Therefore the recommendation, if you can't disable Flash entirely, is to choose "Block by default" in Chrome's plugin settings so that you have to right-click and "Run This Plug-in" when you really want Flash to play. You can still whitelist if you want.
I do see how preventing clickjacking is hard, and you wouldn't want click-to-play as the only line of defense, but I think Chrome should at least make the effort to do so. A working click-to-play security boundary would reduce the number of sites that get to attempt to exploit me with Flash by more than an order of magnitude.
Any website can induce you to click somewhere using a psychological trick (for example, a "Next Page" link in an article). There would be no reason to be concerned--after all, merely following a link on a webpage can't be unsafe, right? (After all, you know better than to download software from untrusted sources, so you won't do that. You're just browsing pages.) Then it could use script to replace that link with a malicious plugin in the instant just before you are most likely to click. There--bypassed security boundary.
I find this "you don't need to know the inner workings" lesson analogous to a thought experiment I sometimes ask tech people. I quiz them: Can a USB storage drive harm your computer (install malware, etc.) merely by plugging it in, even if you know better than to run any executable files on it? The answer is (1) Yes, and (2) You don't need any specialized knowledge of how USB works to know this--you just need to know about the existence of USB keyboards. The USB device, despite appearing to be a thumb drive storage device, need merely identify itself as a keyboard, and it can start typing malicious commands after being plugged in.
Disable all of them
Edit: if you have a site that requires a plugin, create a separate Chrome user with that plugin enabled and run that site in it.
Thus the advice to disable or block Flash within Chrome, especially since Chrome's Flash hasn't yet been updated for this vulnerability.
I can but there are websites that still rely on Flash for video playback :/
Disabling unsecured plugins will be a long term benefit for us.
Apparently this is because it needs MediaSourceExtensions with HTML5 MP3 support, neither of which are in Firefox currently - https://bugzilla.mozilla.org/show_bug.cgi?id=911837
The situation is better on Linux, as several distros include chromium packages.
I'd love to know who runs it.
If you use Chrome, and want to be safe, go to about:plugins, and disable it manually.
Under Linux the latest is 184.108.40.206, which is not vulnerable (but I'm using Chrome 40.0.2214.10 beta, so YMMV).
Chrome sandboxes plugins in order to give an extra layer of protection against exactly these kinds of exploits. The interesting question will be how it helps in this case. Do you have any info?
ADDED: initial reports suggest Chrome is NOT affected; whether it's thanks to Chrome's sandboxing model or whether it's because Chrome has patched it isn't clear: http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerab...
Adobe has promised to support the NPAPI Linux plug-in for a few more years (IIRC till 2017). It doesn't get any new features, but security issues will be fixed, usually at the same time as on other platforms.
Well, question answered.
Furthermore, it's more shameful to release an update for the manual update users two days after the automatic update users get it. Get over yourselves already. This is already being exploited; push fixes out faster or at least at the same time.
Steve Jobs was so right.
Uninstall Flash, and refuse to reinstall it. And see if your nontechy friends and relatives will let you do the same to protect them as well.
There are a lot of sites that have multiple streaming options, but when Flash is installed it's what they default to.
Apple QuickTime has over two hundred -- and that's ONLY counting from OS X days (i.e., not including Mac OS days).
Writing network-enabled rich-content delivery platforms is a hard task. Flash Player is installed on a tremendous number of devices across a staggeringly diverse operating system segment. Problems are sadly impossible to avoid.
Firefox has more than 1100 -- again, not counting Mozilla days. Chrome has more than a thousand. Safari, commendably, has little more than five hundred. The point is nobody gets it right. Not even Steve Jobs.
There haven't been many major pieces of software that didn't have at least one major security vulnerability reported in the last year. Apple's products being no exception.
That isn't making excuses for them, of course, but it gives us an important data point as to what behaviour to avoid in future. (I'm looking at you, Silverlight.)