“Trash cans” CC attribution: by andresmbernal on flickr.
Post updated 07/13/2015 to incorporate yet another Flash Player 0-day. That’s three now if you are keeping count.
So in light of recent events, I’ve decided I’m taking Adobe Flash Player to the trash-bin on my secondary system as part of an experiment.
In case you have been living under a rock, the recent hack of “Hacking Team” has led to the public release of not one, but two (for now) 0-day exploits for Flash. Although, there were bad-enough Flash 0-day exploits around just prior to the new mess left on our lawns.
And as soon as each 0-day exploit of Flash became known, it was a done-deal that the exploit would become fairly common-place in the malware attack landscape.
CVE-2015-3113 (pre-Hacking Team)
- Emergency Patch for Adobe Flash Zero-Day - Krebs on Security
- New Adobe Zero-Day Shares Same Root Cause as Older Flaws – TrendLabs Security Intelligence blog
- How the Wolf attacked and outsmarted defenses with CVE-2015-3113 – HitmanPro blog
CVE-2015-5119 (Hacking Team 0-day)
- Hacking Team Leak Exposes New Flash Player Zero Day - Malwarebytes Unpacked
- Hacking Team Leak Includes Multiple Exploits – TrendLabs Security Intelligence blog
- Adobe to Patch Hacking Team’s Flash Zero-Day - Krebs on Security
- PSA: Flash Zero-Day Now Active in The Wild - Malwarebytes Unpacked
- A Flash Exploit (CVE-2015-5119) From the Hacking Team Leak – SpiderLabs blog
- CVE-2015-5119 (HackingTeam 0d - Flash up to 220.127.116.11) and Exploit Kits - Malware don't need Coffee
- Vulnerability Note VU#561288 - Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability - CERT
- Hacking Team Flash Zero-Day Integrated Into Exploit Kits – TrendLabs Security Intelligence blog
- Hacking Team’s Flash 0-day: Potent enough to infect actual Chrome user - Ars Technica
- DirectRev Malvertising Uses Self Sufficient Flash 0Day - Malwarebytes Unpacked
CVE-2015-5122 (Hacking Team 0-day)
- CVE-2015-5122 - Second Adobe Flash Zero-Day in HackingTeam Leak – FireEye Threat Research blog
- CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.104.22.168) and Exploit Kits - Malware don't need Coffee
- CVE-2015-5122 Zero-Day Arises from Hacking Team Data Leak – TrendLabs Security Intelligence blog
- Another Hacking Team Flash Player 0day Uncovered - Malwarebytes Unpacked
- Adobe To Fix Another Hacking Team Zero-Day - Krebs on Security
- Vulnerability Note VU#338736 - Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability - CERT
CVE-2015-5123 (Hacking Team 0-day)
- New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak – TrendLabs Security Intelligence blog
(not related to Flash Player but since we are on a roll…
- Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit – TrendLabs Security Intelligence blog
So what is one to do?
For most people/businesses/enterprises…probably many folks won’t do anything and will keep on web-surfing with exploitable Flash Player versions hanging over their head like a sword strung up by a thread. (I’m speaking you to Enterprise team that has us running a quite-outdated version of Flash Player as our standard as part of “application compatibility”.)
Everyone using Flash Player should hop immediately over to Adobe’s Adobe Flash Player Distros page and download/install the appropriate version. Not sure if you need it, then first stop by Qualys BrowserCheck in every one of your installed web-browsers. It will tell you if you have the latest version of Flash Player (and other critical browser plug-ins) installed. If not, it will help you get them updated.
However, as the 2nd Flash 0-day shows, having the latest Flash Player installed is no guarantee you won’t get hammered anyway.
To add deeper layers of protection consider installing Malwarebytes Anti-Exploit (free/$) or HitmanPro.Alert (trial/$) for Windows 0-day exploit protection. Couple that with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) for good measure. Please.
But to get even more hardened on your security, seriously consider dumping Flash Player from your system entirely. Yes that is a “extreme” position, but considering the threat landscape, if you don’t need it for a business critical reason then it’s time to shed it.
I’ve pulled that trigger on my secondary system. After about a week of trialing, I’m likely to do the same on my primary system and Lavie’s system as well.
Wonder what life may be like without Flash Player? Brian Krebs has already gone down that patch and can tell you all about it.
- A Month Without Adobe Flash Player - Krebs on Security
As a Windows user I used the “Programs and Features” area to manually uninstall both the Active-X (IE) and Plugin-based browser installations of Flash Player. For good measure I then downloaded and ran the official Adobe Flash Uninstaller to make sure no bits were left behind.
I also manually checked for the presence of Flash Player embedded in Chrome/Chromium and was prepared to disable/remove it manually if needed. In my case it wasn’t.
- How to Uninstall and Disable Flash in Every Web Browser – How-To Geek
- Disable the Old Adobe Flash Plugin in Google Chrome – How-To Geek
- Adobe Flash Player plug-in - Chrome Help
Yes there are additional guides on how to simply disable Adobe Flash (or set Flash media to “click-to-run”) in your browser and/or control Flash activity via add-ons.
However the risk seems too great so for me the answer is to just strip it out entirely.
Next step; to see if I need to remove any remaining Flash elements that are embedded in other Adobe products on my system in case they could be used to pivot as part of an exploit chain.
Seriously…if you don’t critically need Flash Player…remove it.
PS: I didn’t discuss it, but I have already removed Adobe Shockwave & Adobe AIR as well from all our systems. Don’t need them. Don’t use them. Do have the latest Java JRE still installed as I do need that for some JAVA apps but I keep it fully patched. Same with Silverlight. Just saying…