Saturday, July 11, 2015

Taking Flash Player out to the Bins


“Trash cans” CC attribution: by andresmbernal on flickr.

Post updated 07/13/2015 to incorporate yet another Flash Player 0-day. That’s three now if you are keeping count.

So in light of recent events, I’ve decided I’m taking Adobe Flash Player to the trash-bin on my secondary system as part of an experiment.

In case you have been living under a rock, the recent hack of “Hacking Team” has led to the public release of not one, but two (for now) 0-day exploits for Flash. Although, there were bad-enough Flash 0-day exploits around just prior to the new mess left on our lawns.

And as soon as each 0-day exploit of Flash became known, it was a done-deal that the exploit would become fairly common-place in the malware attack landscape.

CVE-2015-3113 (pre-Hacking Team)

CVE-2015-5119 (Hacking Team 0-day)

CVE-2015-5122 (Hacking Team 0-day)

CVE-2015-5123 (Hacking Team 0-day)

(not related to Flash Player but since we are on a roll…

So what is one to do?

For most people/businesses/enterprises…probably many folks won’t do anything and will keep on web-surfing with exploitable Flash Player versions hanging over their head like a sword strung up by a thread. (I’m speaking to you, Enterprise team that has us running a quite-outdated version of Flash Player as our standard as part of “application compatibility”.)

Everyone using Flash Player should hop immediately over to Adobe’s Adobe Flash Player Distros page and download/install the appropriate version. Not sure if you need it? Then first stop by Qualys BrowserCheck in every one of your installed web-browsers. It will tell you if you have the latest version of Flash Player (and other critical browser plug-ins) installed. If not, it will help you get them updated.

However, as the 2nd Flash 0-day shows, having the latest Flash Player installed is no guarantee you won’t get hammered anyway.

To add deeper layers of protection consider installing Malwarebytes Anti-Exploit (free/$) or HitmanPro.Alert (trial/$) for Windows 0-day exploit protection. Couple that with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) for good measure. Please.

But to get even more hardened on your security, seriously consider dumping Flash Player from your system entirely. Yes, that is an “extreme” position, but considering the threat landscape, if you don’t need it for a business-critical reason then it’s time to shed it.

I’ve pulled that trigger on my secondary system. After about a week of trialing, I’m likely to do the same on my primary system and Lavie’s system as well.

Wonder what life may be like without Flash Player? Brian Krebs has already gone down that path and can tell you all about it.

As a Windows user I used the “Programs and Features” area to manually uninstall both the Active-X (IE) and Plugin-based browser installations of Flash Player. For good measure I then downloaded and ran the official Adobe Flash Uninstaller to make sure no bits were left behind.

I also manually checked for the presence of Flash Player embedded in Chrome/Chromium and was prepared to disable/remove it manually if needed. In my case it wasn’t.
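The manual checks above can be repeated as a read-only audit. The following PowerShell is an added example, not part of the original post: the function names `Find-FlashBinary` and `Find-FlashUninstallEntry` are hypothetical, and the folders listed are the default Flash Player and Chrome install locations, which is an assumption about your system.

```powershell
# Added example: read-only audit for Flash Player remnants after an uninstall.
# Nothing is deleted. $Roots holds default install locations (assumption);
# add other browser folders if yours are installed elsewhere.
$Roots = @(
    "$env:WINDIR\System32\Macromed\Flash",                    # ActiveX / NPAPI, native
    "$env:WINDIR\SysWOW64\Macromed\Flash",                    # ActiveX / NPAPI, 32-bit on 64-bit
    "$env:LOCALAPPDATA\Google\Chrome\User Data\PepperFlash",  # Chrome component copy
    "$env:ProgramFiles\Google\Chrome\Application",            # Chrome bundled copy
    "${env:ProgramFiles(x86)}\Google\Chrome\Application"
)
# File names used by the ActiveX control, the NPAPI plugin and the Pepper plugin.
$Patterns = 'Flash*.ocx', 'NPSWF*.dll', 'pepflashplayer*.dll'

function Find-FlashBinary {
    param([string[]]$Root, [string[]]$Pattern)
    foreach ($r in $Root) {
        # Skip folders that do not exist on this machine.
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $n = $_.Name; @($Pattern | Where-Object { $n -like $_ }).Count -gt 0 } |
            Select-Object FullName, @{ Name = 'Version'; Expression = { $_.VersionInfo.FileVersion } }
    }
}

function Find-FlashUninstallEntry {
    # The same data "Programs and Features" shows, for 64-bit and 32-bit installers.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Flash Player*' } |
        Select-Object DisplayName, DisplayVersion
}

$files   = @(Find-FlashBinary -Root $Roots -Pattern $Patterns)
$entries = @(Find-FlashUninstallEntry)

if ($files.Count -eq 0 -and $entries.Count -eq 0) {
    'No Flash Player binaries or uninstall entries found.'
} else {
    'Flash Player remnants found:'
    $files   | Format-Table -AutoSize
    $entries | Format-Table -AutoSize
}
```

Any file it lists also shows its version, which makes it easy to spot an outdated copy that an uninstall or update missed.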

Yes there are additional guides on how to simply disable Adobe Flash (or set Flash media to “click-to-run”) in your browser and/or control Flash activity via add-ons.

However the risk seems too great so for me the answer is to just strip it out entirely.

Next step: to see if I need to remove any remaining Flash elements that are embedded in other Adobe products on my system in case they could be used to pivot as part of an exploit chain.

Seriously…if you don’t critically need Flash Player…remove it.

Constant Vigilance!

--Claus Valca

PS: I didn’t discuss it, but I have already removed Adobe Shockwave & Adobe AIR as well from all our systems. Don’t need them. Don’t use them. Do have the latest Java JRE still installed as I do need that for some JAVA apps but I keep it fully patched. Same with Silverlight. Just saying…


FF Extension Guru said...

Hmm...yeah don't think I could quit Flash cold turkey like that. Dang browser games and the evil Facebook use Flash. At least YouTube moved over to HTML5, that is at least a sign of progress.

FF Extension Guru said...

I forgot to add...Adobe Air I used for the Pandora music player (which I no longer subscribe to) as well as the external management console for an eCommerce Wordpress plugin.

Claus said...

@ FF Guru - Yes it is a horrible tension. Do I... (from the perspective of a non-tech user)

1) Strip out all the third-party browser add-ons and just browse on with diminished "features" and "rich-web experiences" but heightened security?
2) Add a reminder to have my tech-relative stop by every week to check/patch my system?
3) Have my tech-relative disable all the auto-play of those plugins because I can't do it myself?
4) Hope for the best and call for help when my system gets p0wned each week?
5) Have additional layers of security added by my techie friend? (EMET, MB-Anti-Exploit, HitManPro-Alert!, etc.) and then put them on speed-dial when they (silently) block software installs, updates, etc...?
6) Give up, toss the computer into the closet and order a newspaper subscription be tossed on my driveway each morning?


I've got my own systems stripped down and layered up with security pretty tightly. However, on dearest Lavie's system I can only take that so far as she does use Facebook in addition to other "rich media" when developing and maintaining the church-house web-page as part of her job duties. All I can do is keep them constantly updated and layered up with security.

Hopefully progress will be made in terms of additional (embedded) browser security overall.


--Claus V.