Posted By: dondenny Is Adobe Flash Player needed or desired? - 04/08/10 02:34 PM
I recently used iTunes to subscribe to a WNYC radio podcast. In the description of the first podcast was the statement, "if you do not see flash audio player, please install the latest flash player." I had no idea what Flash Player is, so I used Spotlight to determine that I do not have it installed. I did recall that I recently read that the iPad has been criticized for not using Flash so I Googled it and learned that a new version is compatible with my OS 10.6.3 and, moreover, that Adobe says that it will give me "unprecedented creative control with new expressive features and visual performance improvements ..." Now, that sounded cool, but still I wasn't sure I needed it. Turning to Wikipedia I learned: "The Adobe Flash Player is software for viewing animations and movies using computer programs such as a web browser." Again, that sounded good, but I kept reading and was stunned to read this:

Edit by moderator: inserted this link to quoted text to provide full attribution. Wikipedia: Adobe Flash Player

"Flash Player is an application that, while running on a computer that is connected to the Internet, is designed to contemporaneously interact with websites containing Flash content that are being visited online. As such, under certain configurations the application has the potential to silently compromise its users' Internet privacy, and do so without their knowledge. By default, Flash Player is configured to permit small, otherwise invisible "tracking" files, known as Persistent Identification Elements (PIEs)[27] or Local Shared Object files, to be stored on the hard drive of a user's computer. Sent in the background over the Internet from websites to which a user is connected, these files work much the way "cookies" do with Internet browsers. When stored on a user's computer, PIE (.sol) files are capable of sending personally sensitive data back out over the Internet without the user's knowledge to one or more third parties. In addition, Flash Player is also capable of accessing and retrieving audio and video data from any microphone and/or webcams that might be either built in or connected to a user's computer and transmitting it in realtime over the Internet (also potentially without the user's knowledge) to one or more third parties."

So my questions are (1) Do I really need to install this app? (2) Is it really as dangerous a threat to my security as the Wiki quote says? (3) If it is, why isn't Adobe required to advise a potential user upfront about its liabilities?
Originally Posted By: dondenny
So my questions are (1) Do I really need to install this app? (2) Is it really as dangerous a threat to my security as the Wiki quote says? (3) If it is, why isn't Adobe required to advise a potential user upfront about its liabilities?

  1. Only if you want to view the page or site in question, otherwise you don't need it.
  2. There are or have been security holes in most browsers and other internet applications including Safari and Quicktime. Some are inherently more secure than others and vice-versa but Tacit or someone more knowledgeable than I will have to address the specific level of risk imposed by Flashplayer.
  3. Adobe, like Apple, and the other developers of internet applications is pretty good about releasing updates or patches any time a security hole is discovered. The key is keeping your software up to date with all the latest updates and patches as well as using common sense on what web sites you visit. Virtually all malware attacking the Macintosh requires the user to install it so the next time you are visiting a porn site and are asked to install something "so you can view the site better" or you are downloading and installing pirated software be aware there is a high probability you are opening the door to malware.
Supposedly Adobe's Flashplayer is found on well over 80% of the computers in the world. I have used Flashplayer on all my Macs for many years and have never ever had any malware other than infected emails from some of my poor benighted PC using friends and none of those were successful in infecting my Macs.
Maybe I'm naive, but I wasn't aware that Quicktime or Safari or any other application was "capable of accessing and retrieving audio and video data from any microphone and/or webcams that might be either built in or connected to a user's computer and transmitting it in realtime over the Internet (also potentially without the user's knowledge) to one or more third parties." This is the action that triggered intervention by law enforcement and national media attention when done without notice to students by the Lower Merion township high school in Montgomery County, Pennsylvania, last month. I gather from the lack of responses to my post that I'm pretty much alone in being worked up about it. Still, if Flashplayer is so prevalent, how is it that I haven't encountered any problems by not having it installed before this?
In addition to Joemikeb's comments, many users find that Flash can be a CPU and power hog and generally mess up one's browsing experience. The free Safari plugin ClickToFlash suppresses all flash frames in web pages until you allow them to run. Another (Snow Leopard only) utility, BashFlash, extends this functionality by letting you kill a flash process you mistakenly allowed with ClickToFlash.
> Another (Snow Leopard only) utility, BashFlash, extends this functionality by letting you kill a flash process you mistakenly allowed with ClickToFlash.

Just to clarify, simply refreshing a page on which Flash has been enabled gets you back to square one, i.e. re-suppresses said page's Flash content; BashFlash does so universally.

(It seems to me that every version of OS X I've ever run installed Flash by default; I wonder why it's not installed on dondenny's Mac?)
Posted By: ryck Re: Is Adobe Flash Player needed or desired? - 04/09/10 08:54 AM
Originally Posted By: dondenny
This is the action that triggered intervention by law enforcement and national media attention when done without notice to students by the Lower Merion township high school in Montgomery County, Pennsylvania, last month. I gather from the lack of responses to my post that I'm pretty much alone in being worked up about it.


I've only just read your post and find the information quite disturbing. I was not aware of the danger, so thanks for finding and posting. I recall the news story and, as there wasn't a lot of technical detail, assumed the school's ability to spy might be connected with a local network of some sort.

I may also have been distracted by being totally aghast that some school administration pinhead would even contemplate such an invasion, let alone actually carry it out.

Your link ends with a bit of unsettling information: "In addition to cookies, many banks and other financial institutions also routinely install Persistent Identification Elements using Flash Player on users' hard drives when they establish and access their accounts, as do other interactive sites such as YouTube."

Yikes.

ryck
Reflecting on artie's comment regarding the ubiquity of Flash Player in Mac OS, I've checked my system again more thoroughly. And I find I do have Flash Player.plugin (/library/internet plugins). Initially I had used Spotlight to look for "flash audio" (because that was the original reference that triggered my interest) and then I'd looked for simply "flash," with no result from either search. I was also assuming I was looking for an application and had found nothing relevant in the application folder.

I appreciate everyone's comments; I'm going to look into ClickToFlash and BashFlash. But what about the "personally sensitive data" Flash Player can reveal to others that the Wikipedia article refers to? What data is that? Merely my URL access history or more? And where are these Persistent Identification Elements stored? I can access the cookies stored on my Mac and choose to delete them if I wish; can I do the same with these PIEs? But the biggest and spookiest issue in this matter is the Wikipedia statement that "Flash Player is also capable of accessing and retrieving audio and video data from any microphone and/or webcams that might be either built in or connected to a user's computer and transmitting it in realtime over the Internet." I would sure like to know more about that.

Posted By: ryck Re: Is Adobe Flash Player needed or desired? - 04/09/10 06:06 PM
Originally Posted By: dondenny
But the biggest and spookiest issue in this matter is the Wikipedia statement that "Flash Player is also capable of accessing and retrieving audio and video data from any microphone and/or webcams that might be either built in or connected to a user's computer and transmitting it in realtime over the Internet." I would sure like to know more about that.


I went to the Adobe site and did some experimenting with their Settings Manager. The results were interesting. Clicking on the Global Security Settings Panel brought five choices.

Global Privacy Settings

This is where you Always Deny or require Always Ask for websites who want access to your camera or microphone.
I selected Always Ask but found, as I did further testing, that the selection wasn't particularly meaningful.

Global Storage Settings

You can specify the amount of disk space a website can use to store information on your computer. It's accompanied by a Never Ask Again checkbox. The default has the box unchecked.
There are two other check boxes: "Allow third party Flash content to store data on your computer" and "Store common Flash components to reduce download times". I have never been to the Adobe Settings Manager so I found it interesting that the default was that both boxes were checked.
I left the two boxes as is, but reduced the disk space to zero.

Global Security Settings

This is where one is supposed to be able to restrict access from other sites using an older system of security and Adobe says: "This is usually harmless, but it is possible that some sites could obtain unauthorized information using the older system."
You can choose Always Ask, Always Allow, Always Deny. There's also a box to enter the addresses of trusted locations.
I chose Always Ask.

Website Privacy Settings

You can change the privacy settings for websites you have already visited and there is a box listing sites that have made a request and it shows how much disk space they have used. You are able to delete websites from the box.
I had five sites and two of the five had placed information on my drive - they were "iViewTube.com" and "media.mtvnservices.com". I deleted all five.

There also are buttons for the Always Ask, Always Allow, and Always Deny options...but they are not operational.

Website Storage Settings

Like Global Storage, you can change the disk space storage settings for sites you have visited. It's also accompanied by a Never Ask Again checkbox, and the default has the box unchecked. I set the slider to zero.
Like Website Privacy, there is a box listing sites that have stored information and it shows how much disk space they have used. You are able to delete websites from the box.


My dull post actually has an interesting ending. After I made the Settings Manager changes, I visited the five sites mentioned earlier. Following each visit I went back to Adobe's site and checked the status of the Settings Manager.

In spite of the fact that I had checked off "Always Ask" and had set all disk space sliders to zero, "iViewTube.com" always put information on my drive. I was never asked. It wasn't until I went back to the Global Storage Settings and unchecked "Allow third party Flash content to store data on your computer" that it stopped.

After the box was unchecked I again visited all the sites. Most seemed to load okay. The exceptions were "iViewTube.com" which was slow in loading and "media.mtvnservices.com" which simply loaded a blank page.

I am certainly not any kind of expert in web security matters and just put this information up to present the experience of a novice. I leave it to the qualified folks at this site to assess whether any of this is meaningful or not.

ryck
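An added example, not part of any post in this thread: a small Python audit that lists the Local Shared Object (.sol) files on disk per site, as a cross-check on what the Website Storage Settings panel reports. The default path is the usual per-user Flash Player location on Mac OS X and is an assumption not stated in the thread; the function names are made up for this example.

```python
import os
from collections import defaultdict

# Assumed default per-user location on Mac OS X (not given in the thread).
DEFAULT_ROOT = os.path.expanduser(
    "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects")


def inventory_lsos(root=DEFAULT_ROOT):
    """Return {domain: {"files": [...], "bytes": total}} for every .sol file.

    Assumed layout: <root>/<random profile dir>/<domain>/<...>/<name>.sol
    """
    if not os.path.isdir(root):
        return {}
    report = defaultdict(lambda: {"files": [], "bytes": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue  # only Local Shared Objects are of interest
            full = os.path.join(dirpath, name)
            parts = os.path.relpath(full, root).split(os.sep)
            if len(parts) < 3:
                continue  # needs profile dir, domain dir and a file
            entry = report[parts[1]]  # parts[1] is the storing domain
            entry["files"].append(os.sep.join(parts[2:]))
            entry["bytes"] += os.path.getsize(full)
    return dict(report)


def format_report(report):
    """One line per domain, largest storage first."""
    lines = []
    for domain in sorted(report, key=lambda d: -report[d]["bytes"]):
        entry = report[domain]
        lines.append("%-32s %3d file(s) %8d bytes"
                     % (domain, len(entry["files"]), entry["bytes"]))
    return lines


if __name__ == "__main__":
    for line in format_report(inventory_lsos()):
        print(line)
```

Running it before and after visiting a site shows whether that site wrote data regardless of the Always Ask setting.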
ryck, thanks for your good efforts and the information. I'm going to follow in your footsteps and limit Flash Player too.
> I went to the Adobe site and did some experimenting with their Settings Manager.

Cool!

I've never seen Adobe's Settings Manager mentioned before; how'd you know it was there?
THE CYBER-SECURITY THREAD is not specific to your question, but you might derive some benefit from reading it.
Posted By: dkmarsh Re: Is Adobe Flash Player needed or desired? - 04/10/10 10:54 AM

This topic actually came up in a couple of MFIF threads a year ago:

Cookies will not delete
Adobe web site settings
Did you actually remember that or are you an inveterate searcher?
Posted By: dkmarsh Re: Is Adobe Flash Player needed or desired? - 04/10/10 11:52 AM

If you followed my links, you'd see that I spent some time researching the issue back then; why wouldn't I remember?

For those who had trouble accessing the MFIF pages, see Fix for macfixitforums archive slow loading - FineTunedMac. In the meantime, in those threads I linked to
For additional information, see the Electronic Privacy Information Center's EPIC Flash Cookie Page.
Posted By: ryck Re: Is Adobe Flash Player needed or desired? - 04/10/10 04:30 PM
Originally Posted By: artie505
I've never seen Adobe's Settings Manager mentioned before; how'd you know it was there?


It was linked to the Wikipedia link in dondenny's original post.

Originally Posted By: artie505
THE CYBER-SECURITY THREAD is not specific to your question, but you might derive some benefit from reading it.


Actually I have been following that thread. My response in this thread is due to the fact that dondenny's original post (Is Flash necessary?) morphed a bit. I thought this might be a good topic to add to the Cyber-Security thread but I'll leave that to the Moderators.

ryck
Posted By: ryck Re: Is Adobe Flash Player needed or desired? - 04/10/10 05:22 PM
Originally Posted By: dkmarsh
For those who had trouble accessing the MFIF pages, see Fix for macfixitforums archive slow loading - FineTunedMac. In the meantime, in those threads I linked to
- Adobe Flash Player : What Are Third-Party Local Shared Objects? (Adobe's description), and to
- Local Shared Object (Wikipedia's presumably more objective explanation).


Thanks for this.

I looked at both and, at the end of the Adobe link, there's another link called TechNote: How to disable third party local shared objects. When I looked at it I got a better understanding of what I did when I unchecked "Allow third party Flash content to store information and other data on your computer".

Quick Update Edit: I've now also read your EPIC Flash Cookie link, which was equally interesting.

However, I still don't know where I stand on two other questions.

1. Although I checked Always Ask, one website "iViewTube.com" constantly placed data on my computer without asking.

2. My status relative to dondenny's original concern, which was the ability of an outsider to take control of your camera and/or microphone without your knowledge. Am I vulnerable or not?

Now, in my case, if they take control of my camera before I've had my morning coffee, they're not likely to want to do that a second time. But still.............

ryck



The Plot Thickens
Edit: 13:00 Saturday

A friend sent a Google video link called Flying Colors - 2002. When I went to the video a small box was in the centre with this information:

Adobe Flash Player Settings
Local Storage
video.google.com is requesting permission to store information on your computer.

Requested: up to 10 KB
Currently Used: 0 KB


I first denied permission to see what would happen. The video played but the small box with the request remained.

I then provided permission. The box disappeared and the video replayed from the start.

I then went to the Adobe Global Privacy panel and it had:

video.google.com Used 1 KB Limit 10 KB
It had the Always Ask icon next to it.


However..........

The settings panel also had "iviewTube.com" Used 0 KB Limit 0 KB. It also had the Always Ask icon in spite of the fact that it had not asked.

I've deleted both.