In the wake of several Flash zero-day vulnerabilities, how can enterprises limit the risk posed by Flash on the endpoint when it's a mission-critical must-have?
Ask the Expert!
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
Adobe Systems has been kept busy this year releasing emergency updates to address Flash security issues as a result of zero-day vulnerabilities in the browser plugin. Some of the flaws were given a Priority 1 rating by Adobe, its highest threat level. If Flash is truly a mission-critical must-have for your users, then you have to stay on top of security bulletins from Adobe to ensure security announcements aren't missed. Sign up to Adobe's Security Notification Service and ensure your patch procedures can handle out-of-band emergency updates. Even though Adobe is now synchronizing its Flash Player security updates with Microsoft's Patch Tuesday, it may still issue emergency updates outside of this schedule to combat zero-day exploits.
You also need to keep other software up to date. For example, in Office 2008 and earlier versions, Flash Player content runs by default without sandbox protection. One of the most common Flash Player zero-day attack vectors has been malicious Flash content embedded in Microsoft Office documents delivered via email. Office 2010 offers some protection, as it includes a Protected Mode sandbox. If a document originates from the Internet or an Untrusted Zone, the Protected View feature can prevent Flash Player content from executing.
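One defensive check that follows from the attack vector just described, as an added example that is not part of the column: a small Python scanner that opens an OOXML document (.docx/.pptx/.xlsx, which are ZIP containers) and flags parts that either carry an SWF file signature (FWS, CWS or ZWS) or reference the Flash Player ActiveX control CLSID. The sample document it scans is constructed inline; legacy binary Office formats are not ZIP containers and are rejected rather than scanned.

```python
import io
import re
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as referenced from word/activeX/*.xml.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)


def find_flash_in_ooxml(data: bytes) -> list:
    """Return (zip member, reason) pairs for every part that embeds or references Flash."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls/.ppt are OLE2 compound files, not ZIP; out of scope here.
        raise ValueError("not an OOXML (ZIP) container")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                body = fh.read(1024 * 1024)  # cap per-part read at 1 MiB
            if body[:3] in SWF_MAGICS:
                findings.append((info.filename, "swf-signature " + body[:3].decode()))
            elif FLASH_CLSID.search(body):
                findings.append((info.filename, "flash-activex-clsid"))
    return findings


def build_sample_docx(with_flash: bool = True) -> bytes:
    """Constructed minimal .docx for testing; not a real document from the column."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # ActiveX part pointing at the Flash control, plus an embedded zlib-compressed SWF.
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in find_flash_in_ooxml(build_sample_docx()):
        print(f"FLAG {member}: {reason}")
```

Run against mail attachments at the gateway or on a quarantine share, a non-empty result is a cheap signal to hold the file for review before it reaches a user on an unsandboxed Office version.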
Users could be required to use Google's Chrome browser for viewing Flash content. Chrome runs Flash inside a "Pepper Flash" sandbox that isolates it from the browser's other processes and provides a much more restrictive environment, so even Windows XP users can have a sandboxed Flash. If the Flash content users must access is hosted only on trusted sites, use the ActiveX Filtering feature in Internet Explorer 10 to stop Flash Player from running anywhere except on those sites. If you host your own Flash content, you could disable Flash altogether and deliver your content using HTML5; YouTube content runs perfectly well in the HTML5 player instead of the Flash player.
Finally, as many attacks exploit vulnerabilities in Adobe software, users should be regularly reminded of the dangers of opening unsolicited or unusual attachments or links.
This was first published in June 2013