Back in the days of dial-up when the world wide web was full of promise, and internet sites were pretty text heavy, Adobe Flash Player burst into life to change how we viewed online content. Rather than static sites, it allowed web designers to finally unleash their creativity to run short animation clips and even introduce a limited amount of user interactivity on websites.

Over the years, each new version offered additional functionality with new and imaginative ways to utilize the player, from games to movies, and even entire flashy websites that provided visitors with a fun, interactive experience.

It didn’t take long for the pop-up message claiming that Adobe Flash Player was required to view content on a website to become familiar. Millions have happily clicked the install button and run the software over the years. In fact, in 2010, it was claimed that 99% of web users had Flash installed.

While individuals saw it as a necessary program, threat actors saw it as an opportunity, and security teams began to recognize it as their Achilles heel.

In a few short years, vulnerabilities started to surface in the player’s code, with numerous critical flaws identified and patched with increasing frequency. The most recent vulnerability was disclosed in June 2020.

Multiple vulnerabilities have been discovered in Adobe Flash Player, the most severe of which could allow for arbitrary code execution. The details of these vulnerabilities are as follows:

• An Out-of-bounds read vulnerability that could allow for Information Disclosure. (CVE-2019-7108)
• A Use after Free vulnerability that could allow for Arbitrary Code Execution. (CVE-2019-7096)

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Cyber-criminals still haven’t finished with Flash

Adobe announced three years ago that Flash Player would reach End of Life (EOL) on 31 December 2020, allowing time for developers to move to HTML5, JavaScript-based technologies and other alternatives.

While the player may not be as pervasive now as in 2010, criminals still see opportunity in Flash Player. Earlier this year, the US Federal Bureau of Investigation (FBI) and Cyber security and Infrastructure Security Agency (CISA) issued a joint alert, detailing the top 10 routinely exploited vulnerabilities.

A vulnerability, previously disclosed in 2018, continues to be targeted by threat actors to deploy DogCall malware in an effort to steal information, but it’s not just vulnerabilities that pose a risk as Adobe’s plan to retire the software has also been grasped as an opportunity by threat actors to have one final fling with the plug-in. In June, a warning was issued of malware that disguises itself as a Flash Player being spread by malicious Google searches, affirming that criminals are still looking to monetize Flash-themed scams.

Let’s end Flash, once and for all

Flash must be viewed and treated as a high security risk application. If not due to the bounty of bugs within its code, then the withdrawal of support in a few short months has to be a motivation to fully eradicate the software. Where Flash is left installed on an endpoint, it’s also imperative that compensating controls are added to limit the risk the software poses.

Flash has been the favored attack vector for exploit kit authors for many years, but surely it’s time this ends and organizations work to seal off this criminals’ cash cow once and for all. This isn’t an advisory to organizations to find and patch the vulnerable software; instead it’s a loud hailer instruction to remove it.

 

Recommendations

The best practices recommended are as follows:

• Organizations need to fully assess their entire infrastructure to identify all instances of the program and remove it.
• With many still accommodating remote employees accessing corporate systems from home, away from the advanced security of the corporate network, IT staff needs an effective method to assess this extended perimeter, with the ability to remove the program where feasible, particularly given updates for Flash end soon. If left, the threat could come walking through the door as these remote employees return to the office.
• The final element is to identify and block attempts by corporate users trying to install Flash – whether the legitimate program or a malicious imposter.
• If there is a business case for a user to download Flash, and it needs to be pretty compelling given the risk, then this should be done with the knowledge of the IT team who can scan the files to ensure it’s the “real deal” and not a malicious variation.