On January 1st, 2021, Flash will be officially marked as End of Life. This means that any new CVEs found in Flash will not be patched, and so Flash will quickly become even more of an attack surface for malicious actors than it is widely recognized as today.
Network metadata is an excellent tool in your arsenal to lock down usage of Flash, letting you find usage of Flash on your system, even where you were sure you had uninstalled it. To make it easier for you to track usage of Flash on your network, we have created the Flash EOL Dashboard! This data is pulled exclusively from unencrypted HTTP traffic, so it is not an exhaustive list of Flash usage, but it should help you find systems which are still hosting Flash content, and clients on your network which are running Flash.
The Dashboard consists of 4 key metrics, 2 tables showing the hosts involved, and a table listing all requests we saw.
The entire dashboard runs against HTTP traffic seen on the network, and filters down to only count events which match either:
- A Flash MIME type was seen in the response
- The URI requested has a known Flash filename extension
4 Metrics are shown first on your dashboard. These show the number of:
- Unique Clients seen making a Flash request
- Unique Clients seen making a Flash request to an external source
- Unique Servers seen receiving a Flash request
- Unique Servers seen receiving a Flash request from an external source.
Each metric treats each unique IP as a unique client or server.
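The filter and the four metrics described above can be reproduced over exported HTTP metadata. The following is an added example, not the dashboard's own query: the MIME types, extensions, internal ranges and the `client`/`server` keys are assumptions, as is the reading that "external" means an IP outside the listed internal ranges; `uri` and `resp_mime_types` follow the column names used on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions, not taken from the page: adjust to your own environment.
FLASH_MIME = {"application/x-shockwave-flash", "video/x-flv"}
FLASH_EXT = (".swf", ".flv")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """True when the IP is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def is_flash(event):
    """Match on response MIME type OR on the extension of the URI path."""
    mimes = {m.lower() for m in event.get("resp_mime_types") or []}
    # Look at the path only, so "?next=a.swf" in a query string does not match.
    path = urlsplit(event.get("uri") or "").path.lower()
    return bool(mimes & FLASH_MIME) or path.endswith(FLASH_EXT)

def flash_metrics(events):
    """Count unique IPs for each of the four dashboard metrics."""
    hits = [e for e in events if is_flash(e)]
    return {
        "clients": len({e["client"] for e in hits}),
        "clients_to_external": len({e["client"] for e in hits
                                    if is_external(e["server"])}),
        "servers": len({e["server"] for e in hits}),
        "servers_from_external": len({e["server"] for e in hits
                                      if is_external(e["client"])}),
    }

# Constructed sample events (documentation and private address ranges).
EVENTS = [
    {"client": "10.0.0.5", "server": "203.0.113.10",
     "uri": "/ads/banner.swf?x=1", "resp_mime_types": ["application/x-shockwave-flash"]},
    {"client": "10.0.0.5", "server": "10.0.1.20",   # matched by MIME type only
     "uri": "/training/player", "resp_mime_types": ["application/x-shockwave-flash"]},
    {"client": "10.0.0.7", "server": "10.0.1.20",   # matched by extension only
     "uri": "/old/intro.SWF", "resp_mime_types": None},
    {"client": "198.51.100.9", "server": "10.0.1.20",  # external client
     "uri": "/old/intro.swf", "resp_mime_types": ["text/html"]},
    {"client": "10.0.0.8", "server": "203.0.113.10",   # not Flash: query string only
     "uri": "/index.html?next=a.swf", "resp_mime_types": ["text/html"]},
]

if __name__ == "__main__":
    print(flash_metrics(EVENTS))
```
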
Host Data Tables
Below the Metrics, the Clients Table has 3 fields:
- Client IP - The IP seen performing Flash requests
- User Agent - the Agent seen performing requests
- Requests - the count of requests seen by this User Agent & IP combination.
If a Client uses 10 different agents to use Flash, then 10 different rows will appear.
The Server Table has 3 fields:
- Server IP - The IP seen responding to Flash requests
- Host - the name of the host serving up Flash files.
- Requests - the count of requests seen by this IP & host combination
If a Server has 10 different host names offering Flash, then 10 different rows will appear.
Below this is a more detailed view of which Flash requests are being made. The columns used are:
- Client IP - the IP making the request
- User Agent - the User agent used to make the request
- Server IP - the IP responding to the request
- uri - the exact URI requested
- Last resp_mime_types - the mime type of the response
- Last Host - the name of the host that was accessed
- Latest hostname - the hostname of the Server
- Requests - the number of times this request was made.