Fortinet’s FortiGuard Labs released an advisory relating to Flash earlier this month. Essentially, a specially crafted SWF file could allow an attacker to execute arbitrary code on a user’s PC. The exploit actually uses a vulnerability patched in Flash 220.127.116.11. There are more details on their website here. Fortinet classified the threat as SWF/SwfDlr.BC!tr.
If your organisation requires Flash, the obvious course of action is to ensure that Flash is kept up to date. Continued use of Flash is not really recommended unless you genuinely need it. With the widespread adoption of HTML5 for video and interactive web applications, there have been questions for some time about the longevity of Flash. With exploits appearing in the wild every so often, it is no wonder its demise is perhaps accelerating, with people turning to open standards such as HTML5.
We have talked about IPS (Intrusion Prevention Systems) in a number of articles and discussed the common misconception that they belong only in front of hosted applications or e-commerce sites. This particular vulnerability is exactly the kind of case where an IPS excels.
FortiGuard’s own labs tested and identified this exploit, and they have created a signature that is pushed to Fortinet firewalls and Web Application Firewalls (WAFs) in real time. These devices may be protecting the perimeter or internal network segments. Once the signature is loaded, if any user in the organisation is tricked into connecting to a malicious website (or a legitimate website that has been compromised), the IPS engine will identify the attempted exploit and block it. In these scenarios the IPS is in effect blocking intrusions that are, to some extent, initiated by the user.
Inspecting SSL-encrypted traffic is an equal challenge, especially if the crafted exploit code is delivered by a website over HTTPS: common web filters or firewalls that are not configured for SSL inspection simply will not see it. SSL inspection does need careful consideration, given that as a business you can then look at all traffic, including potentially employee-confidential traffic. It is for this reason that your staff handbook, terms and security policy should make clear what you are doing and why.
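To make the two preceding points concrete, here is an added illustration (not Fortinet’s signature engine or any code from the advisory) of what an inline inspection engine has to do with an HTTP response before a content signature can ever match: split the response, look at the bytes actually delivered rather than the Content-Type the server claims, recognise the SWF container (FWS/CWS/ZWS are the real SWF signatures), and inflate a zlib-compressed body. The verdict policy, the helper names and the sample responses are all constructed for the example; the "SWF" payload bytes are arbitrary filler, not a real file. Over HTTPS, the bytes this code inspects are ciphertext until SSL inspection terminates the session in front of it, which is why a device without that configured sees nothing here.

```python
"""Toy HTTP response inspector: recognise SWF content by its bytes, not by the
declared Content-Type. Added illustration only; not an IPS product's code."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Real SWF container signatures and the compression each one implies.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
SWF_MIME = "application/x-shockwave-flash"


@dataclass
class SwfHeader:
    compression: str
    version: int       # SWF format version byte
    file_length: int   # uncompressed length, 8-byte header included


def parse_swf_header(data: bytes) -> Optional[SwfHeader]:
    """Return the SWF header if data starts with an SWF signature, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    (file_length,) = struct.unpack("<I", data[4:8])
    return SwfHeader(SWF_SIGNATURES[data[:3]], data[3], file_length)


def swf_body_bytes(data: bytes) -> bytes:
    """Body after the header, inflated when zlib-compressed (CWS). An engine has
    to do this before any byte-pattern signature can match inside the file."""
    hdr = parse_swf_header(data)
    if hdr is None:
        return b""
    if hdr.compression == "zlib":
        return zlib.decompress(data[8:])
    return data[8:]  # LZMA (ZWS) left uninflated here; not needed for the demo


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def inspect_http_response(raw: bytes) -> dict:
    """Constructed policy: any SWF body is logged; an SWF delivered under a
    non-Flash Content-Type (a disguise an engine should not trust) is blocked."""
    headers, body = split_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    hdr = parse_swf_header(body)
    if hdr is None:
        return {"is_swf": False, "declared": declared, "verdict": "allow"}
    mismatch = declared != SWF_MIME
    return {
        "is_swf": True,
        "declared": declared,
        "swf_version": hdr.version,
        "compression": hdr.compression,
        "mismatch": mismatch,
        "verdict": "block" if mismatch else "log",
    }


# --- constructed samples (filler bytes, not real Flash content) ------------
def build_swf(version: int, payload: bytes, compress: bool) -> bytes:
    """Wrap arbitrary payload bytes in a syntactically valid SWF container."""
    length = struct.pack("<I", 8 + len(payload))
    if compress:
        return b"CWS" + bytes([version]) + length + zlib.compress(payload)
    return b"FWS" + bytes([version]) + length + payload


def http_response(content_type: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


PAYLOAD = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 16
SAMPLE_DISGUISED = http_response("image/gif", build_swf(10, PAYLOAD, compress=True))
SAMPLE_DECLARED = http_response(SWF_MIME, build_swf(10, PAYLOAD, compress=False))
SAMPLE_HTML = http_response("text/html", b"<html><body>hello</body></html>")

if __name__ == "__main__":
    for name, sample in [("disguised", SAMPLE_DISGUISED),
                         ("declared", SAMPLE_DECLARED),
                         ("html", SAMPLE_HTML)]:
        print(name, inspect_http_response(sample))
```

The point of the disguised sample is that a filter keying on Content-Type or file extension would pass it straight through, whereas an engine that parses the delivered bytes recognises the container and can then run its signatures over the inflated body.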