VMware has a KB article out (linked below) about the Adobe Flash crashes that happen if you’re running the latest version of Flash (188.8.131.52). A lot of us were caught off guard recently when our PCs updated themselves and we couldn’t get into our VMware vSphere environments.
The VMware KB article suggests downgrading your Flash client. Left by itself this is completely irresponsible advice.
1. The Adobe Flash update addresses a critical security vulnerability that is being exploited in the wild. The security advisory (linked below) states:
Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.
Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.
(as an aside, Adobe acknowledges Kaspersky Labs staff, which makes me think that they’re making good on their promises to figure out how Russian hackers used their software to exfiltrate NSA data).
2. If you downgrade your Flash installations you will need to disable the auto-updaters, which is what got us all into these situations. I don’t know about you but I always forget to re-enable the updaters, and that’s bad.
3. There are workarounds. The HTML5 client, though incomplete, gets many people back in business. Microsoft Edge and Internet Explorer seem to work with Flash on Windows 10 1703, too, at least for all my team’s environments.
So what’s my advice?
- Limp along with Microsoft Edge and the HTML5 client until VMware updates their clients. I think it’s safe to assume they’re working on it. Start making plans to patch your vCenter in the next few weeks.
- If you don’t have the HTML5 client you can get it as a VMware Fling (link below).
- If you absolutely have to downgrade Flash don’t run the vulnerable Flash on a PC you use for anything else. It’s annoying but you can survive a few weeks of this, provided you’re running a supported version of vSphere.
- Use network- & host-based firewalls to prevent all traffic that isn’t destined for your vSphere implementations. You’ll probably need to allow DNS, as well, but I’d keep it really locked down. I would even think twice about joining it to Active Directory.
- You should already be running antivirus and antimalware on your systems but it’s especially important for systems that are intentionally out of date.
- Use a virtual machine running in VMware Workstation for the insecure client. Make it non-persistent and use it for nothing else. Or a Windows Server installation with Terminal Services enabled.
- Put a calendar reminder in for your team to clean this whole thing up in a month.
- If you have dedicated IT security personnel (CISOs and such) reach out to them proactively. Make a business case around this — you need to do this to be able to support the environments, but you’re being responsible about the risk.
- If you’re running an unsupported version of vSphere you need to upgrade ASAP. This is a great business driver for it. Never let a crisis go to waste! vSphere 5.5 goes end-of-support on 09/19/2018 so I’d even consider using this as a driver to get to 6.5…
Good luck & stay safe.