By Al Hartmann

Enterprise Hardening Tip: Banish Adobe Flash

Get Tough or Get Hacked.

Highly skilled cyber attack teams have targeted and are targeting your enterprise.  Your vast endpoint population is the most common point of entry for skilled attack organizations. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and rife with vulnerability exposures, and are operated by marginally trained, credulous users—the perfect target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often remarks at industry symposia: “How many of the Fortune 500 are hacked right now? The answer: 500.”

And how long did it take to penetrate your enterprise? White hat hackers performing penetration testing or red team exercises typically compromise target enterprises within the first few hours, even though ethically and legally restrained in their methods.  Black hat or state sponsored hackers may achieve penetration even more quickly and secure their presence indefinitely. Given average attacker dwell periods measured in hundreds of days, the time-to-penetration is negligible, not an impediment.

// Exploit Kits

The industrialization of hacking has created a black market for attack tools, including a variety of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to cyber attackers on the dark web, with dozens of exploit kit families and vendors. An exploit kit operates by assessing the software configuration on the endpoint, identifying exposed vulnerabilities, and applying an exploit to a vulnerability exposure.

A relative handful of commonly deployed endpoint software accounts for the bulk of exploit kit targeted vulnerabilities. This results from the sad reality that complex software applications tend to exhibit a continual flow of vulnerabilities that leave them continually vulnerable. Each patch release cycle the exploit kit developers will download the latest security patches, reverse engineer them to discover the underlying vulnerabilities, and update their exploit kits.  This will often be done more quickly than enterprises apply patches, with some vulnerabilities remaining unpatched and ripe for exploitation even years after a patch is issued.

// Adobe Flash

Prior to widespread adoption of HTML 5, Adobe Flash was the most commonly used software for rich Internet content.  Even with increasing adoption of HTML 5, legacy Adobe Flash maintains a significant following, maintaining its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report analyzes 22 exploit kits to understand the most frequently exploited software. We looked for trends within the exploitation of vulnerabilities by these 22 kits to show what vulnerabilities had been exploited most widely, coupled with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited pertaining to this software.

With relative consistency, dozens of fresh vulnerabilities are uncovered in Adobe Flash each month. To exploit kit developers, it is the gift that keeps on giving.


The industry is learning its lesson and moving beyond Flash for rich web content. For example, a Yahoo senior developer blogging recently in Streaming Media noted:

“Adobe Flash, once the de-facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback.”

–Amit Jain, Sep 21, 2016

dont-need-no-stinking-flash

// Banishing Adobe Flash

One step enterprises may take today to harden their endpoint configurations is to banish Adobe Flash as a matter of enterprise security policy. This will not be convenient, it may be painful, but it will be helpful in reducing your enterprise attack surface. It involves blacklisting Adobe Flash Player and enforcing browser security settings disabling Flash content. If done correctly, this is what users will see where Flash content appears on a legacy web page:

flash player message

This message confirms two facts:

  1. Your system is properly configured to refuse Flash content.
    –Congratulate yourself!
  2. This website would compromise your security for their convenience.
    –Ditch this site!

Get the General Here