Flash and Java – Can businesses Live Without Them?

By: Gavin Millard, technical director at Tenable Network Security

The Hacking Team breach continues to expose risks for individuals and businesses alike, as flaws in widely popular pieces of software continue to be uncovered from the stolen data.

Recently, there has been a spate of warnings of Flash zero day vulnerabilities, plus a previously unknown and unpatched Java arbitrary code execution vulnerability, being utilised by attackers. The news is dire for users that have these applications installed as they are seriously at risk of these vulnerabilities being exploited. Worst still is the speed in which the recent disclosures were weaponised, beating Adobe to the punch with the bugs being utilised in popular exploit kits like Angler before a patch was available, so even if you’ve got a short patch cycle users can still be at risk.

But can businesses live without implementing Java and Flash?

Java has enjoyed a long period of popularity, with many employers still asking for knowledge of Java as a requirement for new programmers. This popularity is due to the vast array of libraries that are available for solving most of the common issues present when developing enterprise applications, as well as Java’s reported flexibility and its usage on up to a billion devices, making a standard requirement for a lot of sites and businesses in terms of accessibility and ease of use. However users are starting to disable it in their browsers, looking for alternatives – so perhaps the winds of change are a-blowin’.

As for Flash, organisations such as Mozilla have taken steps to block Adobe Flash temporarily and Facebook wants an end to Flash altogether. The amount of new vulnerabilities being reported shows that user data is not as safe as was thought, which is why organisations need to minimise their use. Alternatives such as HTML5 are gaining ground, especially as there is no flash plug-in for most mobile browsers, it’s clear that it isn’t a complete necessity. However flash is still ubiquitous, with it reaching a reported 99% of internet enabled desktops worldwide.

A major obstacle is that many organisations have developed applications using Java and Flash or rely on code written by a third party in these aging languages. Unfortunately, the probability that a business could disable Flash and Java across every device today without impact is low.

Death knell

Nonetheless, the internet is fluid and with it the opportunities for new norms to develop is equally viable. Alternative software tools are constantly evolving, with more secure offerings coming to the fore.

With the rapid disclosure and weaponisation of vulnerabilities within Flash and Java outpacing the vendors’ ability to fix the flaws and IT staff to identify and patch, the ease of attackers gaining a foothold in environments is unfortunately increasing. With most employees nowadays using corporate systems at home, away from the advanced security of the corporate network, if IT staff don’t have an effective method of identifying how vulnerable mobile endpoints are to exploits of this type, combined with the ability to rapidly push updates to fix them, threats could be walking through the door in employees laptop bags every day.

As long as Flash and Java continue to be a favoured attack vector for exploit kits and malware authors, maybe it’s time that they were put out to pasture, only being used by parts of the business that require it and continually monitoring for users that don’t. If this is too drastic a move, educating the users to threats associated with Flash and Java and disabling the auto play of code so the user has to decide to run it could be a first step in finally getting rid of a major weakness on client machines.