Detecting Out of Date and Vulnerable Flash Versions on Your Network
There’s been a rise in the success of phishing and zero-days, as the Ponemon Institute’s report, the 2015 State of the Endpoint Report: User-Centric Risk found. While phishing relies on weak authentication, zero-days and other exploits often rely on out of date browsers, software and plugins to be successful.
One of those plugins, Adobe Flash Player, is used prolifically to display video/audio content across the web. But recently, rashes of vulnerabilities and zero-days have prompted the information security community to encourage moving away from the technology, or finding a better way to detect outdated versions in order to protect against vulnerabilities.
Sooo Many Vulnerabilities
In late September, Adobe updated its Flash Player once again to address 23 critical vulnerabilities in the software, according to Threatpost. The latest version is 220.127.116.11, and it protects against exploits that could lead to data disclosure or code execution. The vulnerabilities were found by Google Project Zero researchers and Chinese hacking crew Keen Team, Alibaba Security Research Team and others.
The Hacking Team fallout also uncovered many new Flash vulnerabilities this past summer. As an international spyware company providing surveillance technology to government agencies, the company’s emails and data were dumped online by hackers. An analysis of the dump found that two Flash Player exploits that were unlisted in the CVE database were sold to clients, allowing them to use them against targets, which included journalists.
Those critical Flash vulnerabilities affecting version 18.104.22.1684 allowed an attacker to crash and take control of an affected system, and have since been patched by Adobe. And if you search the CVE database hosted by the National Vulnerability Database, you’ll find that there are 743 records that match the keyword “Flash.”
Moving Away From Flash
Most recently, the BBC announced they would be switching from Flash to HTML5 for for their BBC iPlayer for better playback quality. And after the Hacking Team news, well-known security news blogger Brian Krebs wrote about his “month without Adobe Flash Player,” stating that browser plugins are targets of malware and criminals, as they’re generally full of unmatched or undocumented security holes that malicious hackers can use to get control over vulnerable systems.
In early September, Google’s Chrome browser stopped supporting NPAPI plugins, including Silverlight, Java and Unity. Chrome also started blocking Adobe Flash plugins that were out of date, showing error messages to users and prompting them to update.
Although Chrome automatically updates its Flash component to the latest version, if, for any reason, administrators manually disabled updates, users will see that flash content was blocked by default.
While updating immediately to avoid susceptibility to known vulnerabilities seems simple enough, Adobe Flash isn’t often updated right away, especially within organizations that lack a patch management process, as CSOOnline.com reported.
Out of Date Plugins and Browsers
In Duo’s own data analytics, we found that on average, 46 percent of corporate PCs are running out of date versions of browsers, Flash and Java. Users browsing on Safari and Internet Explorer were running out of date browser versions, at 61 and 57 percent, respectively.
Check out the full infographic to learn more about The Current State of Endpoint Security, including the risks involved with using endpoint devices such as personal PCs, tablets and smartphones.
Our data found that 30 percent of users are running an out of date version of Flash, while 50 percent of users are running an out of date version of Java.
With the number of vulnerabilities x users x devices x out of date plugins and browsers, the odds don’t look too great when it comes to preventing a security or data breach of corporate networks. Luckily, we just released a few new security features as part of our Duo Access that help you both protect user accounts with two-factor authentication and end user devices.
Our endpoint security features give you visibility and insight into your company’s overall devices, letting you also get in-depth by drilling down to see specific device data, such as:
- How many users have Java and Flash enabled on their devices used to access your corporate network
- How many are out of date
- How many are vulnerable, by comparing plugin versions to the CVE database
- Which users are using which devices
We do the analysis so you don’t have to by flagging any out of date and vulnerable devices. Plus, our new user Self-Remediation feature will soon notify your users when they log in with Duo if they’re using any out of date plugins or browsers. Learn more about Duo’s endpoint security solution.