Update: Adobe has released an update to counter the zero-day exploit

[balloonshark]

How do I disable flash not working when firefox and palemoon deem it vulnerable. I want to update when I feel like it, not when my browser forces me. I have several security layers so being outdated isn't a problem.

I tried this in about:config.

plugins.hide_infobar_for_outdated_plugin true

 

[Ketchup]

FYI, I told Flash to update this morning, and I am now at 16.0.0.305. No further warnings. Hopefully the zero-day exploit was taken care of.

 

[nemesismk2]

I wish I could just ditch Flash, but unfortunately many news sites I view use flash for their videos. HTML 5 needs to come out full swing!

i decided that if a website uses flash then i don't visit anymore. fof example if anandtech used flash only then i would delete my anandtech account.

 

[Chiefcrowe]

I agree here, I see the same thing on FB and it is kind of annoying.

Of course, though I wish that blocking solutions would receive more development attention because 'ask to activate' in FF is rather hit and miss, especially on Facebook (integrated videos don't work a lot of the time and I had to open the link in a new tab for it to consistently work).

 

[John Connor]

Only to the extent that it would block flash being loaded. It does not make the use of Flash after it's already been loaded more secure. As I've said before, using Flash in the confines of the Chrome sandbox is the most secure way to use Flash.

I use Sandboxie.

 

[John Connor]

Admittedly I can't think of a way to answer this question, but I wonder how likely it is for a Flash exploit to be included as part of a Flash clip that a user actually wants to view.

AFAIK, I would expect the most likely sources of exploits to be a) adverts or b) phishing sites.

If I'm correct, then NoScript would probably provide better protection than anything else out there (assuming the user hasn't done something stupid like "enable JS globally" or, if there is such an option, "enable non-third party JS globally). Alternatively, the "Ask to activate" plug-in feature would also provide better protection than say Chrome sandboxing.

PS - I realise that in the case of the "phishing site" scenario I mentioned, a user might well get duped into loading dodgy JS / plug-in exploits, but it's (NoScript/Ask to Activate) still an additional hurdle for malware designers to overcome.

In NoScript you can block the plugin and collapse the block. To activate you have to click the little box and a confirmation comes up.

 

[PliotronX]

What I don't get about how insecure flash is, is why does the flash application even have code that allows those things to happen? Flash is basically a client to display information. It should not actually be able to DO things that change your computer. It should only be able to display you content.

Another one that always gets me even more is PDFs. Those are basically glorified images that require an overcomplicated viewer. Why is there so many exploits in those products?

Throw java in there too. Don't think about it, it only hurts your head. A popular vehicle I am seeing besides fake java and flash updates is unofficial chrome and Firefox installers loaded with malware. A couple of systems were booting to the black screen with a cursor.