Euro Security Watch with Mathew J. Schwartz

Risk Management , Technology

2016 Resolution: Ditch Flash Zero-Day Attackers Target Aging Plug-In Yet Again
2016 Resolution: Ditch Flash

Out with the old, in with the new.

See Also: Detecting Insider Threats Through Machine Learning

That's Adobe's holiday message for users of Flash, warning that attackers are actively exploiting a zero-day flaw in all versions of its Flash - a.k.a. Shockwave - browser plug-in software and that users should update immediately, or else.

"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day." 

On Dec. 28, Adobe released software updates that patch 19 separate security flaws in Flash as well as Adobe AIR, which is its cross-operating-system runtime that can combine HTML, JavaScript and Flash, among other technologies. Some of those flaws are labeled as being "critical," which in Adobe-speak means they potentially can be used by attackers to execute malicious code on a vulnerable system, possibly without a user being aware.

"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe's product security team says in a blog post.

Barring another emergency patch from Adobe before New Year's Day, the company this year will have patched 316 flaws in Flash, according to the Flash Tester website, which works out to the equivalent of more than 6 new bugs per week this year.

One of the 19 most recently patched flaws, described only as an "integer overflow vulnerability" and designated as CVE-2015-8651, "is being used in limited, targeted attacks," Adobe adds. "Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin." The company says credit for discovering that flaw goes to researchers at Chinese networking and telecommunications giant Huawei.

Even if attackers can't exploit that flaw to seize control of a targeted PC, "failed exploit attempts will likely result in denial-of-service conditions," warn security researchers from Symantec in a blog post.

Vulnerable software fixed in the latest update cycle includes all previous versions of the Adobe Flash Player Desktop Runtime for Windows and Mac OS X; the Adobe Flash Player for Google Chrome, plus Edge and Internet Explorer versions 10 and 11 - running on Windows 8.0, 8.1 or 10 - as well as Adobe Flash Player for Linux. Prior versions of Adobe AIR and related software development kits and compilers designed to run on Windows, Mac OS X, Android and iOS are also vulnerable.

But security experts recommend that users of recent versions of modern browsers - Google Chrome, Mozilla Firefox and Microsoft Edge and Internet Explorer - at least enable "click to play," so Flash won't execute without a user's permission. That can also help block related attacks, especially if they target zero-day flaws in the browser plug-in.

Why Use Flash?

The latest warning from Adobe that its plug-in software is being felled by zero-day attacks begs the question: Why do friends let friends run Flash anymore? (see Update or Uninstall Flash, Experts Warn).

Flash debuted in 1996, just three years after Adobe's then-proprietary PDF standard was first released. But whereas PDFs eventually became usable - I credit Apple - Flash has become the second-worst security nightmare plug-in that won't die, after Java.

How Flash Rates

What technology cyberattackers targeted in 2015. Source: Kaspersky Lab.

Security experts say that Flash's popularity with the hacking community is due to the plug-in's wide install base and the fact that buggy versions can be easily and automatically exploited en masse by crimeware toolkits, thus giving attackers an easy way to "pwn" many PCs at once. From there, they typically install malware to ransack the systems for financial information, install ransomware to extort bitcoins from victims, or turn infected systems into spam relays or nodes for launching large-scale distributed denial-of-service attacks (see Malware Hides, Except When It Shouts).

No End in Sight

Although Flash and Java are akin to the Steven Seagal of the security continuum - "Tough to Kill" and annoyingly persistent - experts are still trying to take it down. In July, Facebook's security chief, Alex Stamos, called on Adobe to set a date for Flash to die and for browsers to enforce the end of Flash so that developers will be forced to migrate to HTML5. He's just the latest in a long line of technologists - including the late Steve Jobs, who declined to let Flash run on iOS - to say that it's time to move to HTML5 and WebGL, which offer many of the capabilities of Flash, but in an open source and easier to secure form.

"Nobody takes the time to rewrite their tools and upgrade to HTML5 because they expect Flash4Eva," Stamos said via Twitter. And there are signs that even advertisers are finally dumping the plug-in, the Guardian reports.

But don't hold your breath over Flash's imminent demise. On Nov. 30, Adobe announced that it soon plans to rebrand its Flash Professional CC tool - for creating Flash animations - as Animate CC. Adobe says the tool is designed "for developing HTML5 content while continuing to support the creation of Flash content. "



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network