Charles Leaver – Adobe Flash Continues To Provide A Network Security Risk

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

Are you Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence day looming a metaphor is needed: Flash is a bit like lighting fireworks. There may be less dangerous methods to achieve it, but the only sure method is just to avoid it. And with Flash, you need not fight pyromaniac rises to avoid it, simply manage your endpoint setups.

 

Adobe1

 

Why would you want to do this? Well, performing a Google query for “Flash vulnerability” returns thirteen-million results! Flash is old and finished and ripe for retirement, as Adobe stated themselves:

Today [November 30, 2015], open standards like HTML5 have actually developed and provide much of the capabilities that Flash ushered in… Looking ahead, we encourage content developers to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the typical enterprise, zillions. Your enemies understand that likewise, they are depending on it. Thanks very much for your contribution! Simply continue to overlook those pesky security blog writers, like Brian Krebbs:

I would advise that if you use Flash, you ought to strongly consider removing it, or a minimum of hobbling it up until and unless you need it.

Ignoring Brian Krebs’ suggestions raises the chances your enterprise’s data breach will be the headline story in one of his future blog posts.
Adobe2

 

Flash Exploits: the Preferred Exploit Kit Component

The limitless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state cyber attackers and the much better resourced syndicates can call upon Flash zero days. They aren’t difficult to mine – release your fuzz tester versus the creaking Flash codebase and view them being presented. If an offending cyber group can’t call upon zero days, not to worry, there are plenty of newly released Flash Common Vulnerabilities and direct Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps giving.

A recent FireEye blog post exhibits this normal Flash vulnerability development – from virgin zero-day to freshly hatched CVE and prime business exploit:

On May 8, 2016, FireEye identified an attack making use of a formerly unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the problem to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 simply four days later on (Posted to FireEye Threat Research Blog on May 13, 2016).

As a rapid test then, inspect your vulnerability report for that entry, for CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploitation kits will find it. Be prepared.

Start a Flash and QuickTime Elimination Job

While we haven’t discussed QuickTime yet, Apple removed support for QuickTime on Windows in April, 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you get rid of all support for QuickTime? Including on macOS? Or simply Windows? How do you discover the unsupported variations – when there are many drifting around?

 

Adobe3

 

By not doing anything, you can flirt with disaster, with Flash vulnerability exposures rife throughout your client endpoint environment. Otherwise, you can begin a Flash and QuickTime elimination job to move to a Flash-free business. Or, wait, perhaps you inform your users not to glibly open e-mail attachments or click on links. User education, that constantly works, right? I don’t believe so.

One issue is that a few of your users work function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to hiring departments, or legal notifications sent out to legal departments.

Let’s take a more detailed look at the Flash exploit described by FireEye in the blog cited above:

Attackers had embedded the Flash exploitation inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the opponents might disseminate their exploit by means of URL or e-mail attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this specific attack for a target running Windows and Microsoft Office.

 

Adobe4

Even if the Flash-adverse enterprise had thoroughly purged Flash enablement from all their different internet browsers, this exploit would still have been successful. To completely eliminate Flash needs purging it from all web browsers and disabling its execution in ingrained Flash objects within Microsoft Office or PDF files. Definitely that is a step that should be taken at least for those departments with a task function to open attachments from unsolicited e-mails. And extending outwards from there is a worthy configuration solidifying objective for the security conscious enterprise.

Not to mention, we’re all waiting for the first post about QuickTime vulnerability which brings down a major enterprise.

ziften-flash-diagram-700x257