Wednesday, October 18, 2017

[How-to] Disable Flash Completely in your browser (Chrome, Firefox, Edge, IE)

Flash needs to die, it needs to die hard. I've said this for years, sadly my last remaining holdouts are usually corporate related applications - and in my case the VMware vCloud Director and vSphere Web Client. This week it was found that the latest version of Flash (read: fixes a security exploit [CVE-2017-11292] already in the wild) also breaks these two tools. The official fix [KB 2151945] is not pretty at all - while we await a fix from Flash [Update 2017-10-31 - the full fix is public - download any version of flash 27.0.0.183+ https://get.adobe.com/flashplayer/ ] , here is the summary of the work around - revert to an older "compromised" version of Flash. Ouch.


Now this doesn't sit well with me, but I need to be able to use tools, while also remaining secure. So I'm sharing a little tip I've been using for a good year now - which is to have a "Flash Only" browser that you only use for your "trusted" corporate applications. Of course this could also be used to browse sites you feel are are flash safe, but anymore even the most secure sites are not safe from some malicious party so I'd just say don't use Flash EVER.

In my case I disable flash completely in Chrome, Edge and IE, then enable it in Firefox and only use Firefox for my legacy Flash tools. I'll show you how to disable it in every browser below, but for this to work you need to keep your "primary" browser(s) safe and flash free, while some browser you can live without your "Flash Zone". In a perfect world this would be Edge or IE but as Edge and IE doesn't work with 75% of the things I need it so it's pretty much sits unused - I just lock it down to be safe (and because Windows 10 randomly opens things in Edge when you are clicking from certain Windows 10 items, and I want to remain safe for the 10 seconds it takes to copy the link, close Edge and open the link in Chrome).

So bottom line: 
  • Pick your safe browser(s) - disable Flash. Use these daily, stay secure. Get an I Hate Flash sticker, put it on your laptop while we all countdown to Flash's Death!
  • Pick your single flash only browser - leave flash enabled. Never use this except for the tools you need, submit endless feature release requests to these apps to move to HTML5 and ditch flash.

Disabling Flash on Chrome [Win]:

Tested on Version 61.0.3163.100 (Official Build) (64-bit)

1. Click the three dots in the upper right corner of Chrome, then Click Settings


2. In the Settings Search Box - type Flash, click the Content settings option (with the "Flash" highlight)
4. Click the Flash - Block sites from running Flash option (should be highlighted as shown)
5. Toggle the Allow sites to run Flash button off, note this will change the text to Block sites from running Flash when off, and back to Allow sites to run Flash when on.
6. Close the Settings Tab, Open a new Tab and test flash is disabled with your favorite web based test site such as IsFlashInstalled.com.

Disabling Flash on Firefox [Win]:

Tested on 56.0 (64-bit) and ESR 52.4.0 (32-bit)

1. Click the three lines in the upper right corner of Firefox, then click Add-ons.
2. Click Plugins on the left, you should see Shockwave Flash in the list, click the activate pulldown to the right and select Never Activate - Flash will move to Disabled and become grayed out.

3.Close the Add-on Tab, Open a new Tab and test flash is disabled with your favorite web based test site such as IsFlashInstalled.com.

Disabling Flash on Edge:

Tested on 40.15063.674.0

1.Open Edge, if you don't use it that often be prepared for Microsoft to beg you to switch to their "better browser"; when it lets you click the three dots in the upper right corner, then click Settings in the list.

2. Scroll to the bottom of the Settings screen, under Advanced settings click the View advanced settings button.

3. On the Advanced settings screen, under Use Adobe Flash Player click the option from On to Off.

4. Close the Settings window, and test flash is disabled with your favorite web based test site such as IsFlashInstalled.com. Edge is suppose to always prompt (i.e. always on is never allowed) so if you don't get a prompt to enable flash and it says NOPE! you are good to go.

Disabling Flash on Internet Explorer:

Tested on 11.674.15063.0

1.Open IE, click the Gear in the upper right hand corner, then click Manage add-ons menu option.
2. In the Manage Add-ons screen, under Toolbars and Extensions, find and click Shockwave Flash Object to expand the details below, click the Disable at the bottom.
3. Close the Manage Add-ons window, and test flash is disabled with your favorite web based test site such as IsFlashInstalled.com.


Optional - Remove Flash completely:

Chrome and Edge use an embedded version of Flash - while we've already established my dislike of Edge and it's ability to run most of my Flash enabled corporate applications it is possible that you can secure your system further by making Chrome your "flash only" browser, then not only disable in the other browsers but then go into Programs and Features and complete uninstall Adobe Flash Player which will further secure your system at least in IE and Firefox.

No comments:

Post a Comment