Charles Leaver – Continuing To Support Adobe Flash Can Mean A Big Security Risk

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence Day looming, a metaphor is required: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is simply to avoid it. And with Flash, you needn’t fight pyromaniac urges to abstain from it; simply manage your endpoint configurations.

Why would you want to do this? Well, performing a Google query for “Flash vulnerability” returns 13 million results! Flash is old and spent and ready for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards such as HTML5 have matured and offer a number of the abilities that Flash ushered in… Looking forward, we encourage content developers to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any mention of Flash? Yes, in the typical enterprise, zillions. Your adversaries know that too, and they are counting on it. Thanks very much for contributing! Just keep ignoring those pesky security bloggers, like Brian Krebs:

I would suggest that if you utilize Flash, you must highly consider removing it, or at a minimum hobbling it until and unless you require it.

Ignoring Brian Krebs’ advice raises the chances that your enterprise’s data breach will be the feature story in one of his future blog posts.

Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation-state attackers and the better-resourced syndicates can call upon Flash zero-days. They aren’t hard to mine: point your fuzz tester at the creaking Flash codebase and watch them appear. If an offensive cyber team cannot call upon zero-days, not to worry, there are plenty of freshly published Flash Common Vulnerabilities and Exposures (CVE) entries to draw upon before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog post exemplifies this typical Flash vulnerability progression – from virgin zero-day to freshly hatched CVE and prime business exploit:

On May 8, 2016, FireEye detected an attack exploiting a formerly unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the problem to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 simply four days later (Published to FireEye Threat Research Blog on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it became a recognized vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.

Start a Flash and QuickTime Removal Project

While we have not discussed QuickTime yet, Apple eliminated support for QuickTime on Windows in April 2016. This promptly set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you eliminate all support for QuickTime? Including on macOS? Or just on Windows? How do you find the unsupported versions when there are so many floating around?


By doing nothing, you can flirt with catastrophe, with Flash vulnerability exposures rife throughout your client endpoint population. Otherwise, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education, that always works, right? I do not think so.

One problem is that some of your users have a job function to open attachments, such as PDF invoices sent to accounts payable departments, candidates' Microsoft Word resumes sent to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploitation described by FireEye in the blog post mentioned above:

Attackers had embedded the Flash exploit inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the cyber attackers might share their exploitation by means of URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors created this particular attack for a target using Windows and Microsoft Office.

Even if the Flash-averse enterprise had completely purged Flash enablement from all of its browsers, this exploit would still have succeeded. Completely eliminating Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF documents. That is certainly a step that should be taken, at a minimum, for those departments with a job function to open attachments from unsolicited emails. Extending outwards from there is a worthwhile configuration-hardening objective for the security-conscious enterprise.
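One way to answer the inventory question and check the Office side of the problem on a single Windows endpoint, as an added example (not the author's or Ziften's code): a read-only audit that lists Flash and QuickTime packages from the uninstall registry keys and reports whether the Office kill bit is set for the Flash ActiveX control. The display-name patterns are assumptions; the CLSID is the standard Shockwave Flash Object identifier and `COM Compatibility` is Microsoft's documented Office kill-bit location.

```powershell
# Added example: read-only audit for Flash/QuickTime on one Windows endpoint.
# The display-name patterns are assumptions; adjust them to your software inventory.
$namePatterns = 'Adobe Flash Player*', 'QuickTime*'

# 1. Installed packages, from both the 64-bit and 32-bit uninstall registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($namePatterns | Where-Object { $name -like $_ })
    } |
    Select-Object DisplayName, DisplayVersion, Publisher

# 2. Office kill bit for the Flash ActiveX control. Removing Flash from browsers
#    does not stop a Flash object embedded in an Office document from loading.
$flashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # Shockwave Flash Object
$killBit    = 0x400                                       # Office "do not load" flag
$officeKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$flashClsid",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$flashClsid"
)
$officeStatus = foreach ($key in $officeKeys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Key     = $key
        Flags   = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { 'not set' }
        Blocked = ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
    }
}

# 3. Is the Flash ActiveX control still registered for COM activation at all?
$comRegistered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$flashClsid"

# One JSON record per endpoint, suitable for collection by a management tool.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    InstalledPackages  = @($installed)
    FlashComRegistered = $comRegistered
    OfficeKillBit      = @($officeStatus)
} | ConvertTo-Json -Depth 4
```

Flash built into Internet Explorer or Edge, or bundled with Chrome, does not appear under the uninstall keys, and Click-to-Run Office may keep its kill-bit key under a different path, so an empty result here calls for further checks before the endpoint is counted as clean.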

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that devastates a major enterprise.
