Oh, Adobe Flash, why are you so insecure? But in corporate environments we (most of the time) just can’t get rid of Flash: for backwards compatibility, to prevent complaints (including from higher management, who will not back away from viewing their favourite Flash sites and would be willing to risk the security of the organization for it)… whatever the reasons, we just have to put up with this amazing piece of software for now (and let’s hope HTML5 gains traction faster).
If you are one of the many who need to keep Flash on all user machines, then there is some limited relief in the form of the official Adobe Flash 17 Administration Guide (a newer version may exist by the time you read this): http://www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_17_0_admin_guide.pdf
For some unknown reason there are no STIGs or NSA security guides for configuring Flash, so we are on our own here.
First of all: are you updating Flash across all your computers every time a new version comes out? Are you sure – are you checking the version after each update on all computers? Are you disabling it every time an exploit comes out, until a new, patched version is out?
Second: after the above is done and integrated into the daily processes and procedures at your workplace, it is time to think about hardening it.
If you look at the payload of any Flash exploit, you will see, in almost all cases, imports of functions relating to network and file system access, among others. So our objective will be to limit the access Flash has to file and network resources, so that it is unable to download the second stage of a payload or store, modify or decrypt it on the file system, effectively rendering the exploits useless.
Ignoring the deployment options from the guide above as they’re not relevant to this book, let’s focus on the security configuration settings described in it, specifically page 24 and the file “mms.cfg”.
mms.cfg file location
Assuming a default Windows installation, Flash Player looks for the mms.cfg file in the following system directories:
• 32-bit Windows – %WINDIR%\System32\Macromed\Flash
• 64-bit Windows – %WINDIR%\SysWow64\Macromed\Flash
In general, as you go through the settings, follow a whitelisting rule: allow network connections and file activity (downloads, for example) only for explicitly approved domains and locations. Pages 28, 33 and 35 of the guide above are the most interesting for our purposes.
Of all the settings, the following are almost mandatory; the preferred values are the ones used in the mms.cfg file at the end of this post (and remember: test, test, test. Some settings may and will break needed functionality; play at your own risk!):
LocalFileReadDisable = [ 0, 1 ] (0 = false, 1 = true)
FileDownloadDisable = [ 0, 1 ] (0 = false, 1 = true)
FileUploadDisable = [ 0, 1 ] (0 = false, 1 = true)
SilentAutoUpdateEnable = [ 0, 1 ] (0 = false, 1 = true)
DisableSockets = [ 0, 1 ] (0 = false, 1 = true) (read the guide’s description of this setting and of the option that follows it)
ProtectedMode = [0, 1] (0 = off, 1 = on)
So my mms.cfg file looks like this:
LocalFileReadDisable = 1
FileDownloadDisable = 1
FileUploadDisable = 1
SilentAutoUpdateEnable = 1
DisableSockets = 1
ProtectedMode = 1
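Since the guide describes the file but gives no way to check that every machine actually carries the hardened values, here is an added audit script (my own example, not from the Adobe guide or from this post) that parses an mms.cfg, compares it against the baseline above and reports any setting that is missing or weaker than the preferred value, and resolves the expected file location for 32-bit and 64-bit Windows as listed in the “mms.cfg file location” section. The setting names and values are the ones from this post; the parser rules (one "key = value" per line, "#" starting a comment, last occurrence of a key wins) and the sample weak configuration are my assumptions and constructed test data.

```python
"""Audit an mms.cfg against the hardened baseline from the post above.

Added example, not from the Adobe Flash Administration Guide. Setting names
and preferred values are taken from the post; the parsing rules and the
sample input below are assumptions made for this example.
"""
import ntpath
import re
import sys

# Preferred values, copied from the post's own mms.cfg (name -> value).
BASELINE = {
    "LocalFileReadDisable": "1",
    "FileDownloadDisable": "1",
    "FileUploadDisable": "1",
    "SilentAutoUpdateEnable": "1",
    "DisableSockets": "1",
    "ProtectedMode": "1",
}

# The post's hardened file, used as the reference that must audit clean.
HARDENED = """\
LocalFileReadDisable = 1
FileDownloadDisable = 1
FileUploadDisable = 1
SilentAutoUpdateEnable = 1
DisableSockets = 1
ProtectedMode = 1
"""

# Constructed sample of a weak deployment (not a real file): uploads and
# sockets left enabled, ProtectedMode not set at all.
SAMPLE_WEAK = """\
# constructed sample, not a real deployment
LocalFileReadDisable = 1
FileDownloadDisable = 1
FileUploadDisable = 0
SilentAutoUpdateEnable = 1
DisableSockets = 0
"""

_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(\S+)$")


def parse_mms_cfg(text):
    """Parse mms.cfg text into a dict of name -> value.

    Assumed format: one 'key = value' per line, '#' begins a comment, blank
    lines are ignored, and a key repeated later overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(settings, baseline=BASELINE):
    """Return (name, found, expected) for every baseline setting that is
    absent (found is None) or differs from the preferred value."""
    findings = []
    for name, expected in baseline.items():
        found = settings.get(name)
        if found != expected:
            findings.append((name, found, expected))
    return findings


def mms_cfg_dir(windir, is_64bit):
    """Directory Flash Player reads mms.cfg from, per the post:
    System32 on 32-bit Windows, SysWow64 on 64-bit Windows."""
    sub = "SysWow64" if is_64bit else "System32"
    return ntpath.join(windir, sub, "Macromed", "Flash")


def main(argv):
    # Audit the file named on the command line, or the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WEAK
    findings = audit(parse_mms_cfg(text))
    if not findings:
        print("mms.cfg matches the hardened baseline")
        return 0
    for name, found, expected in findings:
        state = "missing" if found is None else "set to %s" % found
        print("%s is %s, expected %s" % (name, state, expected))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of a collected mms.cfg as the only argument; the exit code is non-zero when any baseline setting is missing or weaker, which makes it easy to roll into a post-update check across machines.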