As if you need more reasons to hate Adobe Flash, it’s unsurprisingly a favorite among cyber criminals to roll into exploit kits. The most popular exploit kit right now is Angler, which has been around since 2013, but it is still “regularly tied to malware including Cryptolocker.”
According to a new report by Recorded Future, eight of the top 10 vulnerabilities used by exploit kits target Adobe Flash Player. The remaining two non-Flash flaws favored in the crimeware as a service (CaaS) ecosystem were in Microsoft Internet Explorer versions 10 and 11 and other “Microsoft products including Silverlight.”
After conducting threat intelligence analysis of 108 exploit kits, Recorded Future found that Adobe Flash Player had thousands of references and dominated the list of top vulnerabilities. “Understanding what vulnerabilities are targeted by exploit kits can better inform patch management functions within organizations,” explained the company.
For this research, Recorded Future did not reverse engineer any malware; instead it focused on “meta-analysis of available information from information security blogs, forum postings, etc.” from Jan. 1 to Sept. 30, 2015. Exploit kits may use “dozens of other vulnerabilities,” but Adobe Flash is the top target of popular exploit kits.
The top 10 results can be seen below.
The top bug affected Flash Player 126.96.36.1996; although Adobe patched the critical flaw in Feb. 2015, it was regarded as a zero day exploit as far back as Dec. 2014. Recorded Future said it “observed 410 references of CVE-2015-0313 tied to an exploit kit in 2015.” The same vulnerability has recently been seen in the Hanjuan, Angler and Fiesta exploit kits.
Exploits tied to the third and fifth most mentioned Adobe Flash vulnerabilities were added immediately to exploit kits after the Hacking Team was hacked and the Flash flaws were released in the wild.
The fact that Adobe Flash Player seems to be almost constantly vulnerable and those flaws are popular with advanced persistent threat (APT) groups like Pawn Storm, it “calls into question Flash’s place in a secure operating environment,” wrote Recorded Future.
It seems likely that it calls into question Flash’s place in any environment. Even if a person is Johnny-on-the-spot patcher, it doesn’t mean their system is safe. Just in October there was yet another new zero-day in Flash immediately after Adobe released a mega-fix for former vulnerabilities. Before that, Adobe supposedly added improved exploit defenses to Flash; cyber crooks bypassed that quickly and added the new Flash exploit to the Angler exploit kit. Many security firms have warned against using Flash, explaining how Flash exploits are soaring.
Recorded Future concluded, “While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment.”
The cries to kill off Flash have grown louder throughout 2015. Yet Adobe just came out with a new beta version of Flash Player 20, codenamed Rankin. The beta release includes “new features as well as enhancements and bug fixes released to security, stability, performance and device compatibility,” and is supposed to work better for Windows 10 users.