Last month, I blogged about a Flash zero day. This month, two more Flash zero days have emerged as the result of the Hacking Team leaks. These critical vulnerabilities have some security experts calling for a new approach to Flash.
ZDNet reports that Mozilla has blocked all versions of Flash in Firefox by default. To clarify, Mozilla is only blocking the actively exploited versions of Flash until they are patched. However, many information security professionals would love to be able to block Flash completely. Discussions from around the Internet paint Flash as an outdated technology that is being made obsolete by HTML5. There is even a social movement, Occupy Flash, whose goal is to “rid the world of the Flash Player plugin.”
In light of the Firefox block, even Facebook is calling for the end of Flash.
In June, Brian Krebs blogged about his experience disabling Flash for a month. After 30 days, he found that he barely missed it:
I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe’s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.
Well-known browser plugins such as Flash often have unknown vulnerabilities, but is it realistic to disable Flash at your organization? The outcry from users would be swift and severe. In some cases the impact may be limited to a few streaming video sites such as YouTube, but in other cases Flash is built into the legacy code of enterprise applications.
Where does this leave organizations? They remain vulnerable to zero-day attacks if they leave Flash enabled and unpatched. And yet, even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch, or do you test first to make sure it integrates with legacy systems?
Of course, the third option is to deploy threat isolation security solutions. This latest zero-day, and others like it, can be contained by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period they need to test and deploy these critical patches.
A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The Internet today is a constantly changing and expanding chain made up of potentially weak links. Disabling Flash is a good move, but in the end it’s just another reactive band-aid. Unless a new approach to security is taken, we will be back in the same position with a different link next week or next month.