Department of Homeland Security Warns Users to Disable Flash

Dennis Faas's picture

Adobe has vowed to fix a critical security hole in its Flash software within a week. But the Department of Homeland Security (DoHS) has taken the extremely unusual step of advising users to switch off the feature until the patch is available.

The hole can be used for so-called 'drive-by' attacks, which occur when a user simply visits an infected website. However, the relevant code is also shared with Adobe's Acrobat software, meaning it can cause security problems through PDF documents which have Flash embedded in them for greater interactivity. The practice of embedding Flash in PDFs had already been criticized as a security risk.

The problem can theoretically affect Windows, Linux and Mac computers. To date, it's only confirmed that hackers have exploited it on Windows machines running Adobe Reader 9.

Critical Fix Due July 30th

Adobe says it expects to have a fix for Flash Player 9 by next Thursday (July 30th) and for Adobe Reader and Acrobat the following day. In the meantime, Adobe advises users to exercise caution visiting websites they may not be able to trust, to make sure antivirus software is up to date, and to consider using User Account Control mode if running Windows Vista.

The firm also suggests users block access to the file named authplay.dll that ships with either Adobe Reader or Acrobat. The easiest way to find this file is to use Windows Search (Start -> Search), type in the filename and search for it.

Once the file is found, rename it to authplay-old.dll (for example), then rename it back to the original filename once the fix has been released. While the file is renamed, users will get an error message and possibly a crash when opening a PDF document with Flash embedded, but the risk of infection will be negated. (Source: adobe.com)
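For anyone who prefers to script the rename rather than use Windows Search, the following PowerShell sketch does the same thing and can reverse it once the fix is installed. It is an added example, not a tool from Adobe or US-CERT, and it assumes Adobe Reader or Acrobat is installed somewhere under a Program Files folder; the `-Restore` and `-SearchRoot` parameters are names chosen for this example.

```powershell
# Added example: applies the authplay.dll rename workaround described above.
# Run from an elevated prompt with Adobe Reader/Acrobat closed, otherwise the
# file may be locked or access may be denied.
# Assumption: the Adobe products live under a Program Files directory.
param(
    [switch]$Restore,   # rename back to authplay.dll after the patch is installed
    [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

$original = 'authplay.dll'
$disabled = 'authplay-old.dll'   # the example name used in the article

if ($Restore) { $from = $disabled; $to = $original }
else          { $from = $original; $to = $disabled }

# Drop empty or missing roots (e.g. no "Program Files (x86)" on 32-bit Windows).
$roots = $SearchRoot |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter $from -Recurse -File -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Output "No $from found under: $($roots -join ', ')"
    return
}

foreach ($file in $hits) {
    $target = Join-Path $file.DirectoryName $to
    # Never overwrite an existing file; report it so it can be checked by hand.
    if (Test-Path -LiteralPath $target) {
        Write-Warning "Skipping $($file.FullName): $to already exists in that folder"
        continue
    }
    try {
        Rename-Item -LiteralPath $file.FullName -NewName $to -ErrorAction Stop
        Write-Output "Renamed $($file.FullName) -> $to"
    } catch {
        Write-Warning "Could not rename $($file.FullName): $($_.Exception.Message)"
    }
}
```

Run it with no arguments to disable the file, and again with `-Restore` after installing the update.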

Government Calls For Stronger Action

That advice doesn't go far enough for the Department of Homeland Security. Its Computer Emergency Readiness Team (CERT) advises users to "Disable Flash Player or selectively enable Flash content" until the patch is released. (Source: us-cert.gov)

That would certainly do the trick, though it would mean many web features, including videos on YouTube, would become inaccessible. Depending on the browser/operating system combination, users may be able to stop their computers running Flash content by default, while simply clicking to access any content they trust.
