Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO
Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?
With Independence Day looming, a metaphor is needed: Flash is a bit like lighting fireworks. There may be less dangerous ways to do it, but the only sure way is simply to avoid it. And with Flash, you need not fight pyromaniac urges to abstain from it; you just manage your endpoint configurations.
Why would you want to do this? Well, querying Google for “Flash vulnerability” returns thirteen million hits! Flash is old and spent and ripe for retirement, as Adobe itself put it:
Today [November 30, 2015], open standards such as HTML5 have matured and supply a number of the abilities that Flash introduced… Looking ahead, we encourage content developers to build with brand-new web standards…
Run a vulnerability scanner across your endpoint population. See any sign of Flash? Yes, in the typical business, zillions. Your attackers know that too, and they are relying on it. Thank you for contributing! Just continue to ignore those bothersome security bloggers, like Brian Krebs:
I would suggest that if you use Flash, you must strongly consider removing it, or at least hobbling it till and unless you need it.
Ignoring Brian Krebs’ advice raises the chances that your business’s data breach will be the feature story in one of his future blog posts.
Flash Exploits: the Preferred Exploit Kit Ingredient
The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation-state attackers and the better-resourced groups can call upon Flash zero days. They aren’t difficult to mine: launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) entries to bring into play before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.
A recent FireEye blog post illustrates this typical Flash vulnerability progression, from virgin zero-day to freshly hatched CVE and prime business exploit:
On May 8, 2016, FireEye spotted an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the problem to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just four days later. (Published to FireEye Risk Research Blog on May 13, 2016.)
As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.
Start a Flash and QuickTime Eradication Project
While we haven’t spoken about QuickTime yet, Apple dropped support for QuickTime on Windows in April 2016. This promptly triggered a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Also on macOS? Or just Windows? How do you find the unsupported versions when there are lots of them floating around?
By doing nothing, you flirt with catastrophe, with Flash vulnerability exposures swarming across your client endpoint environment. Alternatively, you can start a Flash and QuickTime elimination project to move towards a Flash-free enterprise. Or, wait, perhaps you tell your users not to readily open email attachments or click links. User education, that always works, right? I don’t think so.
One problem is that some of your users have a job function that requires opening attachments: PDF invoices sent to accounts payable departments, candidates’ Microsoft Word resumes sent to recruiting departments, or legal notices sent to legal departments.
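One way to turn a software inventory into an eradication work list is sketched below. This is an added example, not code from the original post: the CSV columns, host names, versions and finding labels are all constructed for illustration, and the department list is taken from the paragraph above.

```python
import csv
import io

# Constructed sample of a software-inventory export (not real data).
SAMPLE_INVENTORY = """host,os,department,product,version
ap-ws-01,Windows,Accounts Payable,Adobe Flash Player 21 ActiveX,21.0.0.213
ap-ws-01,Windows,Accounts Payable,QuickTime 7,7.7.9
hr-ws-07,Windows,Recruiting,Adobe Flash Player 21 NPAPI,21.0.0.213
eng-mac-03,macOS,Engineering,QuickTime Player,10.4
eng-ws-11,Windows,Engineering,Adobe Flash Player 21 PPAPI,21.0.0.213
legal-ws-02,Windows,Legal,7-Zip,16.02
"""

# Departments the article names as having to open unsolicited attachments.
ATTACHMENT_DEPARTMENTS = {"accounts payable", "recruiting", "legal"}


def classify(os_name, product):
    """Return a finding label for one inventory row, or None if out of scope."""
    name = product.lower()
    if "flash player" in name:
        # The ActiveX build is the one Office documents and IE can load.
        return "flash-activex" if "activex" in name else "flash-browser-plugin"
    if "quicktime" in name:
        # Apple ended QuickTime support on Windows only; macOS is a policy call.
        return "quicktime-unsupported" if os_name.lower() == "windows" else "quicktime-review"
    return None


def build_worklist(inventory_csv):
    """Return findings sorted so attachment-handling departments come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        label = classify(row["os"], row["product"])
        if label is None:
            continue
        urgent = row["department"].lower() in ATTACHMENT_DEPARTMENTS
        findings.append((0 if urgent else 1, row["host"], label, row["product"], row["version"]))
    return sorted(findings)


if __name__ == "__main__":
    for priority, host, label, product, version in build_worklist(SAMPLE_INVENTORY):
        print(f"P{priority} {host:12} {label:22} {product} {version}")
```

On Windows 8 and later the Flash ActiveX control shipped as part of the operating system for Internet Explorer and Edge, so an installed-programs inventory alone can miss it.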
Let’s take a closer look at the Flash exploit described by FireEye in the blog post mentioned above:
Attackers had actually embedded the Flash exploitation inside a Microsoft Office document, which they then hosted on their web server, and utilized a Dynamic DNS (DDNS) domain to reference the doc and payload. With this setup, the enemies might share their exploit by means of URL or email attachment. Although this vulnerability lives within Adobe Flash Player, threat actors created this particular cyber attack for a target operating Windows and Microsoft Office.
Even if the Flash-averse enterprise had thoroughly purged Flash enablement from all of its browsers, this exploit would still have succeeded. Completely removing Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. That is certainly a step that should be taken at least for those departments with a job function to open attachments from unsolicited emails. Extending outwards from there is a worthwhile configuration hardening goal for the security-conscious enterprise.
Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that devastates a major business.
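A check for the Office side of that purge, as an added example that is not part of the original post: it parses a registry export and reports whether the Flash ActiveX control is kill-bitted for Office. It assumes the Office COM kill-bit locations under `Office\Common\COM Compatibility` (native and WOW6432Node); the sample export is constructed.

```python
import re

FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"  # Shockwave Flash ActiveX control
KILL_BIT = 0x400  # "Compatibility Flags" bit that blocks COM activation

# Assumed Office COM kill-bit locations (native, and 32-bit Office on 64-bit Windows).
OFFICE_KEYS = {
    "office-native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility",
    "office-wow64": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility",
}

# Constructed .reg export from one endpoint (not real data): the native key is
# hardened, the WOW6432Node key that 32-bit Office reads is not.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{d27cdb6e-ae6d-11cf-96b8-444553540000}]
"Compatibility Flags"=dword:00000000
"""

def parse_reg(text):
    """Map upper-cased key path -> {value name: int} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def flash_blocked_in_office(reg_text):
    """Return {location: True/False}; a missing key or flag counts as not blocked."""
    keys = parse_reg(reg_text)
    result = {}
    for label, base in OFFICE_KEYS.items():
        flags = keys.get(f"{base}\\{FLASH_CLSID}".upper(), {}).get("Compatibility Flags", 0)
        result[label] = bool(flags & KILL_BIT)
    return result

if __name__ == "__main__":
    for location, blocked in flash_blocked_in_office(SAMPLE_REG).items():
        print(f"{location}: {'blocked' if blocked else 'NOT blocked'}")
```

`reg export` writes UTF-16 text, so decode the file before passing its contents in.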