Flash has been getting a lot of attention recently, as Amazon and Google each announced they would be blocking or pausing Flash ads. This should come as no surprise to anyone who has been following trends with Flash. Previously, Bromium research indicated that 90 percent of security professionals believe their organization would be more secure if it disabled Flash. Additionally, the Bromium threat report, “Endpoint Exploitation Trends 1H 2015,” highlighted the growing issues with Flash:
“In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.”
Flash exploits are so popular because Flash advertisements are so prevalent. According to Ad Age, 84 percent of online ads are delivered through Flash, which makes it a green field for cyber attacks. Unfortunately, as is the case with so many industries, security has been an afterthought to the advertising industry, which had no financial motivation to develop a more secure delivery model.
That changes now that Google is forcing the issue with its Chrome internet browser. Beginning September 1, Google Chrome will be “intelligently pausing” Flash ads. Flash video players will still work, but non-essential Flash content will be blocked. Part of the motivation for blocking Flash ads is a better user experience; Flash ads can be noisy and intrusive, even draining battery life.
There is no doubt that blocking Flash ads will improve security. Bromium research has written extensively about malicious advertising, which can be targeted to specific users of operating systems, browsers and plug-ins. Therefore, even though Chrome will be blocking Flash, malicious Flash ads will remain a viable attack vector for other browsers because they can be easily targeted.
Where does this leave organizations? They remain vulnerable to zero-day attacks if they leave Flash enabled and unpatched. And yet, even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch? Or do you test to make sure it integrates with legacy systems?
Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be contained by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period needed to test and deploy these critical patches.
A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The internet today is a constantly changing and expanding chain made up of potentially weak links. Disabling Flash is a good move, but in the end it’s just another reactive band-aid. Unless a new approach to security is taken, we will be back in the same position with a different link next week or next month.