Getting Rid of Flash
Its been a long time since I posted, and I know I never finished my series of posts about DNS, NFS and NIS. I promise I will get to it soon! For now however, I have decided to post about my attempts to get rid of flash from my web browser, once and for all.
In case you have not already heard there have been two critical vulnerabilities (both 0days) discovered in flash within the past week. These were both discovered in the leaked data exfiltrated from Hacking Team by an anonymous hacker(s). You can read more about them here and here.
If you continue reading Krebs’s blog you will very quickly see that flash is often the subject of the week, with a critical vulnerability putting all its users at risk. Just look at this list, in the past month flash has over 35 vulnerabilities with a severity score of 10.0! Thats just scary! So after doing lots of reading about how people have dealt with moving off flash, and some inspiration from Krebs, I decided to try to slowly wean myself off flash.
Youtube now has support for HTML5 and you can also make use of Viewtube to play files with the browsers built in HTML5 player so it was very easy to stop using flash here. However there are many sites on the internet that still require the use of flash to function properly. To deal with this, I decided to create a low resource usage VM that I would use to browse websites that required the flash plugin. This means that the browser running on my host will not be vulnerable to any flash player exploits, and the browser in the VM will require an attacker to break out of the VM before they can do harm to the host. To further increase the security, I applied an apparmor policy to try and restrict the browsers functionality as much as possible.
For now I think this will work fine, I have tested with some websites and the results look promising. Stay tuned as I will post again on how I am faring without flash on my host browser. I hope to eventually find non flash based alternatives to the websites that require them.
Update: Just look at this, the average CVE score for flash is 9.3!