A deadline three years in the making is coming up on December 31, 2020. That’s when Adobe will end its support of Flash. So, what does that mean for an organization’s IT department and all of us as individuals?
It means proceed with caution because any security vulnerabilities Flash has now won’t be resolved come January 1. And there are plenty of bad actors out there waiting to exploit them. Here’s what you need to know to protect your organization and yourself.
Was Flash ever really secure?
When Steve Jobs penned his now-famous Thoughts on Flash in 2010, it sounded the death knell of an application that ran on nearly one billion endpoints at the height of its popularity. It’s worth noting that in Jobs’ dismissal of Flash, security was only one of several issues he had with the application.
Since then, many websites have turned to HTML5 for delivering animated and interactive content, so the installed base of Flash has gradually declined. Moreover, browser vendors have moved to open standards and most have blocked Flash from running because of the numerous security vulnerabilities it can create.
Nevertheless, there’s still a lot of Flash — or fragments of it — out there in operating systems, on websites, as part of business applications behind the company firewall, and on users’ machines.
What made Flash so vulnerable to security issues?
It’s not just Flash that’s had a checkered history in terms of security. Over the years, Adobe introduced many products with security holes, according to Boyd White, director of technical account management at Tanium.
As for Flash, he says, “I think it was written as a functional tool first and Adobe simply didn’t seem to put security first. They were chastised, much like Microsoft was about 25 years ago. But Adobe Flash never implemented the controls necessary to release products that didn’t allow remote exploitation.”
Several acquisitions by Adobe also contributed to this helter-skelter approach.
“Flash was originally a totally different product,” White adds. “So, when you inherit a code base, you’re always just trying to make it work.”
White shares a technical overview of how to handle Flash’s end of support in this Vulnerability Advisory on the Tanium community.
Why are Flash risks greater with the end of support?
The risks are more significant because once support ends, whatever vulnerabilities exist will never be addressed. And Flash has been around for a long time, so there are instances of it all over the place. For example, when you install Windows 10 on a new computer, there are still remnants of it in the operating system. All it takes is a clever attacker enticing an unsuspecting user to click on something that launches a latent, vulnerable dynamic link library (DLL) on the machine — voilà: remote code execution.
It’s tough to find and remove every instance of code you no longer want in a system. Uninstallers often fail to remove all remnants. They can leave DLLs, executables, registry keys, or permissions. So, even if you run a Flash uninstaller, you may still have issues.
Are there still legitimate uses for Flash?
Undoubtedly, some legitimate uses for Flash remain. For example, some enterprise resource planning (ERP) reporting applications might use Flash. Organizations can choose to uninstall Flash where it’s not needed and keep it where there’s a use that can’t be fulfilled with another application.
But this complicates the process and increases the risks. It’s not easy to track all the users of an application. Tanium customers can use the Deploy module to remove Adobe Flash, while giving users the option to notify IT if they have a legitimate use. This limits your risk exposure.
When it comes to security, there’s no such thing as perfect. But the more Adobe Flash you remove from your environment, the safer it is.
Three tips for minimizing the risks of Flash in your environment
Acknowledging that there’s no single, perfect strategy or tactic for dealing with Flash, we recommend using:
- Surveys: Survey each department in your company about their use of and need for Flash. You can also survey web app developers and business information security officers (BISOs). With surveys, it’s always a challenge to get people to respond, but stress that a security breach caused by Flash will harm the company’s reputation and operations.
- Tanium Deploy and Patch: For Tanium customers, our Deploy and Patch modules can help find and remediate Flash vulnerabilities.
- Tanium Comply: Customers of Tanium should continue to scan for vulnerabilities using Tanium Comply. If a new Adobe Flash vulnerability comes out after EOL, Tanium Comply will be updated and help you locate and track vulnerable systems.
- Uninstallers from reputable companies: Be sure to check that your organization has removed all the software related to Flash, not just the base Flash application. This includes the Adobe Flash uninstaller.
The risks of Flash will gradually decrease
According to White and other experts, identifying and remediating Flash vulnerabilities will extend over months, if not years.
“Until operating systems are entirely rebuilt, there will be remnants in the systems of many organizations,” White says. “But the risks will be much lower over time.”
In the meantime, organizations and individuals need to stay aware. For example, be on the lookout for certain file extensions, such as .swf (Shockwave file), that indicate Flash content. Any link that prompts the user to “click here” to run a Flash program is potentially a phishing attempt that can introduce malware onto your device or corporate network.
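The leftover DLLs, executables, and registry keys described above, and the .swf files mentioned here, can be inventoried before any removal is attempted. The following read-only PowerShell script is an added example, not code from Tanium or from White’s advisory; the directories and registry keys it checks are the usual Flash Player locations on Windows and are assumptions, not taken from this article.

```powershell
# Added example: inventory Adobe Flash remnants on a Windows host (read-only).
# Not Tanium's code. Paths and keys below are assumed standard Flash locations.

# Typical install directories for the ActiveX/NPAPI/PPAPI players (assumed).
$flashDirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash"
)

# Registry keys Flash Player writes to, plus the Add/Remove Programs list (assumed).
$flashKeys = @(
    'HKLM:\SOFTWARE\Macromedia\FlashPlayer',
    'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayer'
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Binaries an uninstaller may have left behind (.ocx, .dll, .exe).
foreach ($dir in $flashDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.ocx', '.dll', '.exe' } |
            ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = $_.LastWriteTime }) }
    }
}

# 2. Registry keys that survived the uninstall.
foreach ($key in $flashKeys) {
    if (Test-Path $key) { $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = $key; Detail = 'key present' }) }
}

# 3. Uninstall entries still advertising a Flash product.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Adobe Flash*' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'Uninstall'; Item = $_.DisplayName; Detail = $_.DisplayVersion }) }

# 4. .swf content under user profiles, the file type the article says to watch for.
Get-ChildItem -Path "$env:SystemDrive\Users" -Filter '*.swf' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'SWF'; Item = $_.FullName; Detail = $_.Length }) }

if ($findings.Count -eq 0) { 'No Flash remnants found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and system directories are readable; anything it lists is a candidate for removal or for a follow-up check of file permissions, which it does not inspect.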
Unsupported applications are not just an Adobe Flash problem
White cautions that application end-of-life (EOL) and end of support aren’t issues unique to Flash. Once any product reaches EOL, there’s always a chance it has unidentified vulnerabilities. So, when support ends, these vulnerabilities can be exploited forever because there’s no patch for them — and there never will be.
“The publicity surrounding Flash end of support presents a good opportunity to think about how you manage applications and operating system EOL in general,” White says. “It doesn’t have to be a high-profile application to give opportunities to bad actors.”
Large organizations use hundreds, if not thousands, of applications that will likely reach EOL at some point. And when one company merges with or acquires another, it adds to the volume and complexity of this problem. The threat this presents can be enormous.
“I think the moral of the story comes back to basic IT hygiene,” White says. “Know what’s on your network and why. If you don’t have that visibility, then you are definitely at risk.”
And this is even more pressing with mergers and acquisitions. It is imperative to know what the acquired company’s software stack looks like and what security or performance liabilities your organization might be inheriting.
“When you decide to stop using an application, or it enters EOL, the security consequences of that go far beyond whatever function the software originally performed,” White adds.
Regardless of your company’s business situation, the Tanium Platform can make finding and removing out-of-date or risky software like Adobe Flash much faster and easier than traditional methods.
“Tanium provides the visibility and control that is so essential for managing the applications on your devices to ensure they are safe and operating as efficiently as possible,” White says. “Flash is just the latest example, but keeping a close watch on device software is a constant and essential need for any digital organization.”
For step-by-step instructions on finding and removing Adobe Flash Player using Tanium, check out White’s article on the Tanium Community.