If there were ever a compelling argument for convincing your customers to ditch any use of the Adobe Flash browser plug-in, it is this vulnerabilities list on the CVE Details site, a historical run-through of the more than 1,000 vulnerabilities impacting Flash since it launched two decades ago. This week brought Flash woes back into the headlines as Adobe released a patch to address yet another problem with the software.
The flaws, listed as CVE-2018-4877 and CVE-2018-4878, exist in Flash Player 18.104.22.168 and earlier versions, and allow an attacker to remotely execute malicious code. Adobe published a security advisory acknowledging the zero-day on Feb. 1 and issued the patch for it earlier this week.
The zero-day vulnerability was initially identified by South Korea’s KISA (KrCERT/CC). A blog on the issue from researchers at Malwarebytes explains that Windows users in South Korea were targeted when threat actors used social engineering techniques to trick targets into opening a decoy Microsoft Excel document, which would then infect them with a remote administration tool named ROKRAT.
Research teams from both FireEye’s iSIGHT Intelligence and Cisco believe a North Korean hacker group is behind the attacks. The group, known as TEMP.Reaper by FireEye and Group 123 by Cisco, has previously had close ties with North Korea and is thought to be behind several campaigns in 2017 that targeted South Korean users. The cyberstrike speaks to the potential for exploitation by North Korean hackers as tensions also mount between the country and the United States. Attacks launched by hostile nation-state hackers have been an increasing concern for IT security professionals in recent years. A recent report from Cylance notes that 82 percent of IT security professionals polled cited nation-state attacks as a top concern.
Time to Trash Flash?
Obviously the immediate takeaway is that MSSPs should be advising customers to patch – and patch immediately – with the fix Adobe released this week. But the news also speaks to the larger question of whether organizations should be using Flash at all these days. Rife with ongoing problems, the software poses more risk than advantage at this point.
And do you really need Flash anymore? Likely, no. As the team from Sophos explains, while it was initially used for viewing videos, almost all websites will use HTML5 for videos if you don’t have Flash.
“If you uninstall it, your browser will use its built-in video player instead — so you probably don’t need Flash after all,” noted Sophos staff in a recent blog.
Adobe itself plans to retire Flash in 2020. Flash was once the most popular software for watching videos and playing games online, but frustrations with its risk profile and the increasing use of newer technologies, like HTML5, have rendered it less desirable.
Get the word out now to clients: It’s time to break old habits and move into a more secure place by trashing Flash. Have a discussion with them about their Flash use and help them get educated about the alternatives.
Who is Security Joan? We'll never tell, but all you really need to know is that she's a huge Steely Dan fan (as if the nom de plume didn't give it away). She's also a veteran infosec journalist who has covered the evolution of the cybersecurity industry, its shadowy criminal underworld, and the good people trying to stop them for more than a decade. In addition to our weekly Security Central column, Security Joan helps inform the Channel Futures cybersecurity coverage with her sizable expertise. Say hi on Twitter @Security_Joan.