Back in the days of dial-up when the world wide web was full of promise, and internet sites were pretty text heavy, Adobe Flash Player burst into life to change how we viewed online content. Rather than static sites, it allowed web designers to finally unleash their creativity — to run short animation clips and even introduce a limited amount of user interactivity on websites.
Over the years, each new version offered additional functionality with new and imaginative ways to utilize the player, from games to movies, and even entire flashy [if you’ll pardon the pun] websites, that provided visitors with a fun, interactive experience.
It didn’t take long for the pop-up message claiming that Adobe Flash Player was required to view content on a website to become familiar. Millions have happily clicked the install button and run the software over the years. In fact, in 2010, it was claimed that 99% of web users had Flash installed.
While individuals saw it as a necessary program, threat actors saw it as an opportunity, and security teams began to recognize it as their Achilles heel.
In a few short years, vulnerabilities started to surface in the player’s code, with numerous critical flaws identified and patched with increasing frequency. A search of the National Vulnerability Database returns 1,122 records for Flash Player, with the first published in 2002. The most recent vulnerability was disclosed in June 2020, receiving the highest possible rating of 10.0 given that successful exploitation could lead to arbitrary code execution.
Cyber-criminals still haven't finished with Flash
Adobe announced three years ago that Flash Player would reach End of Life (EOL) on 31 December 2020, allowing time for developers to move to HTML5, JavaScript-based technologies and other alternatives.
While the player may not be as pervasive now as in 2010, criminals still see opportunity in Flash Player. Earlier this year, the US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert, detailing the top 10 routinely exploited vulnerabilities. As you’d expect, a number of Microsoft’s operating systems feature heavily in the list, but there’s still room for Adobe Flash Player.
A vulnerability previously disclosed in 2018 continues to be targeted by threat actors to deploy DogCall malware in an effort to steal information. But it’s not just vulnerabilities that pose a risk: Adobe’s plan to retire the software has also been grasped as an opportunity by threat actors to have one final fling with the plug-in. In June, a warning was issued of malware that disguises itself as a Flash Player being spread by malicious Google searches, affirming that criminals are still looking to monetize Flash-themed scams.
Let’s end Flash, once and for all
Flash must be viewed and treated as a high security risk application. If not due to the bounty of bugs within its code, then the withdrawal of support in a few short months has to be a motivation to fully eradicate the software.
Organizations need to fully assess their entire infrastructure to identify all instances of the program and remove it. With many still accommodating remote employees accessing corporate systems from home, away from the advanced security of the corporate network, IT staff need an effective method to assess this extended perimeter, with the ability to remove the program where feasible, particularly given updates for Flash end soon. If left, the threat could come walking through the door as these remote employees return to the office.
The final element is to identify and block attempts by corporate users trying to install Flash - whether the legitimate program or a malicious imposter. If there is a business case for a user to download Flash, and it needs to be pretty compelling given the risk, then this should be done with the knowledge of the IT team who can scan the files to ensure it’s the “real deal” and not a malicious variation.
Where Flash is left installed on an endpoint, it’s also imperative that compensating controls are added to limit the risk the software poses.
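The two practical steps above, inventorying every endpoint for Flash Player artifacts and checking that any installer a user wants to run is the genuine one rather than an imposter, can be scripted. The following is an added example written for this article, not the author’s own tooling: it looks in the directories Adobe’s installers historically used (System32/SysWOW64\Macromed\Flash on Windows, the Internet Plug-Ins folder on macOS, the Mozilla plug-in directories on Linux), parses the version embedded in the plug-in file names, and verifies a downloaded installer against an IT-maintained SHA-256 allowlist. The directory list and file-name patterns are assumptions about where Flash lives on a given fleet and should be extended for your environment; the allowlist digest is a placeholder.

```python
"""Flash Player endpoint inventory and installer allowlist check.

Added example; not code from the original article. The install locations and
file-name patterns below are assumptions drawn from how Adobe's installers
laid out the NPAPI, PPAPI and ActiveX builds; extend them for your fleet.
"""
import hashlib
import os
import re
from pathlib import Path

# Directories the Flash installers historically populated (assumed; adjust).
KNOWN_FLASH_DIRS = [
    r"C:\Windows\System32\Macromed\Flash",
    r"C:\Windows\SysWOW64\Macromed\Flash",
    "/Library/Internet Plug-Ins",
    "/usr/lib/mozilla/plugins",
    "/usr/lib/adobe-flashplugin",
    os.path.expanduser("~/.mozilla/plugins"),
]

# NPAPI (NPSWF*), PPAPI (pepflashplayer*) and ActiveX (Flash*.ocx) builds carry
# the version in the file name, e.g. NPSWF32_32_0_0_453.dll. The Linux/macOS
# bundles use fixed names with no version in them.
FLASH_NAME_RE = re.compile(
    r"^(?:NPSWF(?:32|64)|pepflashplayer(?:32|64)?|Flash(?:32|64)?)"
    r"_(\d+)_(\d+)_(\d+)_(\d+)\.(?:dll|ocx)$"
    r"|^(?:libflashplayer\.so|Flash Player\.plugin|PepperFlashPlayer\.plugin)$",
    re.IGNORECASE,
)


def find_flash_artifacts(dirs=KNOWN_FLASH_DIRS):
    """Return [(path, version)] for Flash artifacts found in the given dirs.

    version is a tuple of ints when the file name carries one, else None.
    Directories that do not exist are skipped, so the scan is safe on any host.
    """
    found = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for entry in sorted(p.iterdir()):
            m = FLASH_NAME_RE.match(entry.name)
            if not m:
                continue
            version = tuple(int(x) for x in m.groups()) if m.group(1) else None
            found.append((str(entry), version))
    return found


# Placeholder allowlist (constructed): replace the key with the SHA-256 of an
# installer the IT team obtained directly from the vendor and verified itself.
APPROVED_INSTALLER_SHA256 = {
    "0" * 64: "placeholder: approved installer digest goes here",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def installer_is_approved(path, allowlist=APPROVED_INSTALLER_SHA256):
    """True only if the file's SHA-256 appears on the IT-maintained allowlist.

    Anything else, including a renamed or repackaged 'Flash Player' download,
    is rejected regardless of its file name or icon.
    """
    return sha256_file(path) in allowlist


if __name__ == "__main__":
    hits = find_flash_artifacts()
    if not hits:
        print("No Flash Player artifacts found in the known locations.")
    for path, version in hits:
        label = ".".join(map(str, version)) if version else "unknown version"
        print(f"FLASH PRESENT: {path} ({label})")
```

Run the script from an endpoint-management job and treat any line of output as a finding to remediate; the hash check is intended to be wired into the same approval workflow the article describes, where a requested installer is only released to the user once IT has confirmed its digest.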
Flash has been the favored attack vector for exploit kit authors for many years, but surely it’s time this ends and organizations work to seal off this criminals’ cash cow once and for all. This isn’t an advisory to organizations to find and patch the vulnerable software; instead it’s a loudhailer instruction to remove it.