New Flash Player Security Controls

Product Alerts

While Adobe announced its plans to stop updating and distributing Flash Player at the end of 2020, we continue to work hard to find and implement tools to help protect users until that time. Over the last few product releases we have deployed several new security controls for our customers to help ward off potential attacks.

When Adobe issues a zero-day (0-day) security update, we always issue security updates for all browsers out of an abundance of caution. We do not assume that the initial exploit sample we see is the only variant that may exist, and we also know that new variants may be introduced as details of the exploit become more widely known. However, when reviewing the recent history of Flash Player 0-day vulnerabilities, the initial 0-day samples we have received consistently targeted either Internet Explorer or Office.

To help provide enterprises using these applications with options, Adobe introduced a control in Flash Player version 27 in November 2017 that allows administrators to make Flash Player click-to-play in Internet Explorer via the mms.cfg file. Administrators can apply this setting either globally or selectively for specific domains. This allows enterprises with legacy software that requires Internet Explorer to help limit their exposure to Flash Player attacks. Details of this setting can be found in the Flash Player Administrators Guide. Modern browsers, such as Microsoft Edge, have a click-to-run experience built-in and can therefore better protect you from these types of attacks.

In addition, Adobe has made Flash Player click-to-play across all versions of Office with the latest Flash Player release (version 30). This will help prevent Flash Player exploits from automatically running when a document is opened and offers an opportunity for the viewer to realize that a document may be malicious. For users of Office 365, Microsoft plans to begin blocking Flash Player and other plugins altogether. This change will help protect users going forward, and Adobe’s change will help to protect people using older versions of Office.

In addition to the changes discussed above, the Flash Player team has been closely watching the research around the recent vulnerabilities in modern processors. Adobe has made several changes in an effort to help reduce the risk of Flash Player being used as a potential platform for these attacks. One of the changes made is disabling SharedByteArray functionality. We have made additional changes which mirror what the browser community has done to reduce the accuracy of timers within our platform.

These protections aim to reduce the attractiveness of Flash Player as a target for attackers. These efforts are all part of our ongoing commitment to keep our customers as safe as possible as we wind down use of Flash Player.

Peleus Uhley
Principal Scientist


Product Alerts

Posted on 06-27-2018