Find and fix your Adobe Flash dependencies, says NCSC

Consumer PC users will probably not notice much difference when the once-ubiquitous Adobe Flash Player finally enters end-of-life on 31 December 2020, but many organisations, both large and small, still have Flash dependencies that they may not be entirely aware of, and the time to get on top of the situation is now, says the UK’s National Cyber Security Centre (NCSC).

In a new advisory urging organisations to fix their Flash dependencies, the NCSC said that for many, weaning themselves off Flash may be easier said than done. Because it used to be the only practical way of hosting multimedia or dynamic content, a great many applications, including many e-learning, document management and company intranet sites, still rely on it.

Among others, NCSC researchers found Flash Player in use in versions of VMware vCenter and vSAN (prior to spring 2018) for some admin functions, and various tools from the likes of SAS, Citrix, and others. Flash Player was also needed to run the Extensible Firmware Interface (EFI) Shell used to load firmware updates onto older Intel Server mainboards.

“Our research suggests that the majority of enterprises will have some Flash dependencies,” said NCSC researchers. “In most cases, though, the vendors of the products in question have done the hard work to provide updates for their products. So, it’s down to us to get those updates applied.

“Warranties and service agreements on enterprise services and hardware are usually set at three or five years, suggesting that it is unusual to replace or refresh enterprise equipment, applications and services more than twice a decade.

“So, unless a conscious effort is made to find an alternative, many enterprises will still need to use Adobe Flash Player to access enterprise services, and perform common administrative functions, well after the product has reached end-of-life.”

Flash has been a growing source of cyber security headaches for some time now, with more than 1,000 recognised vulnerabilities, including some discovered as recently as June this year. At times, the Flash update and installation process itself has been targeted by malicious actors, with fake Flash updates being used to distribute malicious trojans.

As of 1 January 2021, any new vulnerabilities are likely to remain unpatched indefinitely, making continued use of Flash highly risky.

Also, anyone who wants to continue to use it will have to use an old, unpatched version of their browser, and are likely to need to disable its update mechanism, which is highly inadvisable.

“We encourage you to work alongside your suppliers to remove Flash dependencies,” said the NCSC. “Any vendors that are unwilling, or unable, to do this should themselves be considered risky. Please let us know if you encounter problems.”

Ed Williams, EMEA director of Trustwave’s SpiderLabs threat research unit, said end-of-life software was a perennial problem for most enterprises, and was frequently found to be the underlying cause of a compromise.

“The risk posed of running end-of-life software is significant and one that organisations don’t always appreciate due to the scale of the issue,” he said.

“It’s also a problem that is very rarely solved at one point in time and is considered more of an ongoing risk mitigation project. Most software periodically requires patching and maintenance and, given the sheer scale of the problem, we often see exploitable gaps within even the most robust patching regime.”

Williams added: “Being able to identify end-of-life software and then appropriately mitigate the risk is no easy task and one that requires significant investment and cyber maturity. I’d recommend a continuous patching policy, coupled with regular threat and vulnerability management to identify gaps and blind spots.”