When will Flash stop being the exploit of choice?

Adobe Flash has long been a point of contention among security personnel because of its enormous number of known vulnerabilities. It has become a favourite target for attackers (Wired), and the list of vulnerabilities continues to grow according to CVE Details. So the question I ask is: when will this outdated, archaic plug-in finally be phased out?

Phasing out Flash has been a goal that many companies have pushed, with heavy hitters such as Facebook, Google and Mozilla serving as the flagships of the campaign.

While the push to end Flash is ongoing, it is still used pervasively across the internet, to the detriment of any company that allows the plug-in on its network. Disabling Flash in the company's approved browser through enforced security controls is still the best way to deal with the fact that Flash remains in use on much of the web.

Flashy Problems

The real problem many company executives run into is not establishing controls for Flash: either users are allowed to run Flash on the company network, or the plug-in is disabled in one browser while user privileges are left unrestricted, so users can simply install another browser that still runs it. Either scenario exposes the network to every Flash exploit in circulation, including those for which no patch yet exists.
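The controls described above (disable the plug-in in every browser the company permits, and verify it stayed disabled) can be applied per machine rather than left to the user. The following PowerShell is an added example written for this post, not a script from the original author or from Adobe: it sets the Internet Explorer ActiveX kill bit for the Shockwave Flash Object, blocks plug-ins by Chrome machine policy, locks the Firefox `plugin.state.flash` pref, and then reports whether each setting is present. The Flash CLSID, the registry policy path for Chrome, the default Firefox install directory and the `Disable-FlashPlugin`/`Test-FlashDisabled` function names are assumptions made for the example.

```powershell
# Added example (not from the original post): machine-wide settings that disable
# the Flash plug-in in the browsers an enterprise typically permits, plus a check
# that reports whether each setting is in place. Run elevated; in practice the
# same values would be pushed by Group Policy so users cannot undo them.
#
# Assumptions: Internet Explorer loads Flash as the "Shockwave Flash Object"
# ActiveX control with the well-known CLSID below; Chrome reads machine policy
# from HKLM\SOFTWARE\Policies\Google\Chrome; Firefox is installed in the default
# directory and honours a locked pref supplied via mozilla.cfg.

$ErrorActionPreference = 'Stop'

$FlashClsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit      = 0x400   # "do not load" compatibility flag for an ActiveX control
$IeCompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$FirefoxDir   = 'C:\Program Files\Mozilla Firefox'   # assumption: default install path

function Disable-FlashPlugin {
    # Internet Explorer: set the kill bit so the control cannot be instantiated
    # even while the Flash runtime itself remains installed on the machine.
    foreach ($key in $IeCompatKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value $KillBit
    }

    # Google Chrome: DefaultPluginsSetting 2 = block all plug-ins (Flash included).
    New-Item -Path $ChromePolicy -Force | Out-Null
    Set-ItemProperty -Path $ChromePolicy -Name 'DefaultPluginsSetting' -Type DWord -Value 2

    # Firefox: lock plugin.state.flash to 0 (disabled). mozilla.cfg must begin with
    # a comment line, and defaults\pref\local-settings.js tells Firefox to load it.
    if (Test-Path $FirefoxDir) {
        $prefDir = Join-Path $FirefoxDir 'defaults\pref'
        New-Item -Path $prefDir -ItemType Directory -Force | Out-Null
        Set-Content -Path (Join-Path $prefDir 'local-settings.js') -Value @(
            'pref("general.config.filename", "mozilla.cfg");',
            'pref("general.config.obscure_value", 0);'
        )
        Set-Content -Path (Join-Path $FirefoxDir 'mozilla.cfg') -Value @(
            '// Flash disabled by enterprise policy',
            'lockPref("plugin.state.flash", 0);'
        )
    }
}

function Test-FlashDisabled {
    # Returns one object with a boolean per browser, suitable for collecting
    # from a fleet and flagging machines where the control has drifted.
    $ie = $true
    foreach ($key in $IeCompatKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { $ie = $false }
    }

    $chrome = (Get-ItemProperty -Path $ChromePolicy -Name 'DefaultPluginsSetting' -ErrorAction SilentlyContinue).DefaultPluginsSetting -eq 2

    # A machine without Firefox installed has nothing to lock down.
    $cfg = Join-Path $FirefoxDir 'mozilla.cfg'
    $firefox = (-not (Test-Path $FirefoxDir)) -or
               ((Test-Path $cfg) -and (Select-String -Path $cfg -Pattern 'lockPref\("plugin\.state\.flash",\s*0\)' -Quiet))

    [pscustomobject]@{ InternetExplorer = $ie; Chrome = $chrome; Firefox = $firefox }
}

Disable-FlashPlugin
Test-FlashDisabled
```

These settings only hold if users cannot install a browser that ignores them, which is the privilege point made above: a standard user who cannot write to Program Files or HKLM cannot add a fourth browser or delete the kill bit, while a local administrator can undo all of this in a minute. Run `Test-FlashDisabled` on its own as a periodic audit rather than trusting that the one-time deployment stuck.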

Per Arellia research:

it has been “proven that running with reduced privileges can mitigate a majority of software vulnerabilities in Microsoft, Adobe, and Mozilla products.”

Reducing your network's attack surface for Flash vulnerabilities only fixes part of the problem; the bigger problem is the sheer number of known security flaws in Adobe Flash (The Guardian, 2015).

Adobe has not been able to keep up with the volume of security problems being found, and the gap between a vulnerability being discovered and a patch being deployed has been reported to exceed 60 days for the most serious flaws. This is coupled with the fact that “More than 90% of the vulnerabilities exploited in 2014 had security patches available but organizations continue to struggle to mitigate these threats” (Arellia). The fact is that even when Adobe manages to get a patch out for a zero-day threat, companies are not deploying it in a reasonable amount of time. What makes matters worse is that companies like Hacking Team are in the business of finding these flaws and not always reporting them (Venture Beat, 2015).

Final Thoughts

At some point Flash will either be phased out (by far the more likely scenario at this point) or something drastic will have to happen to fix the mess Adobe has created. Companies need to recognize this and adjust their security policies to cope with the fact that Flash is an open door for hackers, script kiddies and anyone else who wants a free pass into the organization's network.

References

Arellia
Wired
CVE Details
Venture Beat
The Guardian


About Matthew Eliason

Matthew Eliason was born in Houston, Texas. Upon graduating from high school, he joined the Navy. His first tour was as an Information Systems Technician on a 130-client DOD network, where he developed the documentation and maintenance procedures from 2007 to 2012. In 2012, he transferred to shore duty, where he serves as a system and security administrator. He graduates with a Bachelor of Science in Information Technology from American Military University in November of 2015. He holds the CompTIA Security+ certification and has extensive experience in DOD Information Assurance (IA) and Cyber Security compliance and procedures. He enjoys golf, hiking and watching football in his spare time.