Our Head of Technology, Nik Goile, gives us some background on last month’s Adobe Flash exploits, and explains how CDSM was prepared to deal with them…
You probably heard about the Adobe Flash Player vulnerabilities that came to light in July. They were heavily publicised in the news – even appearing in a BBC article – and caused a flurry of activity in the online security community.
Security updates for operating systems, programs, browsers and associated plugins are common – so what makes July’s multiple patch releases any worse than what’s happened in the past?
The Danger of ‘Zero Day’ Exploits
Early last month, the controversial ‘Hacking Team’ – a company that sells offensive intrusion and surveillance tools to governments, law enforcement agencies and corporations – were hacked themselves. The hackers cleaned out the Hacking Team’s internal code, files and email archives, and then published them on the Internet.
The published archive included at least three zero day exploits for Adobe Flash, and one for Microsoft Internet Explorer. A ‘zero day’ exploit is when an exploit has been created but the supplier doesn’t know about it, and so hasn’t patched their software to defend against the exploit. Whoever has these exploits can attack anyone who’s using a vulnerable technology (which is a lot of people when it comes to Flash and Internet Explorer). Worse still, these exploits were tried and tested, as the Hacking Team had been selling them to snooping agencies and corporations around the world for several years. Now these effective and proven exploits were available to any active cybercriminal.
What Happened Next
Adobe, Microsoft and Oracle (for an unrelated – but serious – set of Java vulnerabilities) rushed out patches in an attempt to close these security holes and protect their users. However, the rapidity of the exploits being discovered in Flash meant that users’ computers were left vulnerable for days at a time between patches. This led security experts to call for Flash to be uninstalled or disabled on computers, and some browsers to start automatically blocking Flash by default. Internet giant Facebook even called for Flash to be killed off completely. Things were clearly getting serious.
The impact of this Flash Player blackout is that fewer and fewer Internet users will be able to see Flash content automatically when they visit web pages (though on the plus side, this does stop them from being subjected to a whole host of annoying adverts). If a user has Flash ‘Click-to-Play’ enabled, then they will see a box where the Flash movie is and must choose to play it manually. If Flash has been disabled or uninstalled, then the user will get a prompt to install it (if the content is clever) or an empty box (if the content isn’t running any checks to see if the Flash plugin is installed).
How CDSM Dealt with the Zero Day Threats
In the week following these zero day exploits, one of our large corporate customers notified us that they had disabled flash on all their company devices. As the dust settles, we expect more of our corporate and public sector customers to follow suit.
A Big Decision
Your content repository may contain a significant amount of third-party and/or legacy material that has been negatively affected by these recent developments. For many companies, existing Flash material represents a significant investment, and so abandoning Flash overnight may seem like an intimidating prospect.
If you would like some help in planning a transition to more contemporary e-learning content, then please do not hesitate to contact us. Whether you’re an existing CDSM customer, or a representative of an organisation that has been affected by the fallout from these zero day exploits, CDSM are here and happy to help.