Last week Adobe issued an out-of-band Flash patch, and once again Brian Krebs urged people to ditch Flash, noting that he’s done so and hasn’t missed it.
We decided to try ditching Flash at work a few months ago, but it didn’t go quite so smoothly for us. I thought I’d share my experience.
What we did was block .swf files at the proxy and create exceptions as needed. We’re a few months in now, and it sure seems like we’re still whitelisting about a site a day as someone notices something broken and calls the helpdesk. A large number of training sites, for instance, still use Flash. Ironically, one of those sites is the company we use for security awareness training.
At my previous gig, we made a similar move with Java. Unfortunately, when it comes to criminally ancient, vulnerable software that corporations just can’t quit, old Java runtimes top the list. When there’s one legacy intranet app you can’t retire, and it requires the JRE that Ada Lovelace wrote for Charles Babbage, there are only two things you can do short of migrating off that app: run EMET on that JRE with as many mitigations as possible, and filter at the proxy so that no web site other than that one app can deliver Java applets to the beyond-ancient JRE.
We did both, and our incident response team got a lot less busy. That’s all I’m willing to say. Well, I’ll add one thing: In the case of Java, there were very few howls of protest, because Java really is increasingly rare on the Web.
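As an added illustration (not code or configuration from the original post; the proxy used isn’t named there), here is the allow/deny decision behind both the Flash block and the Java applet filter written out as a small Python policy. The host names, whitelist entries and the extension/Content-Type lists are assumptions. It checks the response Content-Type as well as the URL extension, because a filter keyed on `.swf` alone misses a SWF served from a URL without that extension, and it anchors the whitelist match on a dot so a look-alike host doesn’t slip past.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy for illustration; the post does not name its proxy or its
# actual whitelist. Every host name below is an assumption.
FLASH_EXTENSIONS = {".swf"}
FLASH_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}
JAVA_EXTENSIONS = {".jar", ".class", ".jnlp"}
JAVA_TYPES = {
    "application/java-archive",
    "application/x-java-applet",
    "application/x-java-jnlp-file",
    "application/x-java-vm",
}

# Sites the helpdesk has cleared to serve Flash (this set grows about one a day).
FLASH_WHITELIST = {"training.example.com"}
# The single legacy intranet app allowed to hand applets to the old JRE.
JAVA_ALLOWED_HOSTS = {"legacy-app.intranet.example"}


def host_matches(host, allowed_hosts):
    """True if host is one of allowed_hosts or a subdomain of one.

    The suffix match is anchored on a dot, so
    legacy-app.intranet.example.attacker.com does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def classify(url, content_type=None):
    """Return ('flash' | 'java' | None, host) for a request/response pair.

    Both the URL extension and the response Content-Type are checked: a SWF
    served from /media/player with the right Content-Type still plays, and an
    extension-only rule would wave it through.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ext = posixpath.splitext(parts.path.lower())[1]
    ctype = (content_type or "").split(";", 1)[0].strip().lower()
    if ext in FLASH_EXTENSIONS or ctype in FLASH_TYPES:
        return "flash", host
    if ext in JAVA_EXTENSIONS or ctype in JAVA_TYPES:
        return "java", host
    return None, host


def decide(url, content_type=None):
    """Return 'allow' or 'block' for the given URL and optional Content-Type."""
    kind, host = classify(url, content_type)
    if kind is None:
        return "allow"
    if kind == "flash":
        return "allow" if host_matches(host, FLASH_WHITELIST) else "block"
    return "allow" if host_matches(host, JAVA_ALLOWED_HOSTS) else "block"


if __name__ == "__main__":
    # Constructed sample traffic, not real proxy logs.
    samples = [
        ("https://cdn.example.com/player.swf?v=2", None),
        ("https://training.example.com/course/intro.swf", None),
        ("https://cdn.example.com/media/player", "application/x-shockwave-flash; charset=binary"),
        ("https://www.example.com/index.html", "text/html"),
        ("https://ads.example.net/applet.jar", None),
        ("https://legacy-app.intranet.example/app/applet.jar", None),
        ("https://legacy-app.intranet.example.attacker.com/applet.jar", None),
    ]
    for url, ctype in samples:
        print(f"{decide(url, ctype):5}  {url}  [{ctype or '-'}]")
```

In a real deployment the extension check runs on the request and the Content-Type check on the response, so the proxy needs a hook at both points; the decision logic is the same either way.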
Flash isn’t quite there yet, but it doesn’t mean we can’t start filtering it.