Enhancing the Security of Adobe Flash


Adobe's Flash player has had its share of security issues, so much so that some users have refused to install it. Here's a technique that will allow you to keep Flash installed but run it only under your control. It's called ClicktoFlash, and it'll speed up your Safari browsing too.

When you visit a Website that uses Flash, the site sends a request to the Flash Player on your Mac to activate. There may be multiple Flash sources on a page, in addition to the one you're interested in -- perhaps some ads as well. Some may not be easy to see, but they'll still chew up your CPU and pose possible security risks.

Adobe's Flash player, located in /Library/Internet Plug-Ins/, then springs into action to render the videos. A significant problem is that Adobe doesn't supply an auto-updater for the Flash Player, and it isn't folded into Mac OS X's Software Update. As a result, many users are left perusing the Internet with, possibly, an older and vulnerable version of Flash, and they don't even know it.

So far, the only solutions have been to either remove the Flash Player or keep a sharp eye out for the latest version and stay on top of the updates.

This page shows you the latest version of Flash Player.

This page shows you the version you have installed.

ClicktoFlash to the Rescue

Fortunately, there is a handy plug-in called ClicktoFlash from the Red Shed Software Company. It intercepts the request to the Flash Player and inserts a graphic, like the ones below, on a Web page that has Flash content.


Click to play the content or click the gear for options

Note: This utility will work only with Safari 3 or later, and Safari 4 is highly recommended. ClicktoFlash, by the way, inserts a .webplugin file into /Users/username/Library/Internet Plug-Ins. That's all it does, and it's easy to uninstall if you need to.


A .webplugin file is installed.
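The two plug-in folders mentioned above (the system-wide one holding the Flash Player and the per-user one holding the .webplugin) can also be checked from Terminal. The script below is an added example, not part of the original article or of ClicktoFlash. It assumes the Flash bundle is named `Flash Player.plugin` and that versions are dotted numbers; `MIN_FLASH_VERSION` is a hypothetical variable you set to the current release number.

```shell
#!/bin/sh
# Added example: list plug-in bundles and flag an out-of-date Flash Player.

# Print a string value from an Info.plist. PlistBuddy is used on macOS; the sed
# fallback assumes an XML plist with <key> and <string> on adjacent lines.
plist_value() {  # plist_value <Info.plist> <key>
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c "Print :$2" "$1"
    else
        sed -n "/<key>$2<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}" "$1"
    fi
}

# Succeed when dotted numeric version $1 is lower than $2 (missing parts = 0).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "status<TAB>version<TAB>path" for each bundle in the given directories.
# Flash Player is marked OUTDATED when its version is below the minimum in $1.
audit_plugins() {  # audit_plugins <min_flash_version> <dir>...
    min=$1; shift
    for dir in "$@"; do
        for bundle in "$dir"/*.plugin "$dir"/*.webplugin; do
            [ -d "$bundle" ] || continue   # glob matched nothing
            ver=$(plist_value "$bundle/Contents/Info.plist" \
                  CFBundleShortVersionString 2>/dev/null) || ver=
            status=ok
            case $bundle in */"Flash Player.plugin")
                if version_lt "${ver:-0}" "$min"; then status=OUTDATED; fi ;;
            esac
            printf '%s\t%s\t%s\n' "$status" "${ver:-unknown}" "$bundle"
        done
    done
}

# MIN_FLASH_VERSION is a hypothetical variable; 0.0.0.0 is a placeholder for the
# current release number, which this example does not know.
audit_plugins "${MIN_FLASH_VERSION:-0.0.0.0}" \
    "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"
```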

From now on, whenever you visit a page that has Flash content, you can selectively choose which Flash item you want to play -- just click it. Ads and other content you're not interested in won't be executed. This will also speed up your browsing.

Note the gear in the upper left corner of the Flash content. That controls all your options, including an option to uninstall. The first popup shows immediate options.


Gear popup for options

The bottom item, ClicktoFlash Settings..., brings up a page of preferences.



ClicktoFlash has a lot going for it. It's easy to install or uninstall. It's trivial to use in practice. It's in constant development, and you can have it check for updates. You can whitelist entire sites that you trust. Your Mac will spend less time executing Flash code, and Safari will seem snappier.

Note that this plugin only works for Apple's Safari. If you want equivalent functionality for, say, Firefox or Camino, you can use a product called Flashblock. ClicktoFlash is free, but the developer requests a modest donation of US$6 to support development. I've sent him my donation.

Here's an additional note from the developer on the "invisible" Flash setting.


Thanks to TMO reader Sir Harry Flashman for the tip on this very handy plugin.




One annoyance with Safari is that if you try to disable the Flash plug-in and if the web page author includes download references, the user is required to continually dismiss download request dialog boxes.

Lee Dronick

One annoyance with Safari is that if you try to disable the Flash plug-in

That is one of the nice things about ClickToFlash, no need to disable the Flash plugin.


I *HATE* Flash


Yep, just installed click-to-flash. Much gooder.

I like, too, how it installs in the user’s library not in the local library.

Lee Dronick

just installed click-to-flash. Much gooder.

I like, too, how it installs in the user’s library not in the local library.

Makes it easier to troubleshoot. If there are Safari problems you can login using a different account and see if it is related to ClickToFlash.

I *HATE* Flash

I too generally dislike Flash, but it isn’t inherently bad, the problem is in how it is used.


Just for the record, this seems to work just fine on Omniweb. I wonder if it will also work with Chrome and other Webkit browsers?



If you are a Firefox user, this site has a similar program - http://flashblock.mozdev.org/


I especially love this program’s ability to play YouTube videos with QuickTime. It has saved me tens of hours of battery life and millions of RPM’s of fan usage. (I know that’s not technically right, but that’s basically the way it seems ;)


Flash is great for certain things, such as Pandora, but given that Adobe allows the user little governance over its use in web pages without affecting it universally makes it a loathsome program.


I just run Safari with the “Enable plug-ins” UNchecked in the Prefs. It’s very easy to hit ‘CMD-,’ with the prefs left at the Security Tab, and click to turn ON plug-ins when necessary. This works great for old hardware and 10.4.11 where ClicktoFlash isn’t an option. Dramatically improves browsing experience.

I am amazed that with all the complaining about FLASH that it is still such a CPU hog. Has me convinced the basic FLASH software architecture must be really a mess, or Adobe truly doesn’t know what they are doing.


Outstanding!!! They earned the modest donation—well done!

Thanks TMO staff and Sir Harry Flashman for this early Christmas present—and you didn’t even need to wrap it!

BTW, ClickToFlash settings are also available in the menu bar under “Safari” when active.

Flash Gordon

This page shows you the latest version of Flash Player *AND* the version you have installed:


No need to go to two separate pages.

Also, for some reason, people do not seem to know about the Adobe Flash Player Settings Manager. You can set some security parameters and also set an interval for it to check for a new version. You *NEED* to go to this page and configure your settings to lessen your chances of a security breach. I’m not sure why this is not more well known. Here is the Settings Manager page:


And for the heck of it, here is the proper download page as well: 

