Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO
Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?
With Independence day looming a metaphor is needed: Flash is a bit like firework lighting. There may be less risky ways to achieve it, but the only sure method is just to prevent it. And with Flash, you need not fight pyromaniac rises to avoid it, just handle your endpoint setups.
Why would you want to do this? Well, querying Google for “Flash vulnerability” returns 13 million hits! Flash is old and finished and ready for retirement, as Adobe stated themselves:
Today [November 30, 2015], open standards like HTML5 have actually grown and offer a number of the abilities that Flash ushered in… Looking forward, we encourage content creators to develop with new web standards…
Run a vulnerability scanner throughout your endpoint population. See any Flash mention? Yes, in the typical enterprise, zillions. Your cyber attackers know that also, they are depending on it. Thank you for your contribution! Just continue to ignore those bothersome security blog writers, like Brian Krebbs:
I would suggest that if you use Flash, you should strongly think about removing it, or a minimum of hobbling it until and unless you need it.
Disregarding Brian Krebs’ recommendations raises the chances your enterprise’s data breach will be the feature story in one of his future posts.
Flash Exploits: the Preferred Exploit Set Component
The limitless list of Flash vulnerabilities continues to lengthen with each brand-new patch cycle. Nation state cyber attackers and the better resourced groups can call upon Flash zero days. They aren’t tough to mine – launch your fuzz tester against the creaking Flash codebase and view them roll out. If an offensive cyber group can’t call upon zero days, not to fret, there are plenty of freshly released Flash Common Vulnerabilities and direct Exposures (CVE) to bring into play, before enterprise patch cycles catch up. For exploit package authors, Flash is the gift that continues to give.
A current FireEye blog post exhibits this common Flash vulnerability development – from virgin zero-day to newly hatched CVE and prime enterprise exploit:
On May 8, 2016, FireEye detected an attack making use of a formerly unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).
As a rapid test then, check your vulnerability report for that entry, for CVE-2016-4117. It was used in targeted attacks as a zero day even before it ended up being a known vulnerability. Now that it is understood, popular exploit kits will pick it up. Be sure you are ready.
Start a Flash and QuickTime Eradication Campaign
While we have not discussed QuickTime yet, Apple got rid of support for QuickTime on Windows in April, 2016. This summarily triggered a panic in corporations with great deals of Apple macOS and Windows clients. Do you get rid of all support for QuickTime? Including on macOS? Or simply Windows? How do you discover the unsupported versions – when there are numerous drifting around?
By not doing anything, you can flirt with catastrophe, with Flash vulnerability direct exposures swarming across your client endpoint environment. Otherwise, you can begin a Flash and QuickTime eradication project to move to a Flash-free business. Or, wait, possibly you inform your users not to glibly open e-mail attachments or click links. User education, that constantly works, right? I do not believe so.
One issue is that a few of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent out to legal departments.
Let’s take a closer look at the Flash exploitation explained by FireEye in the blog post mentioned above:
Attackers had embedded the Flash exploitation inside a Microsoft Office document, which was then hosted on their web server, and utilized a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the opponents could disseminate their exploitation by means of URL or email attachment. Although this vulnerability resides within Adobe Flash Player, risk actors designed this particular attack for a target operating Windows and Microsoft Office.
Even if the Flash-adverse business had actually thoroughly purged Flash enablement from all their various browsers, this exploitation would still have been successful. To completely get rid of Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF files. Certainly that is a step that needs to be taken at least for those departments with a task function to open attachments from unsolicited emails. And extending outwards from there is a deserving configuration solidifying objective for the security conscious business.
Not to mention, we’re all awaiting the first post about QuickTime vulnerability which brings down a significant enterprise.