Adobe Flash is no stranger to zero-day exploits. The application has been under fire for years over its vulnerabilities and lack of security. Another zero-day vulnerability recently combined Adobe Flash with Excel to drop malware on a user’s system and give an attacker remote access to the desktop. Adobe Flash used to be the de facto application for video and animation, but the introduction of HTML5 has made it a dinosaur that only opens cyber-security vulnerabilities on your network.
Why Attackers Use Adobe Flash as a Vector
Prior to 2010, users needed Flash to view videos or play animation. The Flash application was installed on any browser, which made it a widespread tool among internet users. When an application is widely used on any desktop, attackers have a good chance of launching an attack with a better return on their efforts. Since Flash is installed on most computers, it’s a huge target for attackers, especially since it’s riddled with security flaws.
Many Apple fans used to buy Mac computers just for their impermeability to malware. It wasn’t that the operating system couldn’t be hacked. The issue was that few people had Mac computers, so attackers focused on Windows or Linux. That’s no longer the case, and several attacks have focused on Mac OS instead of its competitors.
The same could be said of Flash. Flash is installed by default on most systems, so attackers have a better chance of infecting a machine. Microsoft Silverlight is also used for streaming video, but it’s not as popular and has been discontinued. Silverlight is still used on Netflix, but it’s not common enough for attackers to find vulnerabilities.
Flash Exploits and Vulnerabilities
Even prior to 2010, security experts suggested Flash should be deactivated on corporate machines. It wasn’t until 2015 that a major security flaw allowed attackers to remotely access a computer when a user just browsed a malicious website. This caused major browser vendors (Google and Mozilla) to release emergency updates that disabled the software. Adobe quickly released a patch, but it was the final vulnerability that sealed its doom.
Chrome and Firefox now have their own homegrown versions of Flash that keep it sandboxed from the operating system. It’s disabled by default, but if a user absolutely needs to use Flash it’s available. The user can whitelist domains that allow them to use Flash on the local browser, but opening Flash to all domains is a security issue.
Because Flash was disabled on major browsers, attackers were forced to come up with new methods. Users are familiar with the Adobe Flash brand, so they will likely install unknown software labeled as an Adobe patch. Instead of installing a Flash patch, they actually install malware.
Attackers lead a user to a website and show a message that indicates Adobe Flash is out of date. They then point users to an executable on a third-party site. Naive users don’t notice that the executable isn’t hosted on Adobe’s official domain and install it on a vulnerable machine. The malware is usually a trojan that allows remote access from the internet. It can also be malware that makes the desktop a part of a botnet, which is used to DDoS online corporations. These “drive-by” attacks are common on the web, and poor local security allows the user to install malware from malicious third-party sites. These sites can be filtered out with good content filtering systems.
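The check below is an added example, not part of the original article. It shows how a proxy-log review or content filter can catch the fake-updater downloads described above: it flags any executable whose file name claims to be Flash but whose host is not Adobe's domain. The log format, the sample lines, and the allow-list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as legitimate sources of Flash installers.
OFFICIAL_SUFFIXES = ("adobe.com",)
# File names that claim to be a Flash installer or update.
FLASH_NAME = re.compile(r"flash", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".msi", ".dmg", ".pkg", ".scr")

# Constructed sample lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2018-06-11T09:14:02Z 10.0.4.17 GET http://get.adobe.com/flashplayer/download/install_flash_player.exe 200
2018-06-11T09:15:40Z 10.0.4.22 GET http://updates.example.net/adobe/FlashPlayer_Update.exe 200
2018-06-11T09:16:05Z 10.0.4.22 GET http://adobe.com.patch-cdn.example/flashplayer_setup.msi 200
2018-06-11T09:17:31Z 10.0.4.30 GET http://notadobe.com.example/docs/flash-history.html 200
2018-06-11T09:18:12Z 10.0.4.31 GET http://files.example.org/tools/7zip_setup.exe 200
"""

def is_official(host):
    """True only for the official domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def is_fake_flash_download(url):
    """Executable named like a Flash installer, served from a non-official host."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    looks_like_installer = (
        filename.lower().endswith(EXECUTABLE_EXT) and FLASH_NAME.search(filename)
    )
    return bool(looks_like_installer) and not is_official(parts.hostname or "")

def find_suspicious(log_text):
    """Return (client, url) pairs for successful suspicious downloads."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, method, url, status = fields
        if method == "GET" and status == "200" and is_fake_flash_download(url):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {client} downloaded {url}")
```

The host comparison matches on a dot boundary, so a lookalike such as adobe.com.patch-cdn.example is not mistaken for the official domain.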
A recent zero-day attack uses Excel and Adobe Flash. The attacker sends a victim the Excel document. The victim opens the Excel spreadsheet and an embedded Flash object provides remote access for the attacker. These attacks just further show that uninstalling Flash is the better way to deal with cyber-security on a corporate network.
To provide the best security for your business, the solution is to uninstall Flash. Here is how you can uninstall it by browser.
Chrome: Go to chrome://plugins and click “Disable” next to Adobe Flash Player.
Safari: Go to “Preferences” and click “Security.” Click “Adobe Flash Player.” Click “Block” next to “When visiting other websites.”
Firefox: Click “Addons” from the main preferences menu in the upper-right corner. Click “Plugins.” Click “Never Activate” next to Flash.
You can also set security policies on your network that automatically disable and uninstall Flash. Unless you have users that specifically need it, they won’t notice that Flash isn’t enabled unless they stream videos from older sites. You can then whitelist domains as your users ask for access.