play files with the browser's built-in HTML5 player, so it was very easy to stop using Flash here. However, there are many sites on the internet that still require the use of Flash to function properly. To deal with this, I decided to create a low resource usage VM that I would use to browse websites that required the Flash plugin. This means that the browser running on my host will not be vulnerable to any Flash player exploits, and the browser in the VM will require an attacker to break out of the VM before they can do harm to the host. To further increase the security, I applied an AppArmor policy to try and restrict the browser's functionality as much as possible.
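One way to check the setup described above, as an added example that is not from the original post: shell functions that look for leftover Flash plugin files on the host and report the AppArmor confinement mode of a running browser. The function names and the directories passed in are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit for leftover Flash plugins and verify AppArmor
# confinement of a browser. Directories to scan are supplied by the caller.

# Print every Flash plugin file found under the given directories.
# libflashplayer.so is the NPAPI plugin, libpepflashplayer.so the PPAPI one.
find_flash_plugins() {
  local dir
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \
      \( -name 'libflashplayer.so' -o -name 'libpepflashplayer.so' \) 2>/dev/null
  done
}

# Classify an AppArmor label as read from /proc/<pid>/attr/current,
# e.g. "unconfined" or "/usr/lib/firefox/firefox (enforce)".
aa_mode() {
  case "$1" in
    unconfined|'') echo unconfined ;;
    *'(enforce)')  echo enforce ;;
    *'(complain)') echo complain ;;
    *)             echo unknown ;;
  esac
}

# Report the confinement mode of each running process with the given name.
# Returns non-zero if any instance is not in enforce mode.
check_browser_confined() {
  local name pid label mode rc
  name="$1"
  rc=0
  for pid in $(pgrep -x "$name"); do
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null)
    mode=$(aa_mode "$label")
    echo "$name pid=$pid mode=$mode"
    [ "$mode" = enforce ] || rc=1
  done
  return $rc
}

# When run with arguments, scan those directories for Flash plugin files.
[ "$#" -eq 0 ] || find_flash_plugins "$@"
```

On the host, an empty result from `find_flash_plugins` over the browser plugin directories is the goal; inside the VM, `check_browser_confined` should report `enforce` for the browser process.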

For now I think this will work fine; I have tested with some websites and the results look promising. Stay tuned as I will post again on how I am faring without Flash on my host browser. I hope to eventually find non-Flash-based alternatives to the websites that require them.

Update: Just look at this, the average CVE score for Flash is 9.3!

Source: http://www.cvedetails.com/cvss-score-charts.php?product_id=6761&fromform=1

This entry was posted in Linux, Security.

2 Responses to Getting Rid of Flash

  1. Pingback: Getting Rid of Flash – After 3 Weeks | Information & Technology
