Monthly Archives: July 2016

Supporting Adobe Flash Is A Security Risk For Your Enterprise – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence Day looming, a metaphor is required: Flash is a bit like lighting fireworks. There might be less risky ways to do it, but the only sure way is to avoid it altogether. And with Flash, you needn't battle pyromaniac urges to abstain from it; simply manage your endpoint configurations.


Why would you want to do this? Well, querying Google for “Flash vulnerability” returns 13 million hits! Flash is old and spent and ready for retirement, as Adobe itself has said:

Today [November 30, 2015], open standards such as HTML5 have actually grown and provide many of the abilities that Flash introduced… Looking ahead, we encourage content creators to build with new web standards…

Run a vulnerability scanner across your endpoint population. See any mention of Flash? Yes, in the average business, zillions. Your attackers know that too, and they are counting on it. Thanks for your contribution! Just keep ignoring those pesky security bloggers, like Brian Krebs:

I would recommend that if you utilize Flash, you should strongly think about removing it, or at least hobbling it till and unless you need it.

Ignoring Brian Krebs’ advice raises the chances that your business’s data breach will be the headline story in one of his future blog posts.

 


Flash Exploits: the Preferred Exploit Kit Ingredient

The seemingly endless list of Flash vulnerabilities keeps growing with each new patch cycle. Nation-state attackers and the better-resourced groups can call upon Flash zero days. They aren’t difficult to mine: point a fuzz tester at the creaking Flash codebase and watch them roll out. If an attacking group cannot call upon zero days, not to worry, there are plenty of newly published Flash Common Vulnerabilities and Exposures (CVEs) to bring into play before business patch cycles catch up. For exploit kit authors, Flash is the gift that keeps giving.

A recent FireEye blog post illustrates this typical Flash vulnerability progression, from virgin zero-day to newly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye identified an attack exploiting a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the concern to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 simply four days later (Published to FireEye Threat Research Blog site on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

Start a Flash and QuickTime Elimination Campaign

While we have not discussed QuickTime yet, Apple removed support for QuickTime on Windows in April 2016. This promptly triggered a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Also on macOS? Or just Windows? How do you discover the unsupported versions when there are lots of them floating around?

 


By doing nothing, you can flirt with disaster, with Flash vulnerability exposures rife across your client endpoint environment. Otherwise, you can begin a Flash and QuickTime elimination campaign to move to a Flash-free business. Or, wait, perhaps you educate your users not to glibly open email attachments or click on links. User education, that always works, right? I do not think so.

One problem is that some of your users have a job function that requires them to open attachments, such as PDF invoices sent to accounts payable departments, candidate resumes in Microsoft Word sent to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog post cited above:

Attackers had actually embedded the Flash exploitation inside a Microsoft Office doc, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this setup, the hackers could distribute their exploitation by means of URL or e-mail attachment. Although this vulnerability lives within Adobe Flash Player, threat actors designed this particular attack for a target using Windows and Microsoft Office.

 


Even if the Flash-averse business had completely purged Flash enablement from all of its browsers, this exploit would still have succeeded. Getting rid of Flash completely requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. That is certainly a step that should be taken at least for those departments with a job function to open attachments from unsolicited emails. Extending outwards from there is a worthwhile configuration hardening objective for the security-conscious enterprise.
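
To find documents that would still load Flash after the browsers are cleaned up, a mail gateway or file share can be checked for Office files that embed the Flash ActiveX control. The following is an added example, not code from Ziften or FireEye; it relies on the well-known class ID of the Shockwave Flash control, the sample document is constructed in memory, and the size cap is an assumed value.

```python
import io
import uuid
import zipfile

# Class ID of the Shockwave Flash ActiveX control (the well-known value
# used to instantiate Flash as an embedded object).
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
_TEXT = str(FLASH_CLSID).upper()
NEEDLES = {
    "clsid-text": _TEXT.encode("ascii"),       # XML parts of OOXML files
    "clsid-utf16": _TEXT.encode("utf-16-le"),  # wide strings in binaries
    "clsid-binary": FLASH_CLSID.bytes_le,      # raw GUID in OLE storage
}
MAX_PART = 50 * 1024 * 1024  # assumed cap so a zip bomb is not inflated

def _hits(blob):
    """Names of the CLSID encodings present in one byte string."""
    upper = blob.upper()  # text forms may use lower-case hex digits
    return [name for name, needle in NEEDLES.items()
            if needle in (blob if name == "clsid-binary" else upper)]

def find_flash_controls(data):
    """Scan one document's bytes; return [(part, finding), ...]."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy OLE .doc/.xls/.ppt: search the flat file.
        return [("<raw>", h) for h in _hits(data)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # .docx/.xlsx/.pptx
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                findings.append((info.filename, "oversized-part-skipped"))
                continue
            findings += [(info.filename, h) for h in _hits(zf.read(info))]
    return findings

def sample_docx(with_flash):
    """Constructed sample: a minimal ZIP laid out like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml", '<ax:ocx ax:classid='
                        '"{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>')
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, find_flash_controls(sample_docx(flag)))
```

A hit means the document references the Flash control, not that it is malicious; it identifies files that depend on Flash being enabled inside Office.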

Not to mention, we’re all awaiting the first post about a QuickTime vulnerability that devastates a major business.

 
