A growing number of researchers and analysts recommend disabling the Flash plugin in your web browsers due to ongoing security problems. Perhaps you already did that and you may think your computers are now immune to Flash exploits. But maybe not.
Flash files can not only be embeded in a web page but also in various document formats such as Microsoft Office documents and PDF files. Even if you have disabled Flash in your browsers, Flash exploits can still leverage Flash player vulnerabilities through software like Microsoft Office and Adobe Reader. Let's do some tests. I will use the PoC of CVE-2015-5122 from the Hacking Team in my test. It will pop up the calculator program when loaded in browsers and other applications that have a vulnerable Flash plugin enabled.
First I craft a PPT document with PowerPoint 2013 as shown in the image below.
When I view slide show this document the calculator program pops up on my computer as shown in the image below.
Next I craft a PDF file with Adobe Acrobat Pro DC 2015 as shown in the image below.
The calculator program pops up on my computer when I insert the Flash exploit. I close the PDF file then open it again. The calculator program pops up again when I click the play button.
There is no need to modify the Flash exploit at all. It works well inside a PPT and PDF document until I uninstall the Flash player on my computer.
It is worth noting that this particular exploit (and others like it) can be blocked by Microsoft's Enhanced Mitigation Experience Kit , but this software is not exactly universal in its deployment and this is just one simple example of ways in which Flash can be exploited outside of a web browser.
What all this means, unfortunately, is that disabling the Flash plugin in your browsers isn't a complete solution to Flash security. Flash is a technology that can be embedded in many places and requires vigilance on the part of users as well as smart edge and endpoint protection and rigorously patched software to ensure that Flash exploits don't end up on your network.
No comments:
Post a Comment