Adobe has brought us yet another delightful 0day vulnerability and POC code has apparently made it into the wild. Exploits are expected ahead of Adobe's target date for a patch on the 18th.
Suppose I were to sell the business on blocking Flash on the gateway--how best to accomplish?
I searched the System Lists MediaType for Flash and found the following MediaType.EnsuredTypes - I haven't yet looked to see if there's a reliable user agent string that Flash presents across Chrome, IE and Firefox.
| 172 | application/vnd.adobe-flv-authoring | Flash Movie Authoring file |
| 263 | application/x-flash-shared-object | Adobe Flash shared object file |
| 24 | application/x-shockwave-flash | Macromedia Flash file |
| 33 | video/f4v | MPEG-4 based Flash Video |
| 22 | application/x-shockwave-flash | Macromedia Flash file |
Anyone tried this and how much screaming did you have from the business?
Nothing really. The ticket I opened confirmed my approach as viable if you wanted to do it. I'm going to code it up and apply it to my own IP and see how much it breaks.
We are doing partially what you are trying to accomplish (using some of the MediaTypes you highlighted) and we get regular calls from users trying to view training videos and some web applications that are flash-based (there are surprisingly still a lot out there.)
We took the "whitelisting the exceptions" approach, systematically whitelisting the legitimate sites users are trying to reach and it's been somewhat of a pain, but still manageable. Flash is such a pain in the neck security-wise that I still prefer having some users call me and allowing their sites on an exception basis than having to deal with the ransomware...
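The block-by-media-type plus whitelisted-exceptions approach discussed in this thread, sketched as an added Python example (not posted by anyone in the thread, and not the gateway's own rule syntax). The hostnames are constructed, and the body check covers only the SWF and FLV file signatures, so a Flash response with a mislabelled Content-Type is still caught.

```python
# Added illustration of the policy logic; not web gateway rule syntax.

# Media types taken from the list quoted in the thread.
FLASH_TYPES = {
    "application/vnd.adobe-flv-authoring",
    "application/x-flash-shared-object",
    "application/x-shockwave-flash",
    "video/f4v",
}

# File signatures: SWF (uncompressed, zlib, LZMA) and FLV video.
# F4V is an MP4 container and is matched here by declared type only.
FLASH_MAGIC = (b"FWS", b"CWS", b"ZWS", b"FLV")

# Constructed exception list (hypothetical hosts approved by the business).
ALLOWED_HOSTS = {"training.example.com"}


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host is an approved site or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def looks_like_flash(content_type, body_prefix):
    """Check the declared type first, then the first bytes of the body."""
    declared = content_type.split(";", 1)[0].strip().lower()
    return declared in FLASH_TYPES or body_prefix[:3] in FLASH_MAGIC


def decide(host, content_type, body_prefix):
    """Return 'block' for Flash content from hosts not on the exception list."""
    if not looks_like_flash(content_type, body_prefix):
        return "allow"
    return "allow" if host_allowed(host) else "block"


if __name__ == "__main__":
    # Constructed sample responses: (host, Content-Type, first body bytes)
    samples = [
        ("cdn.example.net", "application/x-shockwave-flash", b"CWS\x0b"),
        ("cdn.example.net", "image/png", b"CWS\x0b"),  # mislabelled SWF
        ("training.example.com", "application/x-shockwave-flash", b"FWS\x0a"),
        ("news.example.org", "text/html; charset=utf-8", b"<!DOCTYPE"),
    ]
    for host, ctype, prefix in samples:
        print(f"{host:24} {ctype:34} -> {decide(host, ctype, prefix)}")
```
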