Monthly patches and upgrades don’t always go well, but getting them down is increasingly critical, especially for applications like Flash, Reader, and the major web browsers. This week I called it “the new firewall.”
Twenty years ago, home users almost never bothered with firewalls. My first employer didn’t bother with them either. That changed in the late 1990s, when worms exploiting weaknesses in Microsoft software devastated the nascent Internet. Firewalls soon became commonplace, along with some unfortunate hyperbole that led some people to believe firewalls make you invisible and invincible, a myth that persists in some circles even today.
For this reason I’m a bit hesitant to declare anything a new firewall, but firewalls are necessary. So is protecting key software.
The easiest way into a corporate network in the post-firewall age is to attack a workstation. The easiest and most effective way to attack a workstation is to get it to exploit weaknesses in a web browser, Flash, Acrobat Reader, or Java. Once you gain a presence on that workstation, you can jump elsewhere on the network.
Adobe releases a new version of Flash almost every month. Microsoft patches Internet Explorer almost every month. Mozilla patches Firefox at least every six weeks. Google patches Chrome whenever it feels like it–usually a couple of times a month.
Deploying patches is critical, but sometimes you can’t patch fast enough, or maybe your attackers know about vulnerabilities that haven’t been patched yet, so it’s important to supplement that with mitigations. Run EMET. Don’t install Flash and Java at all if you can get away with it–and increasingly you can get away with it because Flash isn’t available for most modern tablets and phones, so web sites substitute HTML5 content for Flash when it’s unavailable, even on a desktop. If you need Flash, you can use EMET 5.x’s attack surface reduction (ASR) functionality to make Flash available only to business-critical sites that need it (if indeed there is such a thing), and make non-business-critical sites limp along without it. You can use the same functionality to make Java available only under the same circumstances.
If you really want to be revolutionary, deploy Java and Flash selectively. I never use Java, so there’s no reason for me to have Java installed on my workstation. There are some business-critical apps written in Java, so let the users of those apps have Java, but all Java is doing on my box is making it more pwnable. Most likely, if you really dig into it, you’ll find people who have no need for Flash either. Patching and protecting Flash are great, but they’re no match for not having Flash installed at all.