Written by Dr. Al Hartmann and presented by Charles Leaver, Ziften CEO
Are You Still Running Apple QuickTime and Adobe Flash for Windows? Didn't You Get the Memo?
With Independence Day looming, a metaphor is in order: Flash is a bit like setting off fireworks. There are safer ways to do it, but the only sure way is not to do it at all. And with Flash you needn't fight any pyromaniac urges to abstain; you just need to manage your endpoint configurations.
Why would you want to do this? Well, a Google search for "Flash vulnerability" returns thirteen million results. Flash is old, done, and ready for retirement, as Adobe themselves put it:
Today [November 30, 2015], open standards like HTML5 have matured and offer many of the capabilities that Flash introduced… Looking forward, we encourage content creators to develop with new web standards…
Run a vulnerability scanner across your endpoint population. See any Flash findings? In the typical enterprise, yes, plenty. Your attackers know that too; they are counting on it. Thanks for contributing! Just keep ignoring those annoying security bloggers, like Brian Krebs:
I would advise that if you use Flash, you must strongly consider removing it, or at least hobbling it until and unless you need it.
Ignoring Brian Krebs' advice increases the chances that your company's data breach will be the headline in one of his future posts.
Flash Exploits: the Preferred Exploit Kit Ingredient
The endless list of Flash vulnerabilities grows with every patch cycle. Nation-state adversaries and the better-resourced criminal groups can call on Flash zero-days, and those are not hard to mine: point a fuzzer at the creaking Flash codebase and watch them roll out. If an attacking group cannot call on zero-days, no matter; there are plenty of freshly published Flash CVEs (Common Vulnerabilities and Exposures entries) to put to use in the window before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.
A recent FireEye blog post illustrates the typical Flash vulnerability life cycle, from fresh zero-day to newly minted CVE to staple enterprise exploit:
On May 8, 2016, FireEye detected an attack making use of a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (published to the FireEye Threat Research Blog on May 13, 2016).
As a quick test, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero-day before it was a known vulnerability at all. Now that it is known, the popular exploit kits will pick it up. Make sure you are ready.
Start a Flash and QuickTime Eradication Campaign
We have not said anything about QuickTime yet, but Apple ended support for QuickTime on Windows in April 2016. That promptly set off a scramble in corporations with large mixed populations of Apple macOS and Windows clients. Do you remove QuickTime everywhere? Including on macOS? Or only on Windows? And how do you find the unsupported versions when there are so many floating around?
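The two questions above, "do we have Flash findings on our endpoints" and "how do we find the QuickTime for Windows installs", can be answered with one inventory script. The following is an added example written for this page, not code from the original post or from Ziften. It reads the per-machine Add/Remove Programs registry entries and the Macromed\Flash directories on a Windows endpoint and labels each hit with the action to take. The Flash version threshold 21.0.0.242 is my reading of the APSB16-15 bulletin as the first Windows build that fixes CVE-2016-4117; verify it against the bulletin before relying on it.

```powershell
# Added example, not from the original post: inventory Adobe Flash Player and
# Apple QuickTime on a Windows endpoint and say what to do about each finding.
# Runs locally; the usage note shows how to fan it out with Invoke-Command.

function Get-RiskyMediaPlugins {
    [CmdletBinding()]
    param()

    # Assumption: 21.0.0.242 is the first Windows Flash Player build carrying the
    # APSB16-15 fix for CVE-2016-4117. Confirm against the Adobe bulletin.
    $flashFixedVersion = [version]'21.0.0.242'

    # Per-machine Add/Remove Programs entries: native view plus the 32-bit view on 64-bit Windows.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $findings = @()

    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Flash Player|QuickTime' }

    foreach ($app in $apps) {
        $ver = $null
        [void][version]::TryParse([string]$app.DisplayVersion, [ref]$ver)
        if ($app.DisplayName -match 'QuickTime') {
            $action = 'Remove: QuickTime for Windows has been unsupported since April 2016'
        } elseif ($ver -and $ver -lt $flashFixedVersion) {
            $action = "Patch or remove: older than $flashFixedVersion, CVE-2016-4117 unfixed"
        } else {
            $action = 'Remove: no business need for Flash'
        }
        $findings += [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Product = $app.DisplayName
            Version = [string]$app.DisplayVersion
            Source  = 'Uninstall registry'
            Action  = $action
        }
    }

    # The Flash ActiveX (Flash*.ocx) and NPAPI (NPSWF*.dll) binaries survive a
    # botched uninstall, so check the file system too. 64-bit Windows keeps the
    # 32-bit copies under SysWOW64.
    $flashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
                   "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $flashDirs) {
        $binaries = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(Flash.*\.ocx|NPSWF.*\.dll)$' }
        foreach ($bin in $binaries) {
            # Build the version from the numeric parts; the FileVersion string is
            # comma-separated in Adobe's binaries and does not parse as [version].
            $vi  = $bin.VersionInfo
            $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $action = if ($ver -lt $flashFixedVersion) {
                "Patch or remove: older than $flashFixedVersion, CVE-2016-4117 unfixed"
            } else {
                'Remove: no business need for Flash'
            }
            $findings += [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Product = $bin.Name
                Version = $ver.ToString()
                Source  = $dir
                Action  = $action
            }
        }
    }

    return $findings
}

# Local run: one row per Flash or QuickTime artefact found on this machine.
Get-RiskyMediaPlugins | Format-Table -AutoSize
```

To run it across a fleet, pass the function body to PowerShell remoting, for example `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-RiskyMediaPlugins} | Export-Csv .\flash-quicktime-inventory.csv -NoTypeInformation` (the hosts file is yours to supply). The function keeps its constants inside its own body for exactly that reason: a script block shipped to a remote host cannot see variables defined at the top of your local script. Per-user installs under HKCU and browser-bundled copies of Flash (Chrome's PPAPI plugin, for instance) are outside this inventory and need their own check.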
Do nothing and you court disaster, with Flash vulnerability exposures spread across your client endpoint population. Or start a Flash and QuickTime eradication campaign and move toward a Flash-free enterprise. Or, wait, perhaps just tell your users not to casually open e-mail attachments or click on links. User education always works, right? I don't think so.
One problem is that some of your users have a job function that requires opening attachments: PDF invoices sent to accounts payable, Microsoft Word résumés sent to recruiting, legal notices sent to the legal department.
Let's take a closer look at the Flash exploit described by FireEye in the blog post mentioned above:
Attackers had embedded the Flash exploit inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this setup, the attackers could distribute their exploit through a URL or an email attachment. Although this vulnerability lives within Adobe Flash Player, threat actors designed this particular attack for a target using Windows and Microsoft Office.
Even if a Flash-averse enterprise had completely purged Flash from every one of its many browsers, this exploit would still have succeeded, because the Office document instantiates the Shockwave Flash ActiveX control directly rather than going through a browser plugin. Fully removing Flash therefore means purging it from all browsers and also disabling its execution for Flash objects embedded in Microsoft Office and PDF documents. That is the minimum for departments whose job function is to open attachments from unsolicited e-mail, and extending it outward from there is a worthwhile configuration-hardening goal for the security-conscious enterprise.
And of course we are all waiting for the first post about a QuickTime vulnerability that takes down a major company.
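The embedded-object gap described above is closed with two registry settings rather than a browser uninstall. What follows is an added example written for this page, not Ziften's code or anything from the FireEye post. It sets the ActiveX kill-bit (Compatibility Flags 0x400, documented in Microsoft KB 240797) on the Shockwave Flash control's CLSID, which Internet Explorer and Office consult before instantiating a control, and sets the Adobe Reader DC FeatureLockDown value bEnableFlash to 0, which I take from Adobe's preference reference as the switch for Flash content in PDFs; confirm that key and value name for the Reader version you deploy. The Test function is there so the change can be audited, which is the part a practitioner actually needs.

```powershell
# Added example, not from the original post: block Flash where the browser purge
# does not reach (Flash objects embedded in Office and PDF documents) and audit
# the result. Run from an elevated prompt; the HKLM writes need administrator rights.

# CLSID of the Shockwave Flash ActiveX control, the object an Office document embeds.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
# Kill-bit flag (COMPAT_FLAGS 0x400), as documented in Microsoft KB 240797.
$KillBit = 0x400

# The IE ActiveX Compatibility list is consulted by Internet Explorer and, when a
# document tries to instantiate an ActiveX control, by Office. The WOW6432Node
# copy covers 32-bit Office and IE on 64-bit Windows.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

# Assumption: the bEnableFlash lockdown value disables Flash content in Adobe
# Reader DC. Confirm the key and value name in Adobe's preference reference for
# the Reader version you deploy.
$ReaderLockdownKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

function Disable-FlashEmbedding {
    # Set the kill-bit for the Flash control and lock Flash off in Reader.
    foreach ($key in $KillBitKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $KillBit -Type DWord
    }
    if (-not (Test-Path $ReaderLockdownKey)) { New-Item -Path $ReaderLockdownKey -Force | Out-Null }
    Set-ItemProperty -Path $ReaderLockdownKey -Name 'bEnableFlash' -Value 0 -Type DWord
}

function Test-FlashEmbedding {
    # One row per setting. Compliant = False means that path can still load Flash.
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $present = $null -ne $flags
        $valueText = '<absent>'
        if ($present) { $valueText = '0x{0:X}' -f $flags }
        [pscustomobject]@{
            Setting   = "$key\Compatibility Flags"
            Value     = $valueText
            Compliant = $present -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
    $enableFlash = (Get-ItemProperty -Path $ReaderLockdownKey -Name 'bEnableFlash' -ErrorAction SilentlyContinue).bEnableFlash
    $present = $null -ne $enableFlash
    $valueText = '<absent>'
    if ($present) { $valueText = [string]$enableFlash }
    [pscustomobject]@{
        Setting   = "$ReaderLockdownKey\bEnableFlash"
        Value     = $valueText
        Compliant = $present -and ($enableFlash -eq 0)
    }
}

Disable-FlashEmbedding
Test-FlashEmbedding | Format-Table -AutoSize
```

Every row of the audit should read Compliant True; a False row is a host where an Office or PDF attachment can still reach Flash. For a fleet, push the same three values through Group Policy Preferences rather than a login script, and keep the Test function in your compliance checks, since the kill-bit is a single DWORD that any later installer or "fix" can silently clear. Note what this does not cover: Chrome's PPAPI and Firefox's NPAPI Flash plugins do not consult the IE kill-bit, so the browser side of the eradication campaign is still an uninstall job.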