by Amir Khashayar Mohammadi
Right in time for Groundhog Day, another serious Zero-Day vulnerability was added to the long list of Adobe Flash Player exploits. Early reports indicate that North Korean nation-state actors have taken advantage of this security flaw at least since mid-November 2017.
If you still run Flash in your local browser(s), get rid of it now. Read on below to learn how to protect yourself without necessarily having to give up on websites that put your local IT at risk by asking you to install Flash.
The critical Adobe Flash Player Zero-Day vulnerability was disclosed with no patch available at the time (CVE-2018-4878). Affected are all versions 220.127.116.11 and prior. This vulnerability also impacts all major operating systems (Windows/Linux/Macintosh/ChromeOS) and most major browsers, such as Microsoft Edge, Chrome and Internet Explorer 11.
Attackers who take advantage of this remote code execution flaw would gain full control over the victim’s entire environment:
All that an attacker needs to leverage this vulnerability is a Flash file specifically crafted for this purpose, containing the exploit embedded into various attack methods.
Web pages, Word documents, emails - they all can be used to mount the attack, as long as the user has Flash installed and enabled in the browser.
In addition to the browsers mentioned earlier, Firefox is also affected, although not as severely. Because Firefox runs Flash in a “protected mode”, users are protected through a containment technique that disallows access to sensitive resources from the Flash component. By far, not a complete solution, nevertheless it holds up against this particular Zero-Day.
In Adobe's security advisory, which was released on February 1st (just in time for Groundhog Day), the company promised a patch for the week of February 5th. It also advised users to disable the Flash component in browsers and other runtime environments.
Flash still casting a shadow that won’t go away
Adobe Flash Player vulnerabilities by type
Source: CVE Details
This newest Flash vulnerability (is anybody still counting?) serves as a reminder of the regular browser’s inherent security weaknesses. Its seemingly most insignificant components often turn out to be the most dangerous, giving external attackers full access to the local machine and network.
As information security researcher Mohit Kumar points out, this vulnerability (CVE-2018-4878) has likely been “actively exploited in the wild by North Korean hackers to target Windows users in South Korea” for quite a while, according to this alert of the South Korean CERT.
Source: The Hacker News
Do you still have a Flash plugin installed? Do you even know? Get rid of it. If you or your organization is still using it on one of the named browsers, it’s time to follow the South Korean example and do some spring cleaning.
Soon more threat actors will likely take advantage of this vulnerability. Keep in mind that this exploit has been used for more than two months before it was discovered by researchers only a few days ago.
Given the catastrophic security record of Flash since its inception and its reputation for hogging resources, we need to ask ourselves (again): Why would any business still use or allow Flash on its computers?
Flashy content. Shady code.
Flash has been used mainly in online advertising, on entertainment and news media sites, for online games, and in animation-type applications. Flash-based visualization was common in research, for example, and still can be found on quite a few Alexa top 500 global sites.
If a website contains Flash content, it can only be viewed with Adobe Flash Player installed. According to a September 2016 report by Neurogadget, Flash plugins are still required for users to view content on numerous banking, news media, entertainment, and technology sites.
If visitors don’t have Flash installed, they are usually prompted to download the Flash player to be able to access the content they are interested in - a video, for example, or a presentation.
If they comply, they not only gain access to the Flash content. Because Flash requires direct access to the computer’s system resources, users also open the door to their local IT for attackers.
This should put fear into the heart of any user who ever has clicked a “Download Flash” link or button, be it just to play Motherload or Tetris on the office computer, or to be able to use a Flash-based physics learning app in college.
Any flash of optimism would be premature...
Is there a bright side? While Adobe has announced to phase out Flash completely by 2020, the application’s well-deserved demise is far from guaranteed. One problem is that “phased out” doesn’t mean websites and their visitors won’t use it anymore.
It’ll just be more dangerous to do so. New Flash-related Zero-Day exploits in the future are likely - only patches will be a thing of the past. Phasing out Flash will not solve its fundamental security flaw, the tight integration with local system resources, as long as people are still using it.
Just think of how many organizations are still using “undead” operating systems like Windows 2000 or Windows XP. Their number is topped only by the amount of outdated, unpatched “legacy” browsers still in use. And how many of them still have Flash installed?
...and updating the problem is not a solution.
Either get rid of it for good, or continue updating the problem.
Until Flash is confirmed dead and buried, it will continue to provide a barn door of opportunity for threat actors. Personally, I cannot think of many good reasons why IT would allow users to enable Flash on their local browser.
Where this is still deemed necessary, at a minimum, the organization should update Flash as per Adobe’s advisories ASAP, and keep updating it. And updating it. And… - is it really worth the trouble?
Use a secure remote browser instead.
If you are not ready yet to part with Flash entirely, I recommend this - secure - alternative: Use a remote, disposable browser that securely processes all content - including Flash media - in an isolated cloud container, outside your network.
Delivered as an off-site service, a remote browser gives users control over the content they access on the web, without exposing their local IT to the associated risks.
That way, the user - or IT admin - can decide how executable Flash multimedia plugins and files, as well as other (high-risk) formats, should be handled.
With a browser that processes all content remotely instead on the local machine, the endpoint remains shielded from all-related vulnerabilities, including Flash.
Amir Khashayar Mohammadi is a Computer Science and Engineering major who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors.