Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO
Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Receive the Memo?
With Independence Day looming, a metaphor is in order: Flash is a bit like lighting fireworks. There may be less dangerous ways to do it, but the only sure way is simply not to. And with Flash, you needn’t fight pyromaniac urges to avoid it; just manage your endpoint configurations.
Why would you want to do this? Well, querying Google for “Flash vulnerability” returns thirteen million hits! Flash is old, finished, and overdue for retirement, as Adobe themselves put it:
Today [November 30, 2015], open standards such as HTML5 have actually developed and offer many of the abilities that Flash introduced… Looking ahead, we encourage content developers to develop with new web standards…
Run a vulnerability scanner across your endpoint population. See any mention of Flash? Yes, in the average business, zillions. Your adversaries know that too; they are counting on it. Thanks very much for your contribution! Just keep ignoring those pesky security bloggers, like Brian Krebs:
I would advise that if you use Flash, you ought to strongly think about removing it, or at a minimum hobbling it until and unless you require it.
Ignoring Brian Krebs’ guidance raises the chances your business’s data breach will be the feature story in one of his future blogs.
Flash Exploits: the Preferred Exploit Kit Ingredient
The endless list of Flash vulnerabilities grows longer with each new patch cycle. Nation-state adversaries and the better-resourced groups can call upon Flash zero-days. They aren’t hard to mine – turn a fuzzer loose on the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero-days, not to worry, there are plenty of newly published Flash Common Vulnerabilities and Exposures (CVEs) to draw upon before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.
A recent FireEye blog post illustrates this typical Flash vulnerability progression – from virgin zero-day to newly hatched CVE to prime enterprise exploit:
On May 8, 2016, FireEye detected an attack making use of a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the concern to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just 4 days later. (Published on the FireEye Threat Research Blog on May 13, 2016.)
As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a recognized vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.
Start a Flash and QuickTime Elimination Campaign
While we have not discussed QuickTime yet, Apple ended support for QuickTime on Windows in April 2016. This summarily triggered a panic in corporations with large numbers of Apple macOS and Windows clients. Do you eliminate all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions when there are numerous floating around?
By doing nothing, you flirt with disaster, with Flash vulnerability exposures swarming across your client endpoint environment. Otherwise, you can begin a Flash and QuickTime eradication campaign to move towards a Flash-free business. Or, wait, perhaps you tell your users not to readily open e-mail attachments or click links. User education, that always works, right? I don’t think so.
One problem is that some of your users have a job function that requires opening attachments: PDF invoices sent to accounts payable, applicants’ Microsoft Word resumes sent to recruiting, or legal notices sent to the legal department.
Let’s take a closer look at the Flash exploitation described by FireEye in the blog post cited above:
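The two questions above (is the CVE-2016-4117 exposure on this endpoint, and where are the unsupported QuickTime copies) can be answered from each Windows endpoint’s own Uninstall registry keys. The PowerShell below is an added example, not code from the original post or from Ziften; the registry paths are the standard Windows Uninstall keys, and $MinimumPatchedFlash is a placeholder that you must set to the fixed version named in Adobe’s APSB16-15 bulletin, which this page does not quote.

```powershell
# Added example, not from the original post: inventory Adobe Flash Player and
# QuickTime on a Windows endpoint and flag what an eradication campaign should act on.
# $MinimumPatchedFlash is a PLACEHOLDER: set it to the fixed version from APSB16-15.
param(
    [version]$MinimumPatchedFlash = [version]'0.0.0.0'
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$findings = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        $product = switch -Regex ($p.DisplayName) {
            'Adobe Flash Player' { 'Flash' }
            '^QuickTime'         { 'QuickTime' }
            default              { $null }
        }
        if (-not $product) { continue }
        # DisplayVersion is free text and may be empty; parse it defensively.
        $ver = $null
        $parsed = [version]::TryParse(("$($p.DisplayVersion)" -replace '[^\d.]', ''), [ref]$ver)
        $status = if ($product -eq 'QuickTime') {
            'REMOVE: unsupported on Windows since April 2016'
        } elseif (-not $parsed) {
            'REVIEW: version string unreadable'
        } elseif ($ver -lt $MinimumPatchedFlash) {
            'VULNERABLE: below APSB16-15 fixed version'
        } else {
            'PATCHED: still a removal candidate'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $product
            Name     = $p.DisplayName
            Version  = $ver
            Status   = $status
        }
    }
}

if ($findings) { $findings | Sort-Object Product, Name | Format-Table -AutoSize }
else { "No Flash Player or QuickTime entries found on $env:COMPUTERNAME" }
```

Run it through your endpoint management tool or Invoke-Command across the fleet and aggregate the Status column; anything other than an empty result is a line item for the campaign.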
Attackers had actually embedded the Flash exploit inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this configuration, the opponents could share their exploitation by means of URL or e-mail attachment. Although this vulnerability resides within Adobe Flash Player, threat actors developed this particular cyber attack for a target utilizing Windows and Microsoft Office.
Even if the Flash-averse enterprise had completely purged Flash from all of its various web browsers, this exploit would still have succeeded. Completely eradicating Flash requires purging it from all browsers and disabling its execution in Flash objects embedded within Office or PDF documents. Certainly that is a step that should be taken at least for those departments whose job function requires opening attachments from unsolicited e-mails. Extending outwards from there is a worthy configuration hardening objective for the security-conscious enterprise.
Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that devastates a major business.
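The Office side of that hardening step can be enforced with Microsoft’s COM “kill bit”: a Compatibility Flags value of 0x400 on the control’s CLSID stops Office from activating it inside an embedded object, and the same flag under the Internet Explorer ActiveX Compatibility key stops the browser from loading it. The PowerShell below is an added example, not code from the original post, Ziften or FireEye; the CLSID is the well-known Shockwave Flash Object class id, the key paths follow Microsoft’s documented COM security settings (verify them against your Office version), HKLM writes need an elevated session, and PDF reader settings are vendor-specific and not covered here.

```powershell
# Added example, not from the original post: set the COM kill bit for the Flash
# ActiveX control so Office documents and Internet Explorer cannot activate it.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$killBit    = 0x400                                        # "do not activate" flag

$targets = @(
    # Office COM object activation policy (per user profile)
    "HKCU:\Software\Microsoft\Office\Common\COM Compatibility\$flashClsid",
    # Internet Explorer ActiveX kill bit, 64-bit and 32-bit registry views
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
)

function Test-FlashKillBit {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
}

function Set-FlashKillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $killBit        # keep any flags already present
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

# Apply where missing, then report the resulting state of every key.
foreach ($t in $targets) {
    if (-not (Test-FlashKillBit $t)) { Set-FlashKillBit $t }
    [pscustomobject]@{ Key = $t; KillBitSet = (Test-FlashKillBit $t) }
}
```

Deploy the HKCU key through Group Policy Preferences or a logon script so every user profile in the attachment-handling departments receives it, and keep Test-FlashKillBit in your compliance checks so drift is detected.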