Charles Leaver – Network Security And Adobe Flash Don’t Mix

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Are you Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence day looming a metaphor is required: Flash is a bit like lighting fireworks. There might be less dangerous methods to achieve it, but the only sure method is just to avoid it. And with Flash, you needn’t combat pyromaniac surges to abstain from it, simply manage your endpoint configurations.

Adobe1

Why would you wish to do this? Well, performing a Google query for “Flash vulnerability” returns thirteen-million results! Flash is old and finished and overdue for retirement, as Adobe stated themselves:

Today [November 30, 2015], open standards like HTML5 have actually matured and offer much of the abilities that Flash ushered in… Looking ahead, we encourage content creators to build with brand-new web standards…

Run a vulnerability scanner throughout your endpoint population. See any Flash indication? Yes, in the typical business, zillions. Your opponents know that likewise, they are relying on it. Thanks very much for your contribution! Just continue to ignore those annoying security bloggers, like Brian Krebbs:

I would recommend that if you utilize Flash, you need to highly think about removing it, or a minimum of hobbling it until and unless you require it.

Neglecting Brian Krebs’ recommendations raises the possibilities your enterprise’s data breach will be the headline story in one of his future blog posts.

Adobe2

 

Flash Exploits: the Preferred Exploit Set Active ingredient

The unlimited list of Flash vulnerabilities continues to lengthen with each brand-new patch cycle. Nation state cyber attackers and the much better resourced groups can call upon Flash zero days. They aren’t difficult to mine – launch your fuzz tester against the creaking Flash codebase and view them roll out. If an offending cyber team cannot call upon zero days, not to fret, there are plenty of newly provided Flash Common Vulnerabilities and direct Exposures (CVE) to draw upon, prior to enterprise patch cycles are brought up to date. For exploit set authors, Flash is the present that keeps on giving.

A recent FireEye blog exhibits this common Flash vulnerability development – from virgin zero-day to newly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the concern to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 simply 4 days later on (Posted to FireEye Threat Research Blog on May 13, 2016).

As a rapid test then, inspect your vulnerability report for that entry, for CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it ended up being a known vulnerability. Now that it is understood, popular exploit packages will locate it. Be sure you are ready.

Start a Flash and QuickTime Removal Project

While we haven’t spoken about QuickTime yet, Apple removed support for QuickTime on Windows in April, 2016. This summarily triggered a panic in corporations with great deals of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you discover the unsupported variations – when there are numerous drifting around?

Adobe3

By not doing anything, you can flirt with catastrophe, with Flash vulnerability direct exposures swarming across your client endpoint environment. Otherwise, you can start a Flash and QuickTime obliteration job to move towards a Flash-free business. Or, wait, possibly you educate your users not to glibly open e-mail attachments or click links. User education, that constantly works, right? I don’t think so.

One issue is that a few of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or candidate Microsoft Word resumes to recruiting departments, or legal notices sent out to legal departments.

Let’s take a more detailed look at the Flash exploit described by FireEye in the blog pointed out above:

Attackers had embedded the Flash exploit inside a Microsoft Office doc, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this configuration, the enemies could share their exploitation via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors created this particular attack for a target using Windows and Microsoft Office.

Adobe4

Even if the Flash-adverse enterprise had completely purged Flash enablement from all their various web browsers, this exploitation would still have actually been successful. To fully eradicate Flash needs purging it from all internet browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. Definitely that is a step that should be taken at least for those departments with a task function to open attachments from unsolicited emails. And extending outwards from there is a worthy configuration solidifying goal for the security conscious business.

Not to mention, we’re all awaiting the first post about QuickTime vulnerability which brings down a major business.

ziften-flash-diagram-700x257