Partner Perspectives  Connecting marketers to our tech communities.
8/27/2015
09:05 AM
Gavin Millard

Flash: Web Browser Plugins Are Vulnerable

Maybe it's time to uninstall Flash for those that don't need it and continuously monitor those that do.

Adobe Flash has been in the press a lot recently after zero-day vulnerabilities were disclosed. Facebook's CISO is calling for an end-of-life date, and Brian Krebs, the well-known infosec journalist (along with many others), is calling for everyone to uninstall the software. Flash has had major vulnerabilities in the past; everyone is used to seeing the almost daily popup from Adobe requesting an install of the latest version, so why all the sudden momentum?

When the treasure trove of information from the Hacking Team breach was reviewed by eagle-eyed researchers, they discovered that the security company of choice for dictatorships had three previously undisclosed and unpatched vulnerabilities they’d been leveraging to infect targets. The vulnerabilities were bad; in fact, the Hacking Team described one as “the most beautiful Flash bug for the last four years.” The 400GB data dump also included handy proof-of-concept code that was quickly rolled into the Angler and Neutrino exploit kits before Adobe even had a chance to release an updated version of Flash to fix the “beautiful bug.”

The first stage of an attack is often the initial foothold, getting a malicious virtual foot in the door. For a targeted attack, this foothold is frequently established by phishing or social engineering, persuading a hapless employee to give up credentials, click on a link, plug in a dodgy USB device, or download and run malicious code. If we look at the famous RSA breach of a few years ago, the initial intrusion was allegedly via an email containing a spreadsheet of salaries; the desire for employees to get a glimpse of their peers’ earnings was tempting enough for them to ignore all the training they’d had from the security team.

Manipulation of “Layer 8” insecurities is a frequently leveraged approach to breaking in, but why go to that effort when easily exploitable and unpatched browser or plugin vulnerabilities are running on millions of laptops? Cybercriminals will often take the easy path to infection, targeting the low-hanging fruit with off-the-shelf malware rather than creating bespoke, complex and targeted code. We hear so much about Advanced Persistent Threats, but for the majority of users, intrusions are more likely to come from leveraging a known, and easily exploitable, vulnerability.

Uninstall Flash Unless It Is Required

If no fixes are available, or the ones that are take more than a few days to deploy, what can be done to protect users from this increasing threat vector? Uninstalling vulnerable software is a viable option, but many still require it for their day-to-day work to use business-critical systems, and for playing browser games. Disabling Flash or setting it to “Click-to-Play” is another option, but users can easily be manipulated into running the Flash player. Anti-malware solutions offer some protection, but even if they are deployed and up to date, they are often behind the curve in detecting the latest obfuscation techniques utilized by the exploit kit authors. If you can’t prevent, you need to detect.

Utilize Strong Detective Controls On Systems Where Flash Is Required

The ability to detect indicators of compromise -- unexpected autoruns, known malicious code missed by AV software, connections to Command and Control servers often utilized by attackers -- has increased by leaps and bounds in the last few years and should be considered in any defense-in-depth strategy. Deploying robust detective controls utilizing these approaches alongside traditional preventive and corrective controls should help decrease the risk of unknown or unpatched client-side vulnerabilities being used as the initial foothold many fear.

One major concern surrounding the use of detective controls is the false positive issue, which causes security analysts to drown under the weight of alerts from the different threat intelligence feeds and logs. This is where context is critical. One approach for focusing on the risky rather than the risk-free is to identify systems that are using known browser plugins targeted by malware authors, or out-of-date browsers that are easily attacked, and then to leverage this context for elevating alerts of possible indicators of compromise on those affected systems.

Visibility is another concern. What about all those remote workers who are now a favored target because they are less protected than their counterparts in corporate headquarters? Agents installed on their devices can collect vulnerability information, software inventory, configuration issues and the indicators of compromise. Agents should always be considered in a rigorous detective control program, and the collected data should be sent back to corporate for correlation and prioritization.
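The context-driven elevation described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the host names, software names, version thresholds, alert records and the choice to treat a host with no agent inventory as exposed are all constructed assumptions.

```python
# Constructed policy: software name -> minimum version treated as patched.
# Placeholder numbers, not real Adobe or browser vendor release data.
MIN_PATCHED = {"flash-plugin": (2, 0, 5), "example-browser": (40, 0, 0)}

# Constructed agent-reported inventory: host -> {software: version}.
INVENTORY = {
    "laptop-01": {"flash-plugin": "2.0.1", "example-browser": "41.0.2"},
    "laptop-02": {"example-browser": "41.0.2"},
    "laptop-03": {"flash-plugin": "2.0.5", "example-browser": "38.1.0"},
}

# Constructed IoC alerts: (host, indicator type, base severity 1-10).
ALERTS = [
    ("laptop-02", "unexpected_autorun", 5),
    ("laptop-01", "c2_connection", 5),
    ("laptop-03", "known_malware_hash", 4),
    ("laptop-01", "unexpected_autorun", 3),
    ("remote-07", "c2_connection", 4),  # host with no agent data
]

def parse_version(text):
    """Turn '2.0.1' into (2, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def risky_software(host):
    """Return sorted exposure context for a host.

    A host missing from the inventory is a visibility gap; this sketch
    assumes it should be treated as exposed rather than as clean.
    """
    if host not in INVENTORY:
        return ["no-inventory"]
    return sorted(
        name for name, version in INVENTORY[host].items()
        if name in MIN_PATCHED and parse_version(version) < MIN_PATCHED[name]
    )

def prioritize(alerts, boost=3, cap=10):
    """Raise severity by `boost` per exposure item, then sort highest first."""
    ranked = []
    for host, indicator, severity in alerts:
        exposed = risky_software(host)
        score = min(cap, severity + boost * len(exposed))
        ranked.append({"host": host, "indicator": indicator,
                       "score": score, "context": exposed})
    # sorted() is stable, so equal scores keep their arrival order.
    return sorted(ranked, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in prioritize(ALERTS):
        print(alert)
```

The alert on the fully patched host drops to the bottom of the queue even though it arrived first with the highest base severity, while alerts on hosts with an outdated plugin, an outdated browser or no inventory move up.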

Since Steve Jobs made the controversial decision to keep Flash off Apple’s shiny iOS devices, many mainstream websites have made the move to HTML5 or alternate technologies to support the millions of devoted fans of all things “i.” Maybe it’s time to uninstall Flash for those that don’t need it and continuously monitor for indicators of compromise for those that do.

Gavin Millard is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously ...
Comments
sdecatur328,
User Rank: Apprentice
8/27/2015 | 9:46:30 AM
Oxymorons
Funny how a website article about the vulnerability of Flash wants you to run the add-on Adobe Flash Player from Adobe Systems Incorporated...