No Patch Yet: Flash Vulnerability Exploited in the Wild
There are many, many Adobe Flash Player vulnerabilities (at least 1,045 reported ones listed in CVE Details), but one recent bug has been reportedly actively exploited by attackers - and there's no fix yet.
Adobe will release an update in a few days ("planned for the week of February 5"), but the best advice now is to disable or uninstall Flash. Another mitigation for administrators is to enable click-to-play for Flash in users' browsers, so that SWF content on a web page or in an ad is not rendered until the user explicitly clicks it. Last year, Google disabled Flash by default in the Chrome browser. Mozilla also blocked it in Firefox in 2015, while Microsoft has enabled click-to-play for Flash in the Edge browser.
Users on old or out-of-date browsers (Internet Explorer in particular) with out-of-date plugins like Flash are especially exposed, since nothing stands between them and bugs they haven't yet patched. Adobe's security advisory warns that the critical vulnerability (CVE-2018-4878) affects Flash Player 28.0.0.137 and earlier; successful exploitation could let an attacker take control of the affected system.
CVE-2018-4878 Exploited in the Wild
As reported by Threatpost, the South Korean Computer Emergency Response Team (KrCERT) issued a warning on Wednesday (January 31) about attacks targeting South Koreans. The exploit is delivered as a malicious Flash SWF file embedded in a Microsoft Word document: if a user opens a malicious document, web page, or spam email containing the Flash file, an attacker could compromise their system. The bug itself is in Flash Player, not in Word; the document is only the carrier, which is why the same SWF can just as well be served from a web page or a malvertisement.
In October 2017, Adobe released an out-of-band patch (that is, outside its usual Patch Tuesday schedule) for another critical vulnerability, CVE-2017-11292, that was being exploited in the wild in targeted attacks against Windows users and allowed remote code execution.
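The delivery vector described above, a SWF embedded in an Office document, is something a responder can triage without opening the file. The following Python script is an added example and not code from the original post, Adobe or KrCERT; it looks for two signals, a SWF file header (FWS/CWS/ZWS magic, version byte, uint32 length) at the start of any member of an OOXML container or anywhere in a raw file, and the Shockwave Flash ActiveX class ID that Office writes into the document's ActiveX part. The sample documents are constructed in memory so it runs offline, and the "SWF" inside them is a bare header rather than a real movie.

```python
"""Triage helper: flag Office documents that carry embedded Flash content.
Added example, not code from the original post or from Adobe/KrCERT.
Heuristic signals:
  * a SWF header (FWS/CWS/ZWS magic, version byte, uint32 LE length) at the
    start of an OOXML member (.docx/.xlsx/.pptx are ZIPs) or anywhere inside a
    non-ZIP file such as a legacy OLE2 .doc;
  * the Shockwave Flash ActiveX class ID, present in the ActiveX part (as text)
    or in OLE streams (as a little-endian binary GUID) when Flash is inserted.
The sample documents at the bottom are constructed; the "SWF" is a bare header.
"""
from __future__ import annotations

import io
import re
import struct
import zipfile

FLASH_CLSID_TEXT = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# Same GUID in the little-endian binary layout used inside OLE2 streams.
FLASH_CLSID_BIN = bytes.fromhex("6EDB27D26DAECF1196B8444553540000")
# SWF header: magic(3) + version(1) + file length (uint32 little-endian).
_SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x40])(.{4})", re.DOTALL)


def swf_offsets(data: bytes) -> list[int]:
    """Offsets of plausible SWF headers in `data`. The magic alone is too weak
    (the bytes 'FWS' occur in ordinary text), so each candidate must also pass
    a format check that random text almost never does."""
    hits = []
    for m in _SWF_HEADER.finditer(data):
        magic, version = m.group(1), m.group(2)[0]
        declared_len = struct.unpack("<I", m.group(3))[0]
        remaining = len(data) - m.start()
        if declared_len < 8:
            continue
        if magic == b"FWS" and declared_len > remaining:
            continue                       # uncompressed length must fit in the blob
        if magic == b"CWS" and data[m.end():m.end() + 1] != b"\x78":
            continue                       # body must start with a zlib CMF byte
        if magic == b"ZWS" and version < 13:
            continue                       # LZMA SWFs only exist from version 13
        hits.append(m.start())
    return hits


def find_flash(data: bytes) -> list[str]:
    """Scan one blob and describe what was found (empty list = nothing)."""
    findings = [f"SWF header at offset {off}" for off in swf_offsets(data)]
    if FLASH_CLSID_TEXT in data.upper() or FLASH_CLSID_BIN in data:
        findings.append("Shockwave Flash CLSID present")
    return findings


def scan_document(blob: bytes) -> dict[str, list[str]]:
    """Scan an Office document. OOXML members are deflated inside the ZIP, so
    each is decompressed and scanned on its own; anything else is scanned raw."""
    results: dict[str, list[str]] = {}
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits = find_flash(zf.read(name))
                if hits:
                    results[name] = hits
    else:
        hits = find_flash(blob)
        if hits:
            results["<raw file>"] = hits
    return results


def _build_docx(members: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style ZIP from a name -> bytes map (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


_SKELETON = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:body><w:p/></w:body></w:document>",
}
# Constructed: an uncompressed SWF header declaring a 64-byte file, zero-padded.
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56

CLEAN_DOCX = _build_docx(_SKELETON)
FLASH_DOCX = _build_docx({
    **_SKELETON,
    "word/activeX/activeX1.xml":
        b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
    "word/embeddings/oleObject1.bin": FAKE_SWF,
})

if __name__ == "__main__":
    for label, doc in (("clean.docx", CLEAN_DOCX), ("invoice.docx", FLASH_DOCX)):
        hits = scan_document(doc)
        print(f"{label}: {'FLASH CONTENT FOUND' if hits else 'no Flash'} {hits}")
```

Two caveats for real use: a Flash ActiveX control often points at a movie hosted on the web rather than embedding one, so the CLSID check matters as much as the SWF-header check, and a determined attacker can wrap the SWF in further encoding that this scanner does not unpack, so treat a clean result as "no Flash found", not "safe".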
Prevalence of Out-of-Date Flash Plugins
In Duo's 2017 Trusted Access Report: The Current State of Endpoint Security, the percentage of enterprise endpoints running an out-of-date version of Flash increased from 42% in 2016 to 53% in 2017. Out-of-date Flash was most common on Internet Explorer (58% of IE endpoints) and least common on Chrome, where 65% of endpoints were current; Chrome bundles its own Flash build and updates it with the browser, whereas the IE ActiveX plugin must be patched separately.
The report looks at all endpoints used to log into and access enterprise applications and resources, including both corporate-owned and personal devices.
Personal devices are a greater concern as remote and mobile workers continue to blur the line between work and personal computing, using personal smartphones, laptops, tablets and PCs to reach work resources (typically web-based applications whose data lives in the cloud).
Protecting Against A Compromise via Flash
Some point to ad blocking in browsers in order to curb the threat of exploitation via Flash malvertisements, as seen on Decent Security - Adblocking for Internet Explorer Without an Extension: Enterprise Deployment.
Blocking advertising has multiple security and performance benefits to clients. Ads are especially dangerous to corporate computers, which often run outdated plugins that can be exploited by malvertising.
Are you worried about the new Flash 0day getting put in malicious ads to infect your users? Here's how we block ads nationwide in IE, Chrome, and Firefox. Proven for years. We don't worry about Flash infections at my company. https://t.co/Wx7zG7qt73 — SwiftOnSecurity (@SwiftOnSecurity), February 2, 2018
Adobe has also recommended:
Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide.
And ultimately, Adobe will be sunsetting Flash in 2020:
...in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.
However, remote users and those using personal devices to access work applications may not be subject to the group policies administrators put in place. An endpoint and authentication solution that can tell corporate devices from personal ones lets you write more granular access policies, so that only trusted (that is, demonstrably up-to-date and secure) devices can reach corporate apps.
For example, you might set a device access policy that blocks all personal devices running an out-of-date version of Flash, warning users to update their plugins in order to gain access.
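The policy just described, in working form, as an added example that is not Duo's product code. It evaluates constructed endpoint inventory records against an illustrative policy (an assumption, not a published one): a device whose reported Flash build is at or below the highest version Adobe's advisory lists as affected is out of date; a managed device in that state is allowed with a warning because the patch will arrive by group policy; an unmanaged personal device in that state is blocked until the user updates; a device with no Flash at all is allowed; and a posture record that cannot be parsed is treated as unpatched. The newer build "28.0.0.200" in the sample data is made up to stand for any post-fix release.

```python
"""Device-trust access policy keyed on the reported Flash version.
Added example, not Duo's product code. The policy below is an assumption made
for illustration; the inventory records are constructed sample data.
Versions are compared numerically, never as strings, because "9.0.0.1" sorts
after "28.0.0.137" lexically and would wrongly look patched.
"""
from __future__ import annotations

from dataclasses import dataclass

# Highest build named as affected in Adobe's advisory for CVE-2018-4878.
LAST_VULNERABLE = "28.0.0.137"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'a.b.c.d' (or the comma form 'a,b,c,d' some plugins report) into a
    4-tuple of ints, zero-padded. Raises ValueError on anything else."""
    parts = [int(p) for p in text.strip().replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Flash version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # True = corporate-owned / under group policy
    browser: str
    flash_version: str | None   # None = no Flash plugin reported


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow", "warn" or "block"
    reason: str


def is_vulnerable(version: str | None, last_vulnerable: str = LAST_VULNERABLE) -> bool | None:
    """True if the build is at or below last_vulnerable, False if newer,
    None if Flash is absent (nothing to exploit). Raises on malformed input."""
    if version is None:
        return None
    return parse_version(version) <= parse_version(last_vulnerable)


def evaluate(device: Device) -> Decision:
    """Apply the illustrative policy to one inventory record."""
    try:
        vulnerable = is_vulnerable(device.flash_version)
    except ValueError:
        vulnerable = True       # unreadable posture data: fail closed, treat as unpatched
    if vulnerable is None:
        return Decision("allow", "Flash not installed")
    if not vulnerable:
        return Decision("allow", f"Flash {device.flash_version} is newer than the affected range")
    if device.managed:
        return Decision("warn", "out-of-date Flash on a managed device; patch is pushed by policy")
    return Decision("block", "out-of-date Flash on a personal device; update Flash to regain access")


# Constructed inventory (hypothetical device IDs and browsers).
INVENTORY = [
    Device("corp-laptop-01", managed=True, browser="Internet Explorer 11", flash_version="28.0.0.137"),
    Device("corp-laptop-02", managed=True, browser="Chrome 64", flash_version="28.0.0.200"),
    Device("byod-phone-07", managed=False, browser="Safari", flash_version=None),
    Device("byod-pc-12", managed=False, browser="Internet Explorer 11", flash_version="27.0.0.183"),
    Device("byod-pc-13", managed=False, browser="Firefox 58", flash_version="28,0,0,137"),
    Device("byod-pc-14", managed=False, browser="Chrome 63", flash_version="unknown"),
]


def summarize(devices: list[Device]) -> dict[str, str]:
    """Map each device ID to the action the policy takes for it."""
    return {d.device_id: evaluate(d).action for d in devices}


if __name__ == "__main__":
    for d in INVENTORY:
        decision = evaluate(d)
        kind = "managed" if d.managed else "personal"
        print(f"{d.device_id:15} {kind:8} {d.browser:22} {str(d.flash_version):12} "
              f"-> {decision.action:5} ({decision.reason})")
```

The warn-versus-block split is the point of distinguishing corporate from personal devices: on a managed endpoint you already have a remediation channel, so denying access adds friction without adding safety, while on a personal endpoint the access prompt is the only lever you have to get the plugin updated.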
This new approach to enterprise security can help provide more contextual security against threats that lie beyond the perimeter of traditional defenses, and ensure the trust of both the user and their device.