Partner Perspectives  Connecting marketers to our tech communities.
8/27/2015
09:05 AM
Gavin Millard
Gavin Millard
Partner Perspectives
50%
50%

Flash: Web Browser Plugins Are Vulnerable

Maybe it's time to uninstall Flash for those that don't need it and continuously monitor those that do.

Adobe Flash has been in the press a lot recently after zero day vulnerabilities were disclosed. Facebook's CISO is calling for an end of life date, and Brian Krebs, the well-known infosec journalist (along with many others), is calling for everyone to uninstall the software. Flash has had major vulnerabilities in the past; everyone is used to seeing the almost daily popup from Adobe requesting an install of the latest version, so why all the sudden momentum?

When the treasure trove of information from the Hacking Team breach was reviewed by eagle-eyed researchers, they discovered that the security company of choice for dictatorships had three previously undisclosed and unpatched vulnerabilities they’d be leveraging to infect targets. The vulnerabilities were bad; in fact the Hacking Team described one as, “the most beautiful Flash bug for the last four years.” The 400GB data dump also included handy, proof of concept code that was quickly rolled into the Angler and Neutrino exploit kits before Adobe even had a chance to release an updated version of Flash to fix the “beautiful bug.”

The first stage of an attack is often the initial foothold, getting a malicious virtual foot in the door. For a targeted attack, this foothold is frequently established by phishing or social engineering, persuading a hapless employee to give up credentials, click on a link, plug in a dodgy USB device, or download and run malicious code. If we look at the famous RSA breach of a few years ago, the initial intrusion was allegedly via an email containing a spreadsheet of salaries; the desire for employees to get a glimpse of their peers’ earnings was tempting enough for them to ignore all the training they’d had from the security team.

Manipulation of “Layer 8” insecurities is a frequently leveraged approach to breaking in, but why go to that effort when easily exploitable and unpatched browser or plugin vulnerabilities are running on millions of laptops? Cybercriminals will often take the easy path to infection, targeting the low hanging fruit with off-the-shelf malware, rather than create bespoke, complex and targeted code. We hear so much about Advanced Persistent Threats, but for the majority of users, intrusions are more likely to come from leveraging a known, and easily exploitable, vulnerability.

Uninstall Flash Unless It Is Required

If there are no fixes available or the patch rate is greater than a few days to deploy the ones that are, what can be done to protect users from this increasing threat vector? Uninstalling vulnerable software is a viable option, but many still require it for their day-to-day work to use business critical systems, and for playing browser games. Disabling Flash or “Click-to-Play” is another option, but users can easily be manipulated into running the Flash player. Anti-malware solutions offer some protection, but even if they are deployed and up to date, they are often behind the curve of detecting the latest obfuscation techniques utilized by the exploit kit authors. If you can’t prevent, you need to detect. 

Utilize Strong Detective Controls On Systems Where Flash Is Required

The ability to detect indicators of compromise --  unexpected autoruns, malicious known code missed by AV software, connections to Command and Control servers often utilized by attackers -- have increased by leaps and bounds in the last few years and should be considered in any defense in-depth strategy. Deploying robust detective controls utilizing these approaches alongside traditional preventive and corrective controls should help decrease the risk of unknown or unpatched client side vulnerabilities being used as the initial foothold many fear.

One major concern surrounding the use of detective controls is the false positive issue causing security analysts to drown under the weight of alerts from the different threat intelligence feeds and logs. This is where context is critical. One approach for focusing on the risky rather than the risk-free, is to identify systems that are using known browser plugins targeted by malware authors, or out of date browsers that are easily attacked, and then to leverage this context for elevating alerts of possible indicators of compromise on those affected systems.

Visibility is another concern. What about all those remote workers who are now a favored target because they are less protected than their counterparts in corporate headquarters? Agents installed on their devices can collect vulnerability information, software inventory, configuration issues and the indicators of compromise. Agents should always be considered in a rigorous detective control program, and the collected data should be sent back to corporate for correlation and prioritization.

Since Steve Jobs made the controversial decision to keep Flash off Apple’s shiny iOS devices, many mainstream websites have made the move to HTML5 or alternate technologies to support the millions of devoted fans of all things “i.” Maybe it’s time to uninstall Flash for those that don’t need it and continuously monitor for indicators of compromise for those that do.

Gavin Millard is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sdecatur328
100%
0%
sdecatur328,
User Rank: Apprentice
8/27/2015 | 9:46:30 AM
Oxymorons
Funny how a website article about the vulnerability of Flash, wants you to run the add-on Adobe Flash Player from Adobe Systems Incorporated...
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.