Microsoft Subnet An independent Microsoft community View more

Cybercrooks quickly bypass Adobe Flash Player's improved security protections

adobe flash player v10 icon
Credit: Adobe Systems

Adobe added improved exploit defenses to Flash Player, which were supposed to make security flaws harder to exploit, but cybercriminals evaded the extra security measures and added a new Flash exploit to the Angler Exploit Kit.


As of today, Google's Chrome browser will automatically pause ads that use Flash by default. Most Flash ads were converted to HTML5 and those HTML5 ads will still work. Flash can quickly suck the power from a laptop battery, but even worse is the never-ending supply of Flash vulnerabilities.

Supposedly, the version of Flash Player released in July had "additional protections to make entire classes of security flaws much harder to exploit in the future." The future is now then, because cybercriminals have wasted no time circumventing those extra security protections.

On the Malware don't need Coffee blog, security researcher Kafeine reported that the Angler Exploit Kit has a new exploit for Flash. It uses the "same Diffie-Hellman Key Exchange technique described by FireEye" on August 10. Of 56 antivirus solutions listed on VirusTotal, only TrendMicro detected the malware sample submitted by Kafeine.

In August, Adobe released the latest critical security updates for Adobe Flash Player; the most resent version of Flash is Google's Project Zero had previously reported that Flash version included mitigations that could be a "useful defense-in-depth for attacks." If you didn't patch yet, you better get on it because Kafeine explained that Flash version is now being exploited by the Angler Exploit kit...that was Adobe's new-and-improved version released in July that had additional security protections which cyberthugs have already evaded. You should not delay upgrading to the newest Flash version if you have not yet done so. Better yet, kick Flash to the curb.

Additionally, two weeks ago, Zscaler reported a "massive uptick" in the use of the Neutrino Exploit Kit, which was reportedly incorporated in the Hacking Team's Flash zero-day. Neutrino campaign attackers compromised WordPress sites running version 4.2 and older to redirect Internet Explorer victims to the Neutrino Exploit Kit which would then serve up CryptoWall 3.0 ransomware.

It's definitely time to kill Flash.

As of today, Amazon no longer accepts Adobe Flash ads.

In July, Facebook security chief Alex Stamos said, "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day."

One day later, Mozilla was ready to kill off Flash. It blocked Flash from running in Firefox until Adobe patched. At that time, Mark Schmidt, head of Firefox Support, said, "Nothing relies on Flash as much as malware."

Then there's Google; blocking Flash ads will supposedly affect "every single company in the ad tech industry." If Flash were already "dying a death by 1,000 cuts," then Google's move to pause Flash ads may deliver the nail in Flash's coffin that pushes the tech industry into abandoning Flash altogether.

You would think the sheer number of critical vulnerabilities could have done it sooner, but cybercrooks are happy to keep exploiting Flash as long as people use it. If you do use Flash, but procrastinate instead of update when a new version is released, then cybercriminals will be happy to infect your machine.

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies