Chuck Leaver – Don’t Let Adobe Flash Be A Security Threat To Your Organization

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

 

Are you Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence day looming a metaphor is required: Flash is a bit like firework lighting. There might be less risky methods to do it, but the only sure method is simply to avoid it. And with Flash, you needn’t fight pyromaniac rises to avoid it, just handle your endpoint setups.

 

Adobe1

 

Why would you wish to do this? Well, querying Google for “Flash vulnerability” returns 13 million results! Flash is old and finished and overdue for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards such as HTML5 have actually developed and supply many of the abilities that Flash introduced… Looking forward, we encourage content developers to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the typical enterprise, zillions. Your enemies understand that likewise, they are depending on it. Thanks very much for your contribution! Just continue to neglect those bothersome security bloggers, like Brian Krebbs:

I would recommend that if you use Flash, you need to highly consider removing it, or a minimum of hobbling it up until and unless you require it.

Disregarding Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blog posts.

 

Adobe2

 

Flash Exploits: the Preferred Exploit Kit Active ingredient

The limitless list of Flash vulnerabilities continues to extend with each brand-new patch cycle. Nation state enemies and the much better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – introduce your fuzz tester versus the creaking Flash codebase and watch them being presented. If an offensive cyber team cannot call upon zero days, not to fret, there are lots of newly issued Flash Common Vulnerabilities and direct Exposures (CVE) to bring into play, prior to business patch cycles are brought up to date. For exploit package authors, Flash is the present that keeps on giving.

A recent FireEye blog exemplifies this normal Flash vulnerability progression – from virgin zero-day to newly hatched CVE and prime business exploit:

On May 8, 2016, FireEye detected an attack exploiting a formerly unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the concern to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later on (Published to FireEye Threat Research Blog site on May 13, 2016).

As a quick test then, check your vulnerability report for that entry, for CVE-2016-4117. It was utilized in targeted attacks as a zero day even before it became a recognized vulnerability. Now that it is known, popular exploit packages will pick it up. Be prepared.

Start a Flash and QuickTime Obliteration Job

While we haven’t spoken about QuickTime yet, Apple eliminated support for QuickTime on Windows in April, 2016. This summarily set off a panic in corporations with great deals of Apple macOS and Windows clients. Do you get rid of all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions – when there are numerous floating around?

 

Adobe3

By doing nothing, you can flirt with catastrophe, with Flash vulnerability direct exposures swarming across your client endpoint environment. Otherwise, you can begin a Flash and QuickTime eradication campaign to move to a Flash-free enterprise. Or, wait, possibly you educate your users not to glibly open e-mail attachments or click on links. User education, that always works, right? I do not believe so.

One issue is that a few of your users have a job function to open attachments, such as PDF billings to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent out to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog mentioned above:

Attackers had actually embedded the Flash exploitation inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this configuration, the hackers might distribute their exploit through URL or e-mail attachment. Although this vulnerability resides within Adobe Flash Player, risk actors designed this specific cyber attack for a target operating Windows and Microsoft Office.

 

Adobe4

 

Even if the Flash-adverse business had actually completely purged Flash enablement from all their numerous internet browsers, this exploitation would still have prospered. To fully remove Flash requires purging it from all web browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. Certainly that is a step that must be taken as a minimum for those departments with a task function to open attachments from unsolicited emails. And extending outwards from there is a worthy setup solidifying objective for the security-conscious business.

Not to mention, we’re all awaiting the first post about QuickTime vulnerability which brings down a significant business.

ziften-flash-diagram-700x257