Archive for July, 2016

Chuck Leaver – Adobe Flash Is A Real Threat To Organization Security

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence Day looming, a metaphor is in order: Flash is a bit like lighting fireworks. There are less risky ways to do it, but the only sure way to avoid getting burned is not to do it at all. And with Flash, you need not fight off pyromaniac urges to abstain; you simply manage your endpoint configurations.

Why would you want to do this? Well, a Google query for “Flash vulnerability” returns thirteen million hits. Flash is old, finished, and ready for retirement, as Adobe itself stated:

Today [November 30, 2015], open standards such as HTML5 have matured and supply many of the abilities that Flash introduced… Looking forward, we encourage content creators to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash indications? Yes, in the average enterprise, zillions. Your attackers know that too; they are counting on it. Thanks for contributing! Just keep ignoring those bothersome security bloggers, like Brian Krebs:

I would recommend that if you utilize Flash, you should highly consider removing it, or at a minimum hobbling it until and unless you require it.

Ignoring Brian Krebs’ advice raises the odds that your company’s data breach will be the feature story in one of his future posts.


Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities lengthens with every patch cycle. Nation-state attackers and the better-resourced groups can call upon Flash zero-days. They aren’t hard to mine: point a fuzzer at the creaking Flash codebase and watch them surface. If an offensive team can’t call upon zero-days, no matter; there are plenty of freshly published Flash Common Vulnerabilities and Exposures (CVE) entries to draw on before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog post illustrates this typical Flash vulnerability progression, from virgin zero-day to newly hatched CVE to prime enterprise exploit:

On May 8, 2016, FireEye spotted an attack making use of a formerly unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just four days later. (Published to the FireEye Threat Research Blog on May 13, 2016.)

As a quick test, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero-day before it became a known vulnerability. Now that it is known, the popular exploit kits will pick it up. Be sure you are ready.
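As an added example (not from the original post, and not Ziften’s tooling), here is a PowerShell inventory script that answers the question above for one Windows endpoint: it lists Flash Player and QuickTime entries from the uninstall registry, locates the Flash ActiveX/NPAPI/PPAPI binaries on disk even when no uninstall entry exists (the Internet Explorer control ships with Windows 8 and later), and flags any Flash build older than a minimum version you pass in. The default minimum, 21.0.0.242, is the build Adobe shipped in APSB16-15; the file paths and registry locations are the standard Adobe and Apple install locations and are assumptions you should confirm in your own environment.

```powershell
# Added example, not code from the original post. Inventories Adobe Flash Player and
# Apple QuickTime on the local Windows endpoint and flags Flash builds below a given
# version. Assumes: Windows PowerShell 3.0+, run elevated, standard install paths.
function Get-FlashQuickTimeExposure {
    [CmdletBinding()]
    param(
        # APSB16-15 shipped Flash Player 21.0.0.242 (fix for CVE-2016-4117). Adjust to
        # whatever your vulnerability feed currently calls "fixed".
        [version]$MinimumFlashVersion = '21.0.0.242'
    )

    # 1. What Add/Remove Programs knows about (native and 32-bit registry views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $uninstallEntries = foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -match 'Adobe Flash Player|QuickTime' }
    }
    foreach ($e in $uninstallEntries) {
        $parsed = $null
        $isFlash = $e.DisplayName -match 'Flash'
        [pscustomobject]@{
            Product    = $e.DisplayName
            Version    = $e.DisplayVersion
            Evidence   = 'Uninstall registry entry'
            Location   = $e.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            # Flash: compare against the fixed build. QuickTime: any version is unsupported.
            Vulnerable = if ($isFlash -and [version]::TryParse($e.DisplayVersion, [ref]$parsed)) {
                             $parsed -lt $MinimumFlashVersion
                         } else { -not $isFlash }
        }
    }

    # 2. Flash binaries on disk. Flash can be present with no uninstall entry, so the
    #    file system is the real source of truth.
    $flashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
                   "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $flashDirs) {
        $files = Get-ChildItem -Path "$dir\*" -Include 'Flash*.ocx','NPSWF*.dll','pepflashplayer*.dll' -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $vi  = $f.VersionInfo
            # FileVersion is a free-form string ("21,0,0,242" for Flash); build from the numeric parts.
            $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Product    = 'Adobe Flash Player'
                Version    = $ver.ToString()
                Evidence   = 'Binary on disk'
                Location   = $f.FullName
                Vulnerable = ($ver -lt $MinimumFlashVersion)
            }
        }
    }

    # 3. QuickTime player binary on disk (unsupported on Windows since April 2016).
    $qtCandidates = @("${env:ProgramFiles(x86)}\QuickTime\QuickTimePlayer.exe",
                      "$env:ProgramFiles\QuickTime\QuickTimePlayer.exe") |
                    Where-Object { $_ -and (Test-Path $_) }
    foreach ($p in $qtCandidates) {
        $vi = (Get-Item $p).VersionInfo
        [pscustomobject]@{
            Product    = 'Apple QuickTime'
            Version    = $vi.ProductVersion
            Evidence   = 'Binary on disk'
            Location   = $p
            Vulnerable = $true
        }
    }
}

# Local run. For a fleet, push the function through remoting, e.g.
#   Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-FlashQuickTimeExposure}
Get-FlashQuickTimeExposure | Sort-Object Product, Location | Format-Table -AutoSize
```

The point of checking the binaries, not just the uninstall entries, is that the ActiveX control bundled with the OS and the per-browser plugins leave no Add/Remove Programs trace, which is exactly the population a vulnerability scanner keyed only on installed-software inventory will miss.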

Start a Flash and QuickTime Eradication Project

While we have not discussed QuickTime yet, Apple dropped support for QuickTime for Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Also on macOS? Or just on Windows? How do you find the unsupported versions, when there are so many floating around?

By doing nothing, you flirt with disaster, with Flash vulnerability exposures rife across your client endpoint environment. Otherwise, you can start a Flash and QuickTime eradication campaign and move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education always works, right? I don’t think so.

One problem is that some of your users have a job function that requires opening attachments: PDF invoices sent to accounts payable, applicants’ Microsoft Word résumés sent to hiring departments, or legal notices sent to the legal department.

Let’s take a closer look at the Flash exploit described by FireEye in the blog post cited above:

Attackers had embedded the Flash exploit inside a Microsoft Office doc, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this setup, the assailants could distribute their exploit through URL or e-mail attachment. Although this vulnerability lives within Adobe Flash Player, risk actors created this particular attack for a target using Windows and Microsoft Office.


Even if a Flash-averse enterprise had thoroughly purged Flash from all of its browsers, this exploit would still have succeeded. Completely getting rid of Flash requires purging it from every browser and disabling its execution as an embedded Flash object inside Office or PDF files. That is certainly a step that should be taken at least for those departments whose job function requires opening attachments from unsolicited email. Extending outwards from there is a worthy configuration hardening objective for the security-conscious enterprise.
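As an added example that is not code from the original post, the hardening step just described can be driven from PowerShell. The Shockwave Flash ActiveX control has a fixed CLSID, {D27CDB6E-AE6D-11cf-96B8-444553540000}, and both Internet Explorer and Office honour a per-CLSID “Compatibility Flags” value of 0x400 (the kill bit) that stops the control from being instantiated; setting it under the Office COM Compatibility key is how Microsoft’s Flash advisories tell you to block Flash inside Office documents. The script below sets the kill bit in the IE and Office locations (native and WOW6432Node views) and reads them back so you can verify the result. The Acrobat Reader FeatureLockDown value bEnableFlash is included on the assumption that it is the relevant policy for your Reader version; check it against Adobe’s preference reference before relying on it. Run elevated, and use -WhatIf first.

```powershell
# Added example, not code from the original post. Sets the ActiveX/COM kill bit for the
# Shockwave Flash control so IE and Office refuse to instantiate it, and disables Flash in
# Acrobat Reader DC via FeatureLockDown. Assumes an elevated Windows PowerShell 3.0+ session.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # "Shockwave Flash Object"

# Kill-bit locations: IE's ActiveX Compatibility and Office's COM Compatibility, in both
# the native and the 32-bit (WOW6432Node) registry views.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
)
$KillBit = 0x400   # bit in "Compatibility Flags" that blocks the control

# Assumption: Reader DC honours this lockdown value; confirm in Adobe's preference reference.
$ReaderLockdown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

function Set-FlashKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $KillBitKeys) {
        if ($PSCmdlet.ShouldProcess($key, "Set 'Compatibility Flags' |= 0x$('{0:X}' -f $KillBit)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any flags already present and OR in the kill bit.
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            $newValue = [int]$existing -bor $KillBit
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess($ReaderLockdown, 'Set bEnableFlash = 0')) {
        if (-not (Test-Path $ReaderLockdown)) { New-Item -Path $ReaderLockdown -Force | Out-Null }
        Set-ItemProperty -Path $ReaderLockdown -Name 'bEnableFlash' -Value 0 -Type DWord
    }
}

function Test-FlashKillBit {
    # Emits one object per location so a compliance scan can assert on each.
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Location = $key
            Value    = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(absent)' }
            Blocked  = [bool]($flags -band $KillBit)
        }
    }
    $reader = (Get-ItemProperty -Path $ReaderLockdown -Name 'bEnableFlash' -ErrorAction SilentlyContinue).bEnableFlash
    [pscustomobject]@{
        Location = "$ReaderLockdown\bEnableFlash"
        Value    = if ($null -ne $reader) { $reader } else { '(absent)' }
        Blocked  = ($reader -eq 0)
    }
}

Set-FlashKillBit -WhatIf          # dry run: shows what would change
# Set-FlashKillBit                # apply for real
Test-FlashKillBit | Format-Table -AutoSize
```

Because these are HKLM values, the natural way to roll them out is a Group Policy registry preference rather than a script on each box, with Test-FlashKillBit (or a scanner check on the same keys) as the compliance evidence. Note what the kill bit does not cover: the NPAPI and PPAPI plugins in Firefox and Chrome are governed by those browsers’ own policy settings, so a complete purge still needs the browser side handled separately, which is the point the paragraph above makes about purging from every browser and from embedded objects.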

Not to mention, we’re all waiting for the first post about the QuickTime vulnerability that devastates a major enterprise.