Exploit Kits Leverage Critical Flash and Browser Vulnerabilities
New research underlines the risk posed by Adobe Flash Player and outdated web browsers, just as Adobe ships another Flash release to fix critical security vulnerabilities.
Exploit Kits and Critical Flash Vulnerabilities
Security startup Recorded Future released a report finding that 8 of the top 10 vulnerabilities used by exploit kits this year, including the popular Angler and Nuclear kits, were Flash flaws.
The company also found that Microsoft Internet Explorer 10 and 11 were major targets, along with Silverlight, Microsoft's free browser plugin for rich web and mobile applications.
The top vulnerability was CVE-2015-0313, a use-after-free in Flash Player that Adobe rates as critical. It was exploited in the wild in February this year, and it allows a remote attacker to execute arbitrary code via "unspecified vectors," according to the National Vulnerability Database (NVD).
Threatpost recently reported on Adobe's "monthly ritual" of pushing out a new Flash version, this time with patches for 17 critical vulnerabilities, bringing the total to over 80 since July. The latest release patches flaws that could lead to remote code execution.
Consider what that means: a single device on your network running an older Flash version can be exploited by a drive-by page to run attacker code on that device, and from there to reach your applications and systems and steal confidential company data.
Disable, Click to Play and Device Analysis
To cut down on risk exposure, some security experts recommend disabling Flash outright, and others opt for the "Click to Play" alternative, which requires the user to click on a Flash object before the browser runs it. Because a drive-by exploit depends on the malicious Flash content loading automatically, this cuts down on silent infections, though a user who clicks through is still exposed.
Users running out-of-date Flash are the most vulnerable to known exploits. Corporate devices managed by IT can be updated promptly. Personal phones, laptops, smartwatches and other devices outside corporate IT's control often are not, and they introduce risk to your organization.
Those personal devices still reach your company's apps and services, like email or an HR application. If they aren't running the latest version of Flash, they can be exploited, and may deliver malware or leave an open door to your company's data.
Duo provides a way to see which devices are running Flash, and which versions are outdated and susceptible to known vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database. With these devices flagged, admins can drill down to the specific users running old versions of Flash and alert them to update.
You can also view which devices have Flash enabled, disabled or uninstalled, to check alignment with your company's policy on use of the software. Learn more about Device Analysis, a feature available in Duo Access.
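As an added example (not Duo's own Device Analysis code), here is the kind of check such a feature has to make: parse the Flash version string a browser exposes, match it against known-vulnerable version ranges, compare it against a minimum patched version, and roll the results up per user. The version string formats, the `VULN_RANGES` table (transcribed from the NVD description of CVE-2015-0313; verify against NVD before relying on it, and note that platform-specific ranges such as the separate Linux branch are omitted), the `MIN_PATCHED` policy value and the device records are all assumptions constructed for this example.

```javascript
// Added example, not Duo's code. Classifies a device's Flash Player install
// against known-vulnerable ranges and a minimum patched version.
//
// Assumed input formats (constructed for the example):
//   ActiveX GetVariable("$version") style:  "WIN 16,0,0,296"
//   dotted-quad style:                       "16.0.0.296"
//   NPAPI navigator.plugins description:     "Shockwave Flash 11.2 r202"
//   (the NPAPI form exposes only major.minor and the third component, so the
//    build number is unknown and treated as 0, which errs toward flagging)

// Parse a Flash version string into [major, minor, revision, build], or null.
function parseFlashVersion(s) {
  const m = String(s).match(/(\d+)[.,](\d+)[.,](\d+)[.,](\d+)/);
  if (m) return m.slice(1, 5).map(Number);
  const n = String(s).match(/(\d+)\.(\d+)\s+r(\d+)/);
  if (n) return [Number(n[1]), Number(n[2]), Number(n[3]), 0];
  return null;
}

// Lexicographic comparison of two four-part versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Constructed table of CVEs and the version ranges they affect, each range
// written as [lowInclusive, highExclusive]. Populate from NVD in practice.
const VULN_RANGES = [
  { cve: 'CVE-2015-0313',                 // "before 13.0.0.269 and 14.x
    ranges: [[[0, 0, 0, 0], [13, 0, 0, 269]],   //  through 16.x before
             [[14, 0, 0, 0], [16, 0, 0, 305]]] }, // 16.0.0.305" per NVD
];

// Return the CVEs whose affected ranges contain this version.
function affectedCves(version, table = VULN_RANGES) {
  const hits = [];
  for (const entry of table) {
    for (const [lo, hi] of entry.ranges) {
      if (compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0) {
        hits.push(entry.cve);
        break;
      }
    }
  }
  return hits;
}

// Classify one device record: { user, flashState, flashVersion }, where
// flashState is 'enabled', 'disabled' or 'uninstalled' (assumed schema).
function assessDevice(device, minPatched) {
  if (device.flashState === 'uninstalled') return { status: 'ok', reason: 'Flash not installed' };
  if (device.flashState === 'disabled') return { status: 'ok', reason: 'Flash disabled' };
  const v = parseFlashVersion(device.flashVersion);
  if (!v) return { status: 'unknown', reason: 'could not parse version' };
  const cves = affectedCves(v);
  if (cves.length) return { status: 'vulnerable', reason: 'affected by ' + cves.join(', '), cves };
  if (compareVersions(v, parseFlashVersion(minPatched)) < 0) {
    return { status: 'outdated', reason: 'below minimum patched version ' + minPatched };
  }
  return { status: 'ok', reason: 'current' };
}

// Roll a fleet up into lists of users per status, the view an admin drills into.
function summarizeFleet(devices, minPatched) {
  const out = { vulnerable: [], outdated: [], unknown: [], ok: [] };
  for (const d of devices) out[assessDevice(d, minPatched).status].push(d.user);
  return out;
}

// Constructed sample inventory and a placeholder policy value.
const MIN_PATCHED = '18.0.0.0';
const DEVICES = [
  { user: 'alice', flashState: 'enabled', flashVersion: 'WIN 16,0,0,296' },
  { user: 'bob',   flashState: 'enabled', flashVersion: '17.0.0.134' },
  { user: 'carol', flashState: 'disabled' },
  { user: 'dave',  flashState: 'uninstalled' },
  { user: 'erin',  flashState: 'enabled', flashVersion: 'Shockwave Flash 18.0 r0' },
];

console.log(JSON.stringify(summarizeFleet(DEVICES, MIN_PATCHED), null, 2));
```

The ordering matters: a version inside a known-exploited range is reported as vulnerable even if it would also be "outdated", because that is the record an admin needs to chase first. An NPAPI description with no build number is compared with build 0, so a patched build may be reported as outdated; that false positive is preferable to silently passing an exploitable one.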