Flash is a popular Adobe platform frequently used for creating games,multimedia interaction, animated visualizations, videos and much more. Every time you visit a web page that loads a video, animation or interactive content, it is typically Flash that is the driving force behind the visual interaction. While Flash has been used on a large-scale since 1996, the security community has expressed concerns over the abundance of malware and vulnerabilities that have plagued the Flash platform in recent years.
Flash security threats
At the site CVE Details, you can find a comprehensive list of all known vulnerabilities for Flash. It is strongly suggested that companies remain up-to-date with the latest Flash patches and security fixes. According to the CVE site, 63 new vulnerabilities were discovered in 2011 alone. This has resulted in Adobe continuously issuing numerous updates with patches and fixes to address the threats and eliminate vulnerabilities. Unfortunately, additional vulnerabilities are discovered on a frequent basis, so expect the updates to continue.
Numerous types of vulnerabilities have been found in Flash, the most common ones being denial-of-service, cross-site scripting attacks and executable code. All three of these threats can have serious consequences if an attacker is able to successfully execute them. Many security experts have recently warning users to uninstall Flash and not use it anymore if they want to stay safe. There are also tools that users can download and install that will block Flash on external websites.
The threat of Flash vulnerabilities is real, especially for companies. Once an attacker has successfully used a Flash vulnerability exploit to gain unauthorized access to part of the company network, he can use that privilege to gain even greater access to more sensitive areas of the company infrastructure. This can put practically all company assets at risk, including important contracts, financial records, confidential customer/client information (credit card info, banking info, social security numbers, phone numbers, addresses, etc.), sensitive company information, trade secrets, and much, much more.
Flash security settings
In addition to keeping company computers updated with the latest patches and fixes, users can keep tight control on the security settings as well. To change these settings, users should access the Adobe Flash Player Settings Manager, which can be accessed from the Adobe website. The Adobe Flash Player Settings Manager has six tabs of options, each with sub-options.
Global Privacy Settings
Global Storage Settings
Global Security Settings
Website Privacy Settings
Website Storage Settings
By using the options and sub-options on each tab, users can select an appropriate security level for each tab. If users are unsure of any settings, the settings can be set to "always ask." This option notifies users every time a Flash component tries to make a change to the system so that they can make the appropriate decision on whether to allow the action or deny it.
Another competent security option is to use sandboxing. By utilizing Flash security sandboxes, users can test Flash applications and code while it is "sandboxed" in a safe environment and cannot affect the computers on the company network system.
Flash developers and security
Flash developers are having a tough time trying to keep up with security updates and vulnerability management while creating Flash applications. Here are just a few of the actions that developers must perform in order to keep their Flash application as secure as possible.
- Properly adjust Flash security settings
- Ensure that Flash has been updated to latest patches and fixes
- Perform vulnerability assessment and penetration testing if necessary
- Maintain global Flash security management
- Set Flash security controls using HTML
