
Jobs's revenge: Flash piles up the zero-day exploits

Three zero-days in six weeks make Steve Jobs look even more prescient about the state of Flash.

Steve Jobs's legendary rant against Adobe Flash turned out to be as personal as it was about technology. He published the missive in 2010, going into great detail explaining why Flash must die. One year later, when Walter Isaacson published his biography of Jobs, the other shoe dropped. Jobs held a massive grudge against Adobe for abandoning Apple in the late 1990s and never forgave the firm for bailing on the Mac (page 380).

Still, it's hard to disagree with his points, not least that Flash is buggy and prone to exploits. This year, he's really being proven right. In the six weeks since 2015 began, there have been three major zero-day exploits in Flash. Tip of the hat to The Tech Report for being the first to notice this.

First came CVE-2015-0310 on January 22, along with an immediate fix. Two days later came CVE-2015-0311, also with an immediate fix. Then on February 4 came CVE-2015-0313 along with the fix, and this was the most severe problem because it allowed hackers to crash a system and take control of it. Mac users were not immune, either.

Malwarebytes said on its security blog that the latest exploit has been in the wild for at least two months, since December 3. It also noted that people visiting several prominent websites, including dailymotion.com, theblaze.com and nydailynews.com, were being rerouted to drive-by malware delivery sites by the exploit. Apparently, kits are being sold on the Internet black market that make using these exploits easy, so people who otherwise wouldn't have the skill to exploit the vulnerabilities are doing just that.

What makes the problem even more of a headache is that Adobe's update utility for Flash is poorly designed. The Adobe Update tool updates either Internet Explorer or the browsers that load Flash as a plugin, like Firefox and Chrome, but not both at the same time. The updater only checks for new builds when you reboot, not when you come out of sleep mode. Even more obnoxious, it installs McAfee Security Center, which you will likely have to uninstall.

Windows 8 delivers its Flash updates through Windows Update, which most of us run once a month, on Patch Tuesday. Chrome, meanwhile, does its own thing and gets Flash updates through Chrome's own browser update system. So there is no consistency of delivery across browsers or platforms.

The best defense is to use Google's Chrome, since Trend Micro found that the exploit cannot break out of Chrome's sandbox. You can also enable ActiveX filtering in IE. After that, your options are to disable/uninstall Flash or at least get the latest version.
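As an added example that is not part of the Network World article, the following PowerShell audit reports which Flash components a Windows host has installed, with their versions, and whether Internet Explorer's ActiveX Filtering is switched on; it can also turn the filtering on, which is the mitigation the article suggests for IE users. The registry locations it reads are the ones I know Flash Player and Internet Explorer to use, not values taken from the article; treat them as assumptions and confirm them on your own build before relying on the report.

```powershell
# Added example (not from the Network World article): audit a Windows host for
# the Flash exposure the article discusses and, optionally, enable IE ActiveX
# Filtering as the article recommends. The registry paths below are the ones I
# know Flash Player and Internet Explorer use; treat them as assumptions and
# verify them on your own build.

function Get-FlashExposureReport {
    [CmdletBinding()]
    param(
        # Turn on IE ActiveX Filtering for the current user (the article's suggested mitigation).
        [switch]$EnableActiveXFiltering
    )

    # Flash Player registers separate versions for the IE ActiveX control and the
    # NPAPI plugin used by Firefox; the article notes the two are updated independently,
    # so a host can be patched for one browser and still exposed in the other.
    $flashKeys = @{
        'IE ActiveX control'     = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
        'NPAPI plugin (Firefox)' = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin'
    }

    $components = foreach ($name in $flashKeys.Keys) {
        $path = $flashKeys[$name]
        $version = $null
        if (Test-Path $path) {
            $version = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Version
        }
        [pscustomobject]@{
            Component = $name
            Installed = [bool]$version
            Version   = $version
        }
    }

    # ActiveX Filtering is a per-user IE setting; IsEnabled = 1 means it is on.
    $filterKey = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
    if ($EnableActiveXFiltering) {
        if (-not (Test-Path $filterKey)) { New-Item -Path $filterKey -Force | Out-Null }
        Set-ItemProperty -Path $filterKey -Name IsEnabled -Value 1 -Type DWord
    }
    $filterEnabled = $false
    if (Test-Path $filterKey) {
        $filterEnabled = ((Get-ItemProperty -Path $filterKey -ErrorAction SilentlyContinue).IsEnabled -eq 1)
    }

    # A host with the IE ActiveX control installed and filtering off is the one to
    # patch (or strip Flash from) first; the NPAPI plugin is reported for inventory.
    $ieFlash = @($components | Where-Object { $_.Installed -and $_.Component -like 'IE*' })

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FlashComponents       = $components
        IEActiveXFilteringOn  = $filterEnabled
        IEFlashExposed        = ($ieFlash.Count -gt 0) -and -not $filterEnabled
    }
}

# Usage: audit only.
Get-FlashExposureReport | Format-List
# Usage: audit and switch ActiveX Filtering on for the current user.
# Get-FlashExposureReport -EnableActiveXFiltering
```

The report deliberately does not hard-code a "safe" Flash version, since the patched build changes with every advisory; compare the reported Version fields against the current Adobe security bulletin, and treat any host where IEFlashExposed is true as the first to update or to have Flash removed from.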

With YouTube's recent move to ditch Flash in favor of HTML5, Flash's demise can't come fast enough.
