A new tool, developed to improve the security of Flash until its retirement, has been released to the open-source community.
Adobe Flash, due to be deprecated in 2020, is a common feature in monthly security updates pushed by the vendor and accounts for over 1,000 CVE assignments since 2005 — many of which have a CVSS score of 9.0 or higher.
The software is used for multimedia components, including rich Internet applications in-browser, but its adoption is gradually declining now that many major browsers have dropped support for the ever-vulnerable software.
This does not mean that exploits for the software are not being adopted by attackers, however. You will often find Flash-based exploits in threat actor toolkits in the wild, and until the software is truly phased out — which may be years after 2020 when Adobe stops distributing the software — it is unlikely that attacks against Flash will cease.
In order to maintain adequate levels of security for Flash until its demise, a balance has to be struck between the time and resources spent auditing the software and the need for analysis.
To assist the cause, cybersecurity firm FireEye has released Flashmingo, a framework for the automatic analysis of SWF files. The company revealed the new tool on Monday, which has now been given to the open-source community. FireEye says that Flashmingo “enables analysts to triage suspicious Flash samples and investigate them further with minimal effort.”
Flashmingo integrates into analysis workflows either as a standalone tool or as part of a library, and the cybersecurity firm says it is also possible to extend the software’s functionality through custom Python plugins.
The tool uses the open-source SWIFFAS library to parse Flash files and all of the binary and bytecode data is stored in an object called SWFObject after parsing. Tag lists, strings, constants, and embedded binary data are all included.
There are also a number of plugins included by default that allow Flashmingo to find suspicious method names and loops, as well as malicious constants. A separate plugin gives users the option to decompile Flash objects.
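To show the kind of work described above (parsing a SWF into its header and tag list, then running a triage check over the tag bodies), here is a small added example written for this article; it is not Flashmingo's or SWIFFAS's code, the sample SWF is constructed inline, and the indicator list and function names are assumptions for illustration.

```python
import struct
import zlib

# Assumed triage indicators: ActionScript names a SWF used as a loader stage often references.
SUSPICIOUS_NAMES = {"loadBytes", "ByteArray", "writeByte", "Loader", "ExternalInterface"}
TAG_NAMES = {0: "End", 1: "ShowFrame", 69: "FileAttributes", 76: "SymbolClass",
             82: "DoABC", 87: "DefineBinaryData"}

def build_sample(compressed=False):
    """Construct a tiny SWF: header, one DoABC tag, then the End tag (constructed, not real ABC)."""
    abc = b"\x10\x00\x2e\x00" + b"\x00\x00\x00\x02\x09loadBytes\x00"  # stand-in DoABC payload
    doabc = struct.pack("<H", (82 << 6) | 0x3F) + struct.pack("<I", len(abc)) + abc  # long-form length
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1) + doabc + b"\x00\x00"  # RECT(nbits=0), 24 fps, 1 frame, tags
    sig, payload = (b"CWS", zlib.compress(body)) if compressed else (b"FWS", body)
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload  # version 10, uncompressed length

def parse_swf(data):
    """Return header fields and a list of (tag_code, tag_body) from an FWS or CWS file."""
    sig, version, length = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])          # zlib-compressed after the 8-byte header
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' is not handled in this example)")
    nbits = body[0] >> 3                          # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8                # RECT is padded to a byte boundary
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256   # 8.8 fixed point
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack("<H", body[pos:pos + 2])[0]          # RECORDHEADER: code in top 10 bits
        code, tlen = hdr >> 6, hdr & 0x3F
        pos += 2
        if tlen == 0x3F:                                          # long form: u32 length follows
            tlen = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, body[pos:pos + tlen]))
        pos += tlen
        if code == 0:                                             # End tag closes the tag list
            break
    return {"version": version, "length": length, "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags}

def find_suspicious(tags, names=SUSPICIOUS_NAMES):
    """Plugin-style check: report which tags mention which indicator names."""
    return sorted((TAG_NAMES.get(code, f"tag_{code}"), name)
                  for code, tag_body in tags for name in names if name.encode() in tag_body)
```

A real file can be passed as `parse_swf(open(path, "rb").read())`; the check is a byte-level string match, so it flags mentions of the names, not proven misuse.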
“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while,” FireEye says. “Flashmingo provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format.”
Flashmingo can be downloaded from GitHub.
In March, FireEye released the Complete Mandiant Offensive VM (Commando VM) suite, a Windows-based rival of the Kali Linux penetration testing platform.
Commando VM is geared towards pen testing and red team use and aims to give users a VM suitable for staging command-and-control (C2) networks and a suite of tools including Boxstarter, Chocolatey, and MyGet in a native Windows environment.