The goal of any security awareness and training program should be to reduce risk. Unfortunately, some programs could actually end up increasing vulnerability for one fundamental reason: Adobe Flash. A breach accomplished by hacking a security training program would be ironic, but definitely not funny.
The Adobe Flash plug-in and its serious security flaws have been receiving a lot of press lately. Brian Krebs of Krebs on Security is just one of several sources calling for disabling or removal of Flash. And the Occupy Flash website and Twitter account are calling on users to “rid the world of the Flash Player plug-in.”
But is it much ado about nothing? Absolutely not. Flash’s susceptibilities are not hypothetical; hackers are fully up to speed and actively using the weaknesses to their benefit. In fact, Bromium recently reported that Flash was at the root of more exploits than any other popular software during the first six months of 2015. This summer’s Hacking Team breach was a prime example; the data released following the breach included proof of concept code that was immediately rolled into the Angler and Neutrino exploit kits — all before Adobe could release a patch.
Info security professionals are also tuned in; 90 percent of those surveyed by Bromium said their organizations would be more secure if the plug-in were disabled. Many security experts feel that Flash will never be secure. Outdated, unpatched browsers and plug-ins (like Flash) are running on millions of laptops — and they are an easy way in for hackers. Cisco’s research reveals that 75 percent of known subdomain exploits since 2014 have been associated with Angler, which uses Flash and similar browser vulnerabilities to avoid detection. The same research shows that 40 percent of users who encounter an Angler kit online are compromised, which is double the 20 percent compromise rate with other kits.
Flash Attacks Spread Far and Wide
The potential pitfalls associated with Flash can turn a localized attack into a widespread issue. When hackers penetrate a central website through an Adobe Flash vulnerability, they can use that inroad to install an exploit kit on site users’ PCs. Using these exploit kits, they can then execute whatever code they want to and remotely control the affected computers.
To get into the site itself, the cyber criminals would simply have to wait for someone to use a compromised PC to access the site’s web server or connected database, and they would be in. Beyond that, mapped cloud drives, saved passwords, user data: all of those browser bits on the PC itself would also be available to the hacker. The possibilities for capitalizing on this information are virtually endless.
Best practices and training could limit the scope of these kinds of attacks, many of which start with an infected file in a phishing email. But it’s easy to see how a Flash exploit that targets a central site could quickly spread far and wide.
Does It Work to Turn Flash Off?
On the surface, disabling Flash seems like an easy and effective solution. If you don’t use Flash or can do without it, you certainly should. However, disabling the software isn’t as expedient as it sounds; most users are likely to run into some significant troubles somewhere. More than 40 percent of the organizations that participated in the Bromium survey said that turning off Flash would disrupt productivity or even “break” critical applications.
Many websites use Flash, including major e-commerce sites, business publications, entertainment portals, and display advertising platforms, so the general surfing experience will be degraded when it is disabled. It is possible to enable it each time you need it and then return it to a disabled state. But, frankly, it’s dangerous to assume that users will be willing to take these extra steps, even if they are savvy enough to know how and why they should.
There are signs of progress, however: joining Apple’s longstanding ban of Flash as a faulty technology, browsers like Chrome, Firefox, and Safari are limiting Flash content and changing default browser settings. Moreover, massive retailers like Amazon are beginning to eliminate Flash-based advertising on their sites as attacks are an increasingly prevalent feature of the cybercrime landscape.
Break Your Flash Habit before It Breaks You
The proverbial cat is clearly out of the bag as far as Flash goes. It’s a popular hacker target now, and it will continue to be one. There is very little money spent on testing it, and the risk is only compounded by the fact that it utilizes many other technologies within web browsers. Because Flash has permission to jump technologies, any exploits written for it will have the same free rein in the browser, so the potential for damage is multiplied.
For the time being, it’s best to avoid Flash whenever you can. When you choose software products (e.g., a security awareness and training platform) opt for a Flash-free version. And if you are using a subscription-based service or an older internal software platform that utilizes Flash, such as a learning management system, start working now to get your transition plan in place. You certainly don’t want to be in the ironic position shared by one Black Hat attendee, whose organization had removed all Flash instances but one: the training videos delivered by its security awareness provider.
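As an added example (not from the original article or any vendor's code), here is a small Python scanner that flags the markup patterns a Flash-based training module or LMS page typically uses, so an organization building its transition plan can inventory Flash dependencies before disabling the plug-in. The sample HTML is constructed; the Flash MIME type and ActiveX CLSID are the well-known legacy identifiers.

```python
"""Inventory Flash dependencies in HTML pages (added example, not the article's code)."""
import re
from html.parser import HTMLParser

# Markers that indicate Flash content. The CLSID is the legacy Shockwave
# Flash ActiveX control identifier used in old <object> markup.
FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
SWF_RE = re.compile(r"\.swf(\?|#|$)", re.IGNORECASE)


class FlashFinder(HTMLParser):
    """Collect (tag, reason) pairs for every element that pulls in Flash."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Valueless attributes (e.g. "controls") arrive as None; normalise them.
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "") or a.get("data", "")
        if tag in ("object", "embed") and a.get("type", "").lower() == FLASH_MIME:
            self.findings.append((tag, "type=" + FLASH_MIME))
        elif tag == "object" and a.get("classid", "").lower() == FLASH_CLSID:
            self.findings.append((tag, "Flash ActiveX classid"))
        elif tag == "param" and a.get("name", "").lower() == "movie" and SWF_RE.search(a.get("value", "")):
            self.findings.append((tag, "movie=" + a["value"]))
        elif tag in ("embed", "object", "iframe") and SWF_RE.search(src):
            self.findings.append((tag, "swf reference: " + src))


def find_flash(html: str) -> list:
    """Return a list of (tag, reason) findings for the given HTML document."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a training page that embeds a Flash module through
# legacy <object>/<param> markup plus an <embed> fallback, and one clean video.
SAMPLE = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="640" height="480">
  <param name="movie" value="modules/phishing101.swf?lang=en">
  <embed src="modules/phishing101.swf" type="application/x-shockwave-flash">
</object>
<video src="modules/phishing101.mp4" controls></video>
</body></html>"""

if __name__ == "__main__":
    for tag, reason in find_flash(SAMPLE):
        print(f"{tag}: {reason}")
```

Run it against the exported pages of a training platform or LMS; any finding means that content still depends on the plug-in and belongs on the migration list.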
- Adobe Flash exploits: How secure is your security training software? - October 10, 2015
1 thought on “Adobe Flash exploits: How secure is your security training software?”
Thanks for including the Bromium survey, Jeff. I conducted it during Black Hat 2015 and actually had the chance to speak with a few of the respondents about their answers. Sure enough, one security professional sheepishly admitted to me that one of the only applications that still requires Flash was for security training.