Adobe Flash vulnerabilities – a never-ending string of security risks
It’s time you learnt how to live without Flash (spoiler: it’s easier than you think)
You, me and millions other people in the world use Flash Player. To most of us, it’s a necessity and we don’t pay much attention to it, because it’s that thing that runs in the background that some apps need in order to work.
But here’s why you should care:
Adobe Flash is one of the preferred methods that cyber criminals use to attack users worldwide!
You might wonder why, so I’m going to take you on a short and informative ride through its troubled history, showing how all this affects you specifically.
Here are some numbers to start you off with:
- more than 500 million devices are addressable today with Flash technology, and it is projected there will be over 1 billion addressable devices by the end of 2015.
- more than 20,000 apps in mobile markets, like the Apple App Store and Google Play, are built using Flash technology.
- 24 of the top 25 Facebook games are built using Flash technology. The top 9 Flash technology enabled games in China generate over US$70 million a month.
- More than 3 million developers use the Adobe Flash technology to create engaging interactive and animated web content.
But here’s the worrying statistic of the set that Adobe provides:
- More than 400 million connected desktops update to the new version of Flash Player within six weeks of release.
Six weeks is a very long time when it comes to cyber security. In six weeks, millions of Flash users can be compromised. And the worse news is that they usually become victims of cyber attacks.
Do you how many Adobe Flash vulnerabilities were identified in the past 6 weeks?
And out of those 30 security vulnerabilities, 16 were critical, allowing information exposure, allowing attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors or to execute arbitrary code.
Translation: vulnerabilities in the code provided cyber criminals with the opportunity to infiltrate their own code into the victims’ computers. From there, they could do pretty much what they want, including collecting your login data, your credit card information or encrypting your computer and asking a hefty ransom.
But what does Flash actually do and why do we need it?
Adobe created Flash (formerly called Macromedia Flash and Shockwave Flash) as a platform that allows developers to create vector graphics, animation, browser games, rich Internet applications, desktop applications, mobile applications and mobile games.
Here’s what Flash can do:
- Display text and graphics to provide animations, video games and applications
- Allows audio and video streaming
- Can capture mouse, keyboard, microphone and camera input.
It can do lots of other things as well, but you probably already got the idea:
Flash is deeply ingrained in your web browser, your applications, and the websites you use every day.
- Flash Player is used on 110 million websites aka 11% of all the websites in the world!
- Adobe Air, also built in Flash, reaches more than 1 billion connected desktops!
- Adobe Reader is used by 2.9 million customers worldwide.
And all of them are constantly exposed to vulnerabilities which turn into cyber threats which, more often than not, turn into fully blown cyber attacks.
Let’s see how the number of Flash vulnerabilities has evolved in the past decade:
As you can see from the statistics, this year the number of security vulnerabilities in Flash has skyrocketed:
In 2014, it had a total of 76 vulnerabilities, but since the 1st of January 2015 it’s amassed 94!
Here’s a breakdown of these by type:
- 32 vulnerabilities allowed DoS attacks – attackers could execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
- 68 vulnerabilities allowed code execution from malicious sources.
- 17 vulnerabilities allowed overflow – an anomaly where a program that causes a violation of memory safety. The buffer overflow can modify how a program works, which may result in erratic program behavior, including memory access errors, incorrect results, crashes, or a breaches of system security.
- 28 vulnerabilities allowed memory corruption, as discussed above.
- 18 vulnerabilities allowed cyber criminals to bypass something and gain access to the victim’s computer and resources.
- 13 vulnerabilities allowed attackers to gain information from the victims’ computers.
And these types of threats can sometimes be combined to incur even more damage.
Can’t software developers use other, more secure platforms?
For a long time, Flash has been the platform of choice. Now developers can choose to use HTML 5 as an alternative, but this option hasn’t gained enough popularity to oust Flash as market leader.
And chances are, as another platform will become the go-to solution for developers, it will suffer the same fate as Flash.
But let’s see how things actually work:
So how do cyber criminals actually use Flash vulnerabilities against me?
The more complex software gets, the more security holes it has. It’s as simple as that.
This is a simple version of how things happen in real life:
A vulnerability or more are discovered.
The software maker, in this case Adobe, work on an update to fix it.
They release the update – sometimes relatively fast, because users are sure targets for cyber attacks – and more bugs appear.
And this loop NEVER ends.
Here’s how cyber criminals use vulnerabilities in Flash or other software to penetrate your system:
That’s why we insist that unpatched software is a huge security threat. By ignoring cyber threats and allowing vulnerabilities to exist, we’re fueling the malware economy, which is impacting all of us.
Cyber criminals have a number of approaches they use when targeting their victims:
- They can infiltrate advertising networks that deliver banners and infect those banners (which sometimes are displayed on healthy, normal websites)
- They can infect browser games
- They can be PDF documents that exploit vulnerabilities in readers, such as Adobe Reader, to drop ransomware or other types of malware
- They can penetrate desktop applications and many more.
To put it bluntly: they can be anywhere, without you ever knowing it.
Why most exploits kits target Flash and go undetected ‘till it’s too late
One of the most common methods of infection that cyber criminals use are exploit kits.
An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser.
Here are the most heavily used exploit kits of 2014, according to Trustwave Global Security Report 2015:
And the award for most exploited application in 2014 goes to…. Adobe Flash!
With a whopping 33,2% share, Flash makes it to the top of the list, becoming a favorite vector for cyber attacks. The reason is, of course, the never-ending string of vulnerabilities presented at the beginning of this article.
And there’s another important aspect to it. Exploit kits are incredibly popular tools in the malware market! Cyber security specialist Lenny Zeltser explains why:
A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.
Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.
Furthermore, exploits kits pose a serious challenge to traditional cyber security products, such as antivirus.
Antivirus can’t protect you from advanced exploit kits. Find out what can!
The thing is antivirus can’t protect you against these highly advanced exploit kits, because they sometimes never place a single file on your system. Since antivirus employs a file-detection system to identify a threat or an infection, it won’t be able to block an exploit kit such as Angler.
There are, of course, next generation anti-hacking tools that can help you enhance your protection against sophisticated threats, so I recommend you test them to see what fits your needs best.
Hot topic: the Zero Day vulnerability problem
Exploits kits are especially dangerous when they go after Zero Day vulnerabilities. A Zero Day vulnerability is a security hole in software that is unknown to the software vendor. That means that cyber criminals can exploit that hole before any updates that can fix it are released.
Here’s the Zero Day scenario, as depicted in the 2015 Trustwave Global Security Report:
If you want to go online protected from Zero Hour exploits and exploit kits in general, I recommend using a mix of security products that includes:
- an antivirus solution
- a product that ensure anti-exploit protection
- a security product that filters your Internet traffic for threats (and blocks them before reaching your system)
- and a patching tool that delivers updates as soon as they’re available!
Some of these products can be found standalone, and some of them include these features bundled, so a taking the time to do a bit of research could save you a lot of trouble in the future.
When it comes to Flash, it also has a history of Zero Day vulnerabilities that’s not something to ignore. In fact, the last Zero Day vulnerability to make headlines happened just last week!
The latest vulnerability in Flash Player: Magnitude exploit kit integrates Flash Player vulnerability
It’s only been 4 days from the latest critical security update released by Adobe and another misfortune bring up Flash’s security problems again.
The attack bypasses the majority of all traditional antivirus solutions, as well as a large number of gateways and security appliances, which the payload can slip past.
This leaves vulnerable installations open to several types of penetration and system manipulation:
- total information disclosure, resulting in all system files being revealed
- total compromise of system integrity – there is a complete loss of system protection, resulting in the entire system being compromised
- total shutdown of the affected resource – by which the attacker can render the resource completely unavailable
- very little knowledge or skill is required to exploit this security vulnerability
- authentication is not required to exploit the vulnerability.
Among the many campaigns which make use of Magnitude exploit kit, there is one that’s particularly active and extensive in scope. The campaign is delivered through a variety of dedicated drive-by domains, which we have already blocked through the Heimdal Secure DNS. A small section can be found below (sanitized by Heimdal Security):
carcs [.] in
pure wide [.] in
waypassed [.] in
Volume weeks [.] in
foodpartys [.] in
notedvalid [.] in
comingjumps [.] in
holiday final [.] in
inputtedhole [.] in
sidesmanuals [.] in
trace windows [.] in
childrenopens [.] in
lecturescause [.] in
quietlygrowth [.] in
station status [.] in
userssuspends [.] in
citizen seconds [.] in
The above are FQDNs (fully qualified domain names), but the campaign is designed with thousands of subdomains. The payload is delivered by determining which country the client comes from.
Read ahead for guidelines that you can use to protect yourself from these types of vulnerabilities.
UPDATE: 03.07.2015: A new and previously undocumented vulnerability that exists in multiple versions of Adobe Flash Player, has been reported from several sources, including Fortinet.
Heimdal Security has analyzed the exploit, and can confirm that it is different from previous exploits we have looked at.
The vulnerability is however patched with the latest security update from Adobe. This means that Adobe Flash Player version 220.127.116.11 and newer are not vulnerable. All vulnerable versions have long been patched for the Heimdal users.
As it appears from Fortinet’s blog and from out technical review, this is a different exploit than we have observed in the past. A spraying vector is used in combination with a glowfilter object and an established safety circumvention known as the “CFG bypass”.
That exploit recorded is Magnitude exploit kit, which is a commercial exploit kit that we have seen supplying also Cryptowall3 and Pony against vulnerable machines in Denmark.
The exploit achieves only very limited antivirus detection (5/55) and is transported to the client through script injections on legitimate web pages and through malvertizing.
A small sample of the CryptoWall distribution domains are reproduced below (sanitized by Heimdal Security):
microforgeandfitting [.] in
magaligilbert [.] com
matheusprado [.] net
loccidigital.com [.] br
noivasefestas [.] net
vllusionshop [.] org
loveyourneighbortour [.] com
mundofomix [.] com
mevtutorial [.] in
mduinfo [.] com
phulwaribiotech [.] com
ppinvesting [.] me
klovertel [.] com
All domains have already been blocked in the Heimdal Secure DNS.
As already mentioned, the exploit has a low AV detection (5/55), as we can see from the Virus Total page.
UPDATE: 09.07.2015: It´s only been 6 days since Adobe had to publish a critical security update for Flash Player. Now, less than a week later, they have to do it again.
This derives from a 0-day vulnerability which was leaked after the breach of Italian security company “Hacking Team”. This has exposed a so-far unknown vulnerability in the popular and widely used media player. We are therefore dealing with a 0-day vulnerability where a complete proof of concept is available.
The published exploit is confirmed to work on Windows 7 with a fully patched version of Flash Player. The vulnerability can be exploited by embedding code on a website which the victims are tricked to visit. Upon visiting the website, the exploit is ran and the arbitrary code runs with the same rights as the logged in user.
The exploit was part of a package in the surveillance tool “Da Vinci” that was published last weekend after the controversial company was hacked.
The vulnerability is called CVE-2015-5119. It exists in Adobe Flash Player from version 18.104.22.168 back all older versions for Windows and Macintosh. It also appears on Adobe Flash Player version 22.214.171.1248 and also exists in all older versions on Linux.
Heimdal has already deployed an update that automatically patches all vulnerable installations. You can also consult the latest Adobe Security Bulletin for more details.
So how do you protect yourself from cyber threats targeting Adobe Flash?
If you’ve read this blog before, you must’ve heard this plenty of times. Still, here it goes again:
Keep your software updated at all times!
Now there are 2 ways you can do this:
If you choose to update your software manually, you should never ignore an update prompt!
But what if you’re somewhere where you have limited Internet access?
Or click away the update window?
Or turn off your computer by mistake, run out of battery, etc., etc.?
Then you should choose option number 2. Automatic updates can be delivered via the Flash product itself or through various applications that have Flash built-in, such as Google Chrome.
The easiest way, however, is to use a patching application, that will update not only Flash, but also other vulnerable software on your system, such as browsers. You’ll never have to worry about another update again!
Also, since exploits use your browser most of the time, make sure you secure it properly. You can use the advice in this guide to enhance your browser’s protection and give you a bit more peace of mind.
Of course, you should always use the appropriate security products that offer a multi-layered protection. One product can’t solve all security problems, and there are plenty of those, as you’ve read.
But is there another possible solution?
Can you live without Flash?
Yes, you can, but you might find it annoying if you’re used to having everything ready to go.
Security specialist Brian Krebs did an experiment earlier this month and tried to go without Flash Player for a month.
In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing).
Moreover, Brian Krebs suggest another 2 possible solutions for those who want to be safe and use Flash Player once in a while, when they really, really have to.
If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.
Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).
In hindsight, Steve Job’s decisions to give up Flash was very appropriate, although it may not have seemed so for many at that time.
The ongoing debate over the death or near-death of Flash might take some time to unfold, and Flash may even recover from its current state – who knows? Oracle’s Java used to be the main vector used by cyber criminals, and now 14,5% of exploits target it – which is not great, but it’s not disastrous either.
But until Flash’s security increases, we should all be cautious. Using free software may sometimes cost you your privacy or security, or both. Don’t let that be the case.
Keep your software up to date, use the appropriate cyber security tools and keep an eye out for trouble. That’s what you need to enjoy everything that the web has to offer!