When will Flash stop being the exploit of choice?
Adobe Flash has long been something of a controversy among security personnel due to its massive number of known vulnerabilities. Flash has become a popular target for hackers (Wired), and the list of vulnerabilities continues to grow according to CVE Details. So the question I ask is: when will this outdated and archaic video player plug-in finally be phased out?
Flash being phased out has been a goal that many companies have been pushing with big hitters such as Facebook, Google and Mozilla being the flagships for this campaign.
While this push to end Flash has been ongoing, it is still used pervasively throughout the internet, to the detriment of any company that allows this plug-in on its network. Security controls that disable Flash in the company-approved web browser are still the best way to cope with the fact that Flash is still in use on a plethora of websites.
The real problem that many company execs run into is not creating controls for Flash at all: either the user is allowed to run Flash on the company network, or the plug-in is disabled in one browser while user privileges are left unrestricted, so other browsers can simply be installed. Both scenarios expose the network to every zero-day exploit known to the internet at any time.
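Both gaps described above can be audited on a Windows workstation. The following PowerShell script is an added example, not code from the original post; the registry paths and the Firefox policies.json layout are assumptions based on the Adobe installer keys and the Chrome/Firefox enterprise policy formats, so confirm them against your own fleet.

```powershell
# Added example (not from the original post): audit a Windows host for Flash
# Player and for browser policies that block it. Registry paths and the
# Firefox policies.json layout are assumptions; verify them on your fleet.

function Get-FlashInstallState {
    # Adobe's installers record the ActiveX (IE) and NPAPI plug-in versions here (assumed keys).
    $keys = @(
        'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX',
        'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin',
        'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayerActiveX',
        'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayerPlugin'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) { [pscustomobject]@{ Key = $k; Version = $v } }
    }
}

function Test-ChromeFlashBlocked {
    # Chrome policy DefaultPluginsSetting: 1 = allow, 2 = block, 3 = click-to-play.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue
    return ($p.DefaultPluginsSetting -eq 2)
}

function Test-FirefoxFlashBlocked {
    # Firefox policies.json: FlashPlugin.Default=false with Locked=true means
    # Flash is off and end users cannot re-enable it (assumed key names).
    $path = Join-Path ${env:ProgramFiles} 'Mozilla Firefox\distribution\policies.json'
    if (-not (Test-Path $path)) { return $false }
    $pol = (Get-Content $path -Raw | ConvertFrom-Json).policies
    return ($pol.FlashPlugin.Default -eq $false -and $pol.FlashPlugin.Locked -eq $true)
}

function Test-UserIsLocalAdmin {
    # A local admin can sideload another browser and bypass the policy on the approved one;
    # standard users cannot install machine-wide software.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$installed = Get-FlashInstallState
if ($installed) {
    $installed | Format-Table -AutoSize
    if (-not (Test-ChromeFlashBlocked))  { Write-Warning 'Chrome: Flash is not blocked by policy' }
    if (-not (Test-FirefoxFlashBlocked)) { Write-Warning 'Firefox: Flash is not blocked by policy' }
} else { 'Flash Player not found in the registry' }
if (Test-UserIsLocalAdmin) { Write-Warning 'Current user is a local administrator: browser policy can be bypassed' }
```

Run it from an elevated prompt via your endpoint management tool and collect the warnings centrally; a host that reports Flash installed with no blocking policy, or a logged-on local administrator, is exactly the exposed scenario described above.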
Per Arellia research:
it has been “proven that running with reduced privileges can mitigate a majority of software vulnerabilities in Microsoft, Adobe, and Mozilla products.”
While reducing your network's exposure to Flash vulnerabilities only fixes part of the problem, the bigger problem here is the known security problems with Adobe Flash itself (The Guardian, 2015).
It’s a known fact that Adobe can’t keep up with the number of security problems that are found, and the time between a vulnerability being discovered and a patch being deployed is over 60 days for the most serious of vulnerabilities. This is coupled with the fact that “More than 90% of the vulnerabilities exploited in 2014 had security patches available but organizations continue to struggle to mitigate these threats” (Arellia). The fact is that even when Adobe manages to get a patch out for a zero-day threat, companies aren’t dealing with it in an appropriate amount of time. “What makes matters worse is companies like Hacking Team are in the business of finding these flaws and not always reporting them” (Venture Beat, 2015).
At some point Flash will either be phased out (which is the much more likely scenario at this point) or something drastic will need to happen to fix the mess Adobe has created. Companies need to recognize this and adjust their security policy to cope with the fact that Flash is an open door to hackers, script kiddies and anyone who wants a free pass into your organization’s network.