
You, me and millions of other people in the world use Flash Player. To most of us, it’s a necessity and we don’t pay much attention to it, because it’s that thing that runs in the background that some apps need in order to work.

But here’s why you should care:

Adobe Flash is one of the preferred methods that cyber criminals use to attack users worldwide!

You might wonder why, so I’m going to take you on a short and informative ride through its troubled history, showing how all this affects you specifically.

Here are some numbers to start you off with:

According to Adobe:

  • More than 500 million devices are addressable today with Flash technology, and it is projected there will be over 1 billion addressable devices by the end of 2015.
  • More than 20,000 apps in mobile markets, like the Apple App Store and Google Play, are built using Flash technology.
  • 24 of the top 25 Facebook games are built using Flash technology. The top 9 Flash technology enabled games in China generate over US$70 million a month.
  • More than 3 million developers use the Adobe Flash technology to create engaging interactive and animated web content.

But here’s the worrying statistic of the set that Adobe provides:

  • More than 400 million connected desktops update to the new version of Flash Player within six weeks of release.

Six weeks is a very long time when it comes to cyber security. In six weeks, millions of Flash users can be compromised. And the worst news is that they usually become victims of cyber attacks.

Do you know how many Adobe Flash vulnerabilities were identified in the past 6 weeks?

Thirty!

And out of those 30 security vulnerabilities, 16 were critical: they allowed information exposure, let attackers bypass intended access restrictions and obtain sensitive information via unspecified vectors, or let them execute arbitrary code.

Translation: vulnerabilities in the code gave cyber criminals the opportunity to inject their own code into the victims’ computers. From there, they could do pretty much whatever they want, including collecting your login data and your credit card information, or encrypting your computer and demanding a hefty ransom.


But what does Flash actually do and why do we need it?

Adobe created Flash (formerly called Macromedia Flash and Shockwave Flash) as a platform that allows developers to create vector graphics, animation, browser games, rich Internet applications, desktop applications, mobile applications and mobile games.

Here’s what Flash can do:

  • Display text and graphics to provide animations, video games and applications
  • Stream audio and video
  • Capture mouse, keyboard, microphone and camera input

It can do lots of other things as well, but you probably already got the idea:

Flash is deeply ingrained in your web browser, your applications, and the websites you use every day.

FACTS:

  • Flash Player is used on 110 million websites, which is 11% of all the websites in the world!
  • Adobe AIR, also built on Flash, reaches more than 1 billion connected desktops!
  • Adobe Reader is used by 2.9 million customers worldwide.

And all of them are constantly exposed to vulnerabilities which turn into cyber threats which, more often than not, turn into fully blown cyber attacks.

Let’s see how the number of Flash vulnerabilities has evolved in the past decade:

Figure: evolution of the number of Adobe Flash vulnerabilities per year over the past decade. Source.

As you can see from the statistics, this year the number of security vulnerabilities in Flash has skyrocketed:

In 2014, it had a total of 76 vulnerabilities, but since the 1st of January 2015 it’s amassed 94!

Here’s a breakdown of these by type:

  • 32 vulnerabilities allowed DoS attacks – attackers could execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
  • 68 vulnerabilities allowed code execution from malicious sources.
  • 17 vulnerabilities allowed overflows – an anomaly in which a program writes past the end of a buffer, violating memory safety. A buffer overflow can modify how a program works, which may result in erratic program behavior, including memory access errors, incorrect results, crashes, or breaches of system security.
  • 28 vulnerabilities allowed memory corruption, as discussed above.
  • 18 vulnerabilities allowed cyber criminals to bypass security restrictions and gain access to the victim’s computer and resources.
  • 13 vulnerabilities allowed attackers to gain information from the victims’ computers.

Figure: Flash vulnerabilities by type, as a percentage. Source.

And these types of threats can sometimes be combined to cause even more damage.


Can’t software developers use other, more secure platforms?

For a long time, Flash has been the platform of choice. Developers can now choose HTML5 as an alternative, but this option hasn’t gained enough popularity to oust Flash as market leader.

And chances are that, as soon as another platform becomes the go-to solution for developers, it will suffer the same fate as Flash.

But let’s see how things actually work:


So how do cyber criminals actually use Flash vulnerabilities against me?

The more complex software gets, the more security holes it has. It’s as simple as that.

This is a simple version of how things happen in real life:
1. One or more vulnerabilities are discovered.
2. The software maker, in this case Adobe, works on an update to fix them.
3. They release the update – sometimes relatively fast, because users are sure targets for cyber attacks – and more bugs appear.
And this loop NEVER ends.

BUGS IN THE CODE

Here’s how cyber criminals use vulnerabilities in Flash or other software to penetrate your system:

Figure: how an exploit works.

That’s why we insist that unpatched software is a huge security threat. By ignoring cyber threats and allowing vulnerabilities to exist, we’re fueling the malware economy, which is impacting all of us.

Cyber criminals have a number of approaches they use when targeting their victims:

  • They can infiltrate advertising networks that deliver banners and infect those banners (which sometimes are displayed on healthy, normal websites)
  • They can infect browser games
  • They can be PDF documents that exploit vulnerabilities in readers, such as Adobe Reader, to drop ransomware or other types of malware
  • They can penetrate desktop applications and many more.

To put it bluntly: they can be anywhere, without you ever knowing it.


Why most exploit kits target Flash and go undetected until it’s too late

One of the most common methods of infection that cyber criminals use are exploit kits.

An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser.

Here are the most heavily used exploit kits of 2014, according to Trustwave Global Security Report 2015:

Figure: most prevalent exploit kits in 2014.

And the award for most exploited application in 2014 goes to…. Adobe Flash!

With a whopping 33.2% share, Flash makes it to the top of the list, becoming a favorite vector for cyber attacks. The reason is, of course, the never-ending string of vulnerabilities presented at the beginning of this article.

Figure: top exploited applications in 2014.

And there’s another important aspect to it. Exploit kits are incredibly popular tools in the malware market! Cyber security specialist Lenny Zeltser explains why:

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

Furthermore, exploit kits pose a serious challenge to traditional cyber security products, such as antivirus.


The thing is, antivirus can’t protect you against these highly advanced exploit kits, because they sometimes never place a single file on your system. Since antivirus relies on file detection to identify a threat or an infection, it won’t be able to block an exploit kit such as Angler.

There are, of course, next generation anti-hacking tools that can help you enhance your protection against sophisticated threats, so I recommend you test them to see what fits your needs best.


Hot topic: the Zero Day vulnerability problem

Exploits kits are especially dangerous when they go after Zero Day vulnerabilities. A Zero Day vulnerability is a security hole in software that is unknown to the software vendor. That means that cyber criminals can exploit that hole before any updates that can fix it are released.

Here’s the Zero Day scenario, as depicted in the 2015 Trustwave Global Security Report:

Figure: the Zero Day scenario, from the 2015 Trustwave Global Security Report.

If you want to go online protected from Zero Hour exploits and exploit kits in general, I recommend using a mix of security products that includes:

  • an antivirus solution
  • a product that ensures anti-exploit protection
  • a security product that filters your Internet traffic for threats (and blocks them before reaching your system)
  • and a patching tool that delivers updates as soon as they’re available!

Some of these products can be found standalone, and some of them include these features bundled, so taking the time to do a bit of research could save you a lot of trouble in the future.

Flash also has a history of Zero Day vulnerabilities that is not something to ignore. In fact, the last Zero Day vulnerability to make headlines happened just last week!

Figure: high-profile Zero Days in 2014. Source: Trustwave Global Security Report 2015


The latest vulnerability in Flash Player: Magnitude exploit kit integrates Flash Player vulnerability

It’s only been 4 days since the latest critical security update released by Adobe, and another misfortune brings up Flash’s security problems again.

The Magnitude exploit kit has integrated the most recent Flash Player vulnerability (CVE-2015-3113) and is currently using it in several malvertising and drive-by campaigns.

The attack bypasses the majority of all traditional antivirus solutions, as well as a large number of gateways and security appliances, which the payload can slip past.

This leaves vulnerable installations open to several types of penetration and system manipulation, and the bar for exploiting it is low:

  • total information disclosure, resulting in all system files being revealed
  • total compromise of system integrity – there is a complete loss of system protection, resulting in the entire system being compromised
  • total shutdown of the affected resource – by which the attacker can render the resource completely unavailable
  • very little knowledge or skill is required to exploit this security vulnerability
  • authentication is not required to exploit the vulnerability.

Among the many campaigns which make use of Magnitude exploit kit, there is one that’s particularly active and extensive in scope. The campaign is delivered through a variety of dedicated drive-by domains, which we have already blocked through the Heimdal Secure DNS. A small section can be found below (sanitized by Heimdal Security):

carcs [.] in
pure wide [.] in
waypassed [.] in
Volume weeks [.] in
foodpartys [.] in
notedvalid [.] in
comingjumps [.] in
holiday final [.] in
inputtedhole [.] in
sidesmanuals [.] in
trace windows [.] in
childrenopens [.] in
lecturescause [.] in
quietlygrowth [.] in
station status [.] in
userssuspends [.] in
citizen seconds [.] in

The above are FQDNs (fully qualified domain names), but the campaign is designed with thousands of subdomains. The payload is delivered by determining which country the client comes from.

Read ahead for guidelines that you can use to protect yourself from these types of vulnerabilities.

UPDATE: 03.07.2015: A new and previously undocumented vulnerability that exists in multiple versions of Adobe Flash Player has been reported from several sources, including Fortinet.

Heimdal Security has analyzed the exploit, and can confirm that it is different from previous exploits we have looked at.

The vulnerability is however patched with the latest security update from Adobe. This means that Adobe Flash Player version 17.0.0.188 and newer are not vulnerable. All vulnerable versions have long been patched for the Heimdal users.

As it appears from Fortinet’s blog and from our technical review, this is a different exploit than we have observed in the past. A spraying vector is used in combination with a GlowFilter object and an established safety circumvention known as the “CFG bypass”.

The exploit we recorded comes from the Magnitude exploit kit, a commercial exploit kit that we have also seen supplying CryptoWall 3 and Pony to vulnerable machines in Denmark.

The exploit achieves only very limited antivirus detection (5/55) and is transported to the client through script injections on legitimate web pages and through malvertising.

A small sample of the CryptoWall distribution domains is reproduced below (sanitized by Heimdal Security):

microforgeandfitting [.] in
magaligilbert [.] com
matheusprado [.] net
loccidigital.com [.] br
noivasefestas [.] net
vllusionshop [.] org
loveyourneighbortour [.] com
mundofomix [.] com
mevtutorial [.] in
mduinfo [.] com
phulwaribiotech [.] com
ppinvesting [.] me
klovertel [.] com

All domains have already been blocked in the Heimdal Secure DNS.

As already mentioned, the exploit has a low AV detection (5/55), as we can see from the Virus Total page.
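The two domain lists above are published in a sanitized form (“[.]” instead of a real dot) so that they cannot be clicked by accident, and the post notes that the campaign hides behind thousands of subdomains of those names. The following is an added example, not Heimdal’s code or the Secure DNS implementation: it refangs a sanitized list into a DNS blocklist, reports entries that do not turn into a valid hostname (for instance ones containing spaces, as some copied lines do) instead of silently dropping them, emits the names as Response Policy Zone records that also cover every subdomain, and matches constructed proxy log lines against the list with a proper suffix check. The domains and log lines in the block are made-up samples in reserved test TLDs, not the real campaign infrastructure.

```python
"""Refang a sanitized domain list, build a DNS blocklist that covers
subdomains, and match proxy log entries against it.

Added example (not Heimdal's code). SANITIZED_SAMPLE and LOG_SAMPLE are
constructed samples, not the real campaign domains from the post.
"""
import re

# Constructed sample in the post's "name [.] tld" sanitized format.
SANITIZED_SAMPLE = """
evil-landing [.] example
drive by kit [.] example
payload-host.example [.] test
NOT A DOMAIN
""".strip().splitlines()

# RFC 1123 label: 1-63 chars of letters, digits, hyphens; no edge hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def refang(entry: str) -> str:
    """Replace ' [.] ' and '(dot)' sanitization markers with real dots."""
    name = re.sub(r"\s*\[\.\]\s*", ".", entry.strip())
    name = re.sub(r"\s*\(dot\)\s*", ".", name, flags=re.IGNORECASE)
    return name.lower()


def is_valid_hostname(name: str) -> bool:
    """True only for a syntactically valid multi-label hostname."""
    labels = name.split(".")
    return (len(labels) >= 2 and len(name) <= 253
            and all(_LABEL.match(label) for label in labels))


def build_blocklist(entries):
    """Return (sorted valid hostnames, raw entries that need manual review)."""
    valid, rejected = set(), []
    for raw in entries:
        if not raw.strip():
            continue
        name = refang(raw)
        if is_valid_hostname(name):
            valid.add(name)
        else:
            rejected.append(raw.strip())   # keep for an analyst, do not guess
    return sorted(valid), rejected


def to_rpz(hostnames):
    """RPZ records: 'CNAME .' returns NXDOMAIN for the name and all subdomains."""
    lines = []
    for host in hostnames:
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return lines


def is_blocked(host: str, blocklist) -> bool:
    """Exact match or subdomain match; the leading dot avoids matching
    'notevil-landing.example' against 'evil-landing.example'."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


# Constructed proxy log lines: timestamp, client IP, host, path.
LOG_SAMPLE = [
    "2015-06-27T10:01:02Z 10.0.0.5 news.example.org /index.html",
    "2015-06-27T10:01:03Z 10.0.0.5 a7f3.evil-landing.example /ad.html",
    "2015-06-27T10:01:04Z 10.0.0.5 a7f3.evil-landing.example /x.swf",
    "2015-06-27T10:05:00Z 10.0.0.9 payload-host.example.test /get",
    "2015-06-27T10:06:00Z 10.0.0.9 notevil-landing.example /",
]


def find_hits(log_lines, blocklist):
    """Return (client, host, path) for every log entry that hit the blocklist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed line, skip it
        _ts, client, host, path = parts[:4]
        if is_blocked(host, blocklist):
            hits.append((client, host, path))
    return hits


if __name__ == "__main__":
    blocklist, rejected = build_blocklist(SANITIZED_SAMPLE)
    print("\n".join(to_rpz(blocklist)))
    print("needs review:", rejected)
    for hit in find_hits(LOG_SAMPLE, blocklist):
        print("blocked request:", hit)
```

The suffix check is the part worth copying: matching on `endswith(base)` without the leading dot would also flag unrelated names that merely end in the same characters, while matching only exact names would miss the thousands of throwaway subdomains the post describes.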

UPDATE: 09.07.2015: It’s only been 6 days since Adobe had to publish a critical security update for Flash Player. Now, less than a week later, they have to do it again.

This derives from a 0-day vulnerability which was leaked after the breach of Italian security company “Hacking Team”. This has exposed a so-far unknown vulnerability in the popular and widely used media player. We are therefore dealing with a 0-day vulnerability where a complete proof of concept is available.

The published exploit is confirmed to work on Windows 7 with a fully patched version of Flash Player. The vulnerability can be exploited by embedding code on a website which the victims are tricked into visiting. Upon visiting the website, the exploit is run and the arbitrary code executes with the same rights as the logged-in user.

The exploit was part of a package in the surveillance tool “Da Vinci” that was published last weekend after the controversial company was hacked.

The vulnerability is called CVE-2015-5119. It exists in Adobe Flash Player version 18.0.0.194 and all older versions for Windows and Macintosh. It also exists in Adobe Flash Player version 11.2.202.468 and all older versions on Linux.

Heimdal has already deployed an update that automatically patches all vulnerable installations. You can also consult the latest Adobe Security Bulletin for more details.
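The two updates above give version bounds an administrator can check an installation against: after the 03.07.2015 update, 17.0.0.188 and newer are not vulnerable, and CVE-2015-5119 affects 18.0.0.194 and older on Windows and Mac and 11.2.202.468 and older on Linux. The block below is an added example, not Adobe’s or Heimdal’s code, that turns those statements into a check. It parses Flash’s four-part version strings into numeric tuples (string comparison gets them wrong, since "9.0.280.0" sorts after "18.0.0.194" lexically) and reports which of the post’s issues a given build is still exposed to. The finding label "magnitude-2015-07-03" is our own, and it is an assumption on our part that the 17.0.0.188 rule applies to Windows and Mac only, because Linux follows the separate 11.2.x branch the post quotes.

```python
"""Is this Flash Player build affected by the issues described in the post?

Added example (not Adobe's or Heimdal's code). The version bounds are the
ones the post states; the finding labels are our own. Assumption: the
17.0.0.188 "fixed from" rule is applied only to Windows and Mac, because
Linux stays on the separate 11.2.x branch the post quotes for Linux.
"""
import re


def parse_version(s: str) -> tuple:
    """Turn 'a.b.c.d' into a 4-tuple of ints so it compares numerically.

    Comparing version strings lexically is a classic mistake:
    '9.0.280.0' > '18.0.0.194' as strings, but 9 < 18 as numbers.
    """
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", s):
        raise ValueError(f"not a Flash Player version string: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))


# Highest vulnerable build per platform, as stated in the post for CVE-2015-5119.
VULNERABLE_UP_TO = {
    "CVE-2015-5119": {
        "windows": parse_version("18.0.0.194"),
        "mac": parse_version("18.0.0.194"),
        "linux": parse_version("11.2.202.468"),
    },
}

# The 03.07.2015 Magnitude exploit: "17.0.0.188 and newer are not vulnerable".
# "magnitude-2015-07-03" is a label made up for this example, not a CVE id.
FIXED_FROM = {
    "magnitude-2015-07-03": {
        "windows": parse_version("17.0.0.188"),
        "mac": parse_version("17.0.0.188"),
    },
}


def affected_by(version: str, platform: str) -> list:
    """Return the labels of every issue the given build is still exposed to."""
    v = parse_version(version)
    p = platform.lower()
    findings = []
    for label, bounds in VULNERABLE_UP_TO.items():
        bound = bounds.get(p)
        if bound is not None and v <= bound:      # "this version and all older"
            findings.append(label)
    for label, fixed in FIXED_FROM.items():
        fixed_build = fixed.get(p)
        if fixed_build is not None and v < fixed_build:   # "fixed in X and newer"
            findings.append(label)
    return findings


if __name__ == "__main__":
    for ver, plat in [("17.0.0.169", "windows"), ("18.0.0.194", "mac"),
                      ("11.2.202.468", "linux"), ("18.0.1.0", "windows")]:
        status = affected_by(ver, plat) or "not affected by the issues in the post"
        print(f"{plat:8} {ver:14} -> {status}")
```

The `affected_by` call is what a patching tool or inventory script would run per host; a build can be older than one bound and newer than another, which is why the function returns every matching label rather than a single yes/no.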


So how do you protect yourself from cyber threats targeting Adobe Flash?

If you’ve read this blog before, you must’ve heard this plenty of times. Still, here it goes again:


Keep your software updated at all times!


Now there are 2 ways you can do this:
1. Manually
2. Automatically

If you choose to update your software manually, you should never ignore an update prompt!

But what if you’re somewhere where you have limited Internet access?
Or click away the update window?
Or turn off your computer by mistake, run out of battery, etc., etc.?

Then you should choose option number 2. Automatic updates can be delivered via the Flash product itself or through various applications that have Flash built-in, such as Google Chrome.

The easiest way, however, is to use a patching application that will update not only Flash, but also other vulnerable software on your system, such as browsers. You’ll never have to worry about another update again!

Also, since exploits use your browser most of the time, make sure you secure it properly. You can use the advice in this guide to enhance your browser’s protection and give you a bit more peace of mind.

Of course, you should always use the appropriate security products that offer a multi-layered protection. One product can’t solve all security problems, and there are plenty of those, as you’ve read.

But is there another possible solution?


Can you live without Flash?

Yes, you can, but you might find it annoying if you’re used to having everything ready to go.

Security specialist Brian Krebs did an experiment earlier this month and tried to go without Flash Player for a month.

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing).

Moreover, Brian Krebs suggests two other possible solutions for those who want to be safe and use Flash Player once in a while, when they really, really have to.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like NoScript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

In hindsight, Steve Jobs’s decision to give up Flash was very appropriate, although it may not have seemed so to many at the time.

The ongoing debate over the death or near-death of Flash might take some time to unfold, and Flash may even recover from its current state – who knows? Oracle’s Java used to be the main vector used by cyber criminals, and now 14.5% of exploits target it – which is not great, but it’s not disastrous either.


Conclusion

But until Flash’s security improves, we should all be cautious. Using free software may sometimes cost you your privacy or security, or both. Don’t let that be the case.

Keep your software up to date, use the appropriate cyber security tools and keep an eye out for trouble. That’s what you need to enjoy everything that the web has to offer!

Comments

[…] Fall of Flash: In a detailed survey of the security dangers of the Adobe Flash plugin, com describes it as “one of the preferred methods that cyber criminals use to attack users […]

[…] by Adobe and find out. Flash is a notorious source of vulnerabilities for its users, so reading this guide we put together may help you understand why and what you can do about […]

We must use flash for the Swedbank , swedens largest bank(?),

The secure online tool used there to create new e-Visa/mastercards demands flashplayer..

Hi there! We have a guide to help you keep safe while using online banking platforms: https://heimdalsecurity.com/blog/online-financial-security-guide/

[…] software, you’ll leave security holes open for cybercriminals to take advantage of. For example, Flash and Java are notorious for their security issues and for exposing their users to cyberattacks of […]

[…] Zaharia (2015) states that over 3 million developers use Flash to create interactive content. Flash is primarily used to display text, graphics, and animations for video games and applications, allows audio and video streaming, and it can capture mouse, keyboard, microphone and camera input. Flash is deeply integrated into web browsers and is used in 11% of the world’s web sites. As of 2015, Adobe reports that more than 500 million devices, 20,000 apps, 400 million connected desktops, and 24 of the top 25 Facebook games, all use Flash making it a very popular target for attackers. Adobe Flash is one of the preferred methods attackers like to use because of its wide spread use, and a seemingly endless string of vulnerabilities that are constantly being discovered. Flash security vulnerabilities have sharply increased since 2005. In 2015 there were 90 Flash security vulnerabilities reported with 16 of those classified as critical. A breakdown of the type of vulnerabilities found are as follows: […]

[…] Player is a favorite hacking target for cybercriminals because of its numerous vulnerabilities, so it’s a good idea if you disable it altogether.  Some website […]

[…] In the observed attacks, the payload is delivered by taking advantage of various recent vulnerabilities in Adobe Flash Player, a cyber criminals’ favourite. […]

[…] exploiting vulnerabilities mainly in Adobe Flash (a serial culprit for ransomware infections), TeslaCrypt moves on to bigger targets, such as European […]

[…] websites of this sort require a Flash plugin, which can be hit and miss on my machine (and is a huge security risk on any computer). But Canva just […]

That’s all fine and dandy to keep Flash constantly updated, but it can be extremely annoying to have to restart our computers every time there’s an update that needs to be installed.. why can’t Adobe make their Flash thingy update in the background without the need to restart everything so many frickin’ times??

Software updates can be a nag, I know. That’s why we created Heimdal FREE: to keep your apps up to date for you, automatically and silently. Give it a try: https://heimdalsecurity.com/en/products/heimdal-free (it handles Adobe Flash as well).

[…] Flash has a huge number of vulnerabilities, so cyber criminals target it in the majority of their attacks. By using these security holes in […]

[…] are a major source of vulnerabilities and a rich source of attack opportunities for cyber criminals. Flash and Java are especially unsafe, so I recommend uninstalling them altogether. You can uninstall […]

[…] If you look closely at the numbers, it is highly concerning that Java has an average of roughly 9 new vulnerabilities discovered every month. That is an extreme number. Looking at Adobe’s products, that number is significantly lower but still very alarming, ranging from 3 vulnerabilities on average in Acrobat Reader to 4 in Adobe Flash Player. […]

[…] browsers do have vulnerabilities, and don’t even get me started on browser plugins (oh, Flash, not you again!). Here’s a quick table that shows how many vulnerabilities the top 3 browsers had […]

[…] often read that software such as Java or Adobe Flash are cyber criminals’ sweet spot. These two seem to be plagues by vulnerabilities, which is why […]

[…] Recommended readings: Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer? Adobe Flash vulnerabilities – a never-ending string of security risks […]

[…] Flash is one of the most vulnerable pieces of software today and there’s no denying it. In fact, we dedicated a comprehensive article to the subject that supports this claim: Adobe Flash vulnerabilities – a never-ending string of security risks. […]

[…] Flash already has one of the worst reputations in terms of software vulnerabilities. So of course that the team behind Angler looks at it first, because Flash offers so many security holes to exploit. […]

[…] verified. I would love to see Flash done away with, as it is one of the most common security problems on desktop machines. My new computers no longer have Flash installed. Too […]


[…] the Flash program is rather notorious for its continuing series of leaks (even before the HT hack). The program is installed on a great many devices (and is therefore attractive to […]

[…] a half year dominated by Flash vulnerabilities and critical Zero Days, Java is stepping into the spotlight […]

[…] article after article, research paper after research paper from various security companies on the never ending vulnerabilities of the plugin, and after being inspired by some security blog on the internet, I […]

[…] Adobe Flash plugin requires the most attention, as we’ve depicted Flash’s security issues in a dedicated post, which we’re updating with every new critical Zero Day vulnerability. That seems now to be a […]

[…] updated our recent article on Flash and its troubled recent history to include the […]

[…] keep your OS and software up to date! Adobe Flash has had two major security vulnerabilities in the past 2 weeks. And they’re not alone. These security holes in software are easily exploited […]

[…] this week we’ve had Adobe Flash vulnerabilities and a strong ransomware campaign that delivered CryptoWall 3.0 via Google […]


Thanks cutie for the valuable information
