It has been a known fact that one of the cyber criminals most used vector of attack is flash vulnerabilities. A report conducted by researchers at Bromium shows the extent by which these security flaws have spiked. By the end of 2015, the number of reported flash vulnerabilities has nearly tripled. This shows that the increasing trend of cyber attacks will carry well into 2016.
Adobe Flash is platform used in web technologies and devices to render interactive media like music, video and games. The reason Adobe Flash is such an attractive vector for cyber attackers is due to its proliferate use. A great number of websites and services are dependent on this technology. Also, a Bromium researcher states the Adobe AVM contains multiple vulnerabilities for hackers to exploit.
Security researcher Thu Pham outlined the following ways vulnerabilities are used in flash:
Exploit Kits insert in Flash Vulnerabilities: Exploit kits are programs which target the vulnerabilities in a system to execute arbitrary code which grants control of the machine. Because Adobe has an abundant number of vulnerabilities, 8 of the top 10 vulnerabilities are targeted at Adobe. A recent example of this is the Angler Exploit Kit.
Flash Exploits via DNS: the Domain Name Server or DNS is the internet’s “phonebook” that links all the domain names to their respective IP addresses. Hackers, via stolen DNS credentials, can insert subdomains that redirect to landing site for malware.
Infection via malvertisement: Using advertising services, cyber criminals can post ads on legitimate sites that redirect the user to a landing site.
Most of these attacks happen due to users running older versions of Adobe Flash, which are lacking in critical security patches. Part of the reason flash is used as means of delivering malware is because the average users do not always keep their versions of Flash(or any software) up to date. To secure one’s system, make sure that Adobe Flash is up to date or, for the more cynical, disable Adobe Flash completely. However, the ladder will affect some multimedia elements when web browsing.
As shown in figure 1, 2015 turned out to be a bountiful year for cyber-criminals and malware. Due to Adobe Flash being proprietary software, any patches that fix security flaws have to be released by Adobe. Vulnerabilities in Flash would not be nearly as proliferate if the code was open sourced and available for IT community to secure. Nonetheless, this is highly unlikely of happening for obvious reasons. Some circles debate that perhaps it is a better idea to get rid of Adobe Flash all together. This will be difficult since Flash is pretty much standard as an internet technology.