CDSM never stop learning

Adobe Flash and the Danger of Zero Day Exploits

Our Head of Technology, Nik Goile, gives us some background on last month’s Adobe Flash exploits, and explains how CDSM was prepared to deal with them…

You probably heard about the Adobe Flash Player vulnerabilities that came to light in July. They were heavily publicised in the news – even appearing in a BBC article – and caused a flurry of activity in the online security community.

Security updates for operating systems, programs, browsers and associated plugins are common – so what makes July’s multiple patch releases any worse than what’s happened in the past?

The Danger of ‘Zero Day’ Exploits

Early last month, the controversial ‘Hacking Team’ – a company that sells offensive intrusion and surveillance tools to governments, law enforcement agencies and corporations – were hacked themselves. The hackers cleaned out the Hacking Team’s internal code, files and email archives, and then published them on the Internet.

Adobe Flash

The published archive included at least three zero day exploits for Adobe Flash, and one for Microsoft Internet Explorer. A ‘zero day’ exploit is when an exploit has been created but the supplier doesn’t know about it, and so hasn’t patched their software to defend against the exploit. Whoever has these exploits can attack anyone who’s using a vulnerable technology (which is a lot of people when it comes to Flash and Internet Explorer). Worse still, these exploits were tried and tested, as the Hacking Team had been selling them to snooping agencies and corporations around the world for several years. Now these effective and proven exploits were available to any active cybercriminal.

What Happened Next

Adobe, Microsoft and Oracle (for an unrelated – but serious – set of Java vulnerabilities) rushed out patches in an attempt to close these security holes and protect their users. However, the rapidity of the exploits being discovered in Flash meant that users’ computers were left vulnerable for days at a time between patches. This led security experts to call for Flash to be uninstalled or disabled on computers, and some browsers to start automatically blocking Flash by default. Internet giant Facebook even called for Flash to be killed off completely. Things were clearly getting serious.

The impact of this Flash Player blackout is that fewer and fewer Internet users will be able to see Flash content automatically when they visit web pages (though on the plus side, this does stop them from being subjected to a whole host of annoying adverts). If a user has Flash ‘Click-to-Play’ enabled, then they will see a box where the Flash movie is and must choose to play it manually. If Flash has been disabled or uninstalled, then the user will get a prompt to install it (if the content is clever) or an empty box (if the content isn’t running any checks to see if the Flash plugin is installed).

Install Flash Player to play content

How CDSM Dealt with the Zero Day Threats  

Several years ago, in response to the increasing impact of mobile devices in learning, CDSM made the decision to move to using HTML5 and JavaScript as its core technology for presenting interactive content. The recent Flash debacle is a vindication of this decision, as it means that the impact of these recent exploits on our core products and services is very low.

In the week following these zero day exploits, one of our large corporate customers notified us that they had disabled flash on all their company devices. As the dust settles, we expect more of our corporate and public sector customers to follow suit.

A Big Decision

Your content repository may contain a significant amount of third-party and/or legacy material that has been negatively affected by these recent developments. For many companies, existing Flash material represents a significant investment, and so abandoning Flash overnight may seem like an intimidating prospect.

The decision to completely disable Flash is ultimately a decision for you and your organisation. If you decide against disabling Flash, it’s important to make sure that your browsers are updated and protected. For organisations considering a migration strategy, an evaluation of existing content – working out exactly how much would need to be moved over to use HTML and Javascript – is a good place to start.

If you would like some help in planning a transition to more contemporary e-learning content, then please do not hesitate to contact us. Whether you’re an existing CDSM customer, or a representative of an organisation that has been affected by the fallout from these zero day exploits, CDSM are here and happy to help.



One comment

  • September 17, 2015 - 10:42 am | Permalink

    Great report Nik! Personally I think adopting HTML5 as the de-facto standard will go a long way since it has so many benefits over Flash like less cpu power, less screen tearing and smoother play, security vulnerability in one browser’s HTML5 implementation is unlikely to be duplicated in other browsers and bugs in an HTML5 implementation affect less users as they get patched sooner. Both of these make HTML5 bugs less valuable to attackers. Way to go CDSM!

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    * Copy This Password *

    * Type Or Paste Password Here *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>