Welcome back to this series of blog posts on cybersecurity lessons learned from 2018. In my previous post, I covered the Meltdown and Spectre vulnerabilities. Today, let’s turn our attention to a persistent thorn in the side of the security world, Adobe Flash. Remember, all these posts draw from a webcast that I did with Microsoft MVP and Windows security expert Randy Franklin Smith, so it’s guaranteed to be good stuff.
A brief history
Adobe Flash was one of the most important technologies of the early internet. It was widely installed on desktop computers to display interactive web pages, enable online games, and play video and audio content. In fact, beginning with Windows 8, Microsoft built Flash Player directly into the Internet Explorer browser.
However, Flash quickly became a hacker’s dream — and everyone else’s nightmare. By 2010, both Apple and Microsoft were reporting significant reliability and security problems with Flash, and Symantec's Internet Security Threat Report was recommending that administrators disable it altogether. Steve Jobs even published a manifesto noting that Flash was the number one reason Macs crash and explaining why Apple does not allow Flash on iPhones, iPods and iPads.
But Flash still would not die. As of today, Adobe Flash Player has over 1,000 Common Vulnerabilities and Exposures (CVE) entries, over 800 of which lead to arbitrary code execution — instantly turning an outside attacker into an insider threat.
With open standards like HTML5, WebGL and WebAssembly now available, there is no longer any need for Flash. Finally, in July 2017, Adobe announced that it will end-of-life Flash. But it’s way too early to rejoice and relax: EOL doesn’t come until the end of 2020, and that’s just when Adobe will stop updating and distributing the Flash Player — it doesn’t mean websites have to stop using Flash or that all the browsers already installed in your organization will miraculously be purged of the plug-in.
What should you do about Flash?
How concerned you need to be about Flash depends to a degree on which browsers you're running: Edge and Chrome don't run Flash by default, but Internet Explorer still does. In any case, it’s wise to use Active Directory Group Policy to disable Flash — and keep it disabled — on all your browsers. Look for a good Active Directory tool that streamlines Group Policy management. It’s also smart to educate your users about the vulnerabilities of Flash so they don’t try to get around this critical restriction.
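To confirm that the Group Policy settings described above actually landed on an endpoint and stay in place, the following audit script is an added example, not part of the original post or the webcast. The registry paths and value names are assumptions based on the browser vendors' administrative templates for Internet Explorer, legacy Edge and Chrome; check them against the ADMX files deployed in your own environment.

```powershell
# Added example: audit the machine-level policy values that disable Flash.
# Paths, value names and expected data are assumptions taken from the vendors'
# ADMX templates; verify them against the templates in your Central Store.
$checks = @(
    [pscustomobject]@{ Browser = 'Internet Explorer'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
        Name = 'DisableFlashInIE'; Expected = 1 },       # 1 = Flash turned off
    [pscustomobject]@{ Browser = 'Edge (legacy)'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
        Name = 'FlashPlayerEnabled'; Expected = 0 },     # 0 = Flash not allowed
    [pscustomobject]@{ Browser = 'Chrome'
        Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
        Name = 'DefaultPluginsSetting'; Expected = 2 }   # 2 = block plug-ins
)

function Test-FlashPolicy {
    param([Parameter(Mandatory)] $Check)
    # A missing key or value means the GPO never applied to this machine.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($Check.Name) }

    if ($null -eq $actual)               { $state = 'NotConfigured' }
    elseif ($actual -eq $Check.Expected) { $state = 'Disabled' }
    else                                 { $state = 'FlashAllowed' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Browser  = $Check.Browser
        Value    = $actual
        Expected = $Check.Expected
        State    = $state
    }
}

$results = $checks | ForEach-Object { Test-FlashPolicy -Check $_ }
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or compliance tool flag the machine.
if ($results | Where-Object State -ne 'Disabled') { exit 1 }
```

A `NotConfigured` result means the browser is running with its default Flash behaviour on that machine, which is worth investigating for GPO scoping or filtering problems.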
Even with that precaution in place, it’s essential to establish and maintain proper Active Directory security and governance to minimize your attack surface area, and to have comprehensive, real-time Active Directory auditing in place so you can quickly spot suspicious activity across your IT environment. Finally, it’s always a best practice to regularly back up Active Directory so you can restore business operations quickly in case a threat gets through and causes havoc or even takes down your entire Active Directory forest.
Fewer and fewer websites are using Flash, but don’t let your guard down. Remember, we still have two years to go until Flash is officially at EOL.
Unfortunately, Meltdown, Spectre and Flash weren’t the only threats in the news last year. Remember NotPetya? I’ll explore what we can learn from it in my next post, so stay tuned. In the meantime, you can learn more about best practices for limiting the ability of attackers to move around inside your network by checking out our ebook, “Enhancing Active Directory Security & Lateral Movement Detection.”