Adobe Flash Continues as an Enterprise Security Nemesis

by Kim Foster

July 11, 2016

access_time 7 min read

Still Supporting Adobe Flash and Apple QuickTime for Windows? Didn’t Get the Memo?

On the heels of Independence Day, there is a good time for a metaphor: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is just to avoid it. And with Flash, you needn’t fight pyromaniac surges to abstain from it, just manage your endpoint configurations.

Why would you wish to do this? Well, Googling “Flash vulnerability” returns thirteen-million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards like HTML5 have matured and provide many of the capabilities that Flash ushered in. … Looking ahead, we encourage content creators to build with new web standards…

Link source: https://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the average enterprise, zillions. Your attackers know that also, they are counting on it. Just continue to ignore those pesky security bloggers, like Brian Krebbs:

I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it.

Link source: http://krebsonsecurity.com/2015/08/adobe-ms-push-patches-oracle-drops-drama/#more-31884

Ignoring Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blogs.

Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression—from virgin zero-day to freshly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a quick test then, check your vulnerability report for that entry, for CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

Start a Flash and QuickTime Eradication Project

While we haven’t talked about QuickTime yet, Apple removed support for QuickTime on Windows in April, 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions – when there are many floating around?

QT-Flash 1

By doing nothing, you can flirt with disaster, with Flash vulnerability exposures rife across your client endpoint population. Otherwise, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education, that always works, right? Hmmm.

One problem is that some of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog cited above:

Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.

QT-Flash 4

Even if the Flash-adverse enterprise had thoroughly purged Flash enablement from all their various browsers, this exploit would still have succeeded. To fully eradicate Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. Certainly that is a step that should be taken at least for those departments with a job function to open attachments from unsolicited emails. And extending outwards from there is a worthy configuration hardening goal for the security-conscious enterprise.

Not to mention, we’re all waiting for the first post about QuickTime vulnerability which brings down a major enterprise.

How Ziften Works

Adobe Flash diagram