Adobe Flash Accounts for 8 of the Top 10 Vulnerabilities Used in Exploit Kits

[Exterminator]

Content source

http://news.softpedia.com/news/adobe-flash-accounts-for-8-of-the-top-10-vulnerabilities-used-in-exploit-kits-495920.shtml

Internet Explorer and Silverlight get the other 2 spots
Threat intelligence research company Recorded Future has put together a list of the most used vulnerabilities currently integrated in exploit kits (EK).

Their research covered the period from January 1, 2015, to September 30, 2015, and included data from the analysis of over 100 exploits kits currently used for various types of attack scenarios.

For the uninitiated, an exploit kit is a collection fo hacking tools that facilitate the infection of a user's computer with a particular piece of malware, specifically targeting known security vulnerabilities.

Some of today's most famous exploit kits include the Angler EK, the Fiesta EK, the Hanjuan EK, the Nuclear EK, and the Neutrino EK.

By looking at the type of security vulnerabilities exploit kits leverage to deliver their malicious payloads, the researchers from Recorded Future were able to create a top 10 of the most used security flaws.

Nobody was surprised to see Flash in the Top 10
As everyone expected, the top spot went to a Flash vulnerability, of which Adobe had plenty this year. In fact, Flash was so plagued by security issues that the first eight spots in the top 10 went to various security flaws discovered this year alone.

Coming in on number 9, we find an Internet Explorer bug, followed by another Microsoft product, the deprecated Silverlight platform.

All the top 10 vulnerabilities are issues discovered this year, showing that EK operators don't generally waste time when it comes to integrating the most recent security bugs into their code.

While many have mitigated for deprecating and giving up on Flash, including Facebook's CSO, the reality is that Flash Player still accounts for a huge market share.

What makes it even worse is another recent study carried out by Secunia (now part of Flexera Software) which points to the fact that 80% of all Flash users don't run the most recent version of Flash.

This means that despite Adobe's best efforts in keeping Flash Player bug-free, users still run outdated versions, even using versions marked as EOL (End-of-Life).

 

[Kalimirro]

Adobe Flash = AIDS of the Web.

 

[LabZero]

Obviously disabling or uninstalling the Flash plugin eliminates the problem of Flash exploits. In this case, however, the use of some web page content will be limited. The click2play is a good compromise, any flash content is blocked and therefore also exploits. But the problem could occur with enabling Flash content, believed legitimate and instead is compromised. Same problem with the scripts control. As I myself use a double check with my scripts on Firefox often I get tired to enable every single script in order to enjoy the content of a certain web page, and then temporarily I enable the entire page when I have little time to waste. Theoretically the two mechanisms and a ready replacement of new versions of Flash, when available, should eliminate much of the potential risks. But just having installed an anti-exploit app gives us an extra security.
Each of us is aware that Flash has (now) certainly many exploitable flaws even in the latest version that many people have installed, which are (still) unknown to the same Adobe team, and we can conclude why history unfortunately repeats itself , and if we assume that attackers are able, tomorrow, to see in the latest Flash version a remotely exploitable bug and implement it as exploit ... you just have to navigate on any compromised web site (in this case maybe yesterday was safe and tomorrow is compromised) and would be exposed to an impairment of our OS.

 

[OokamiCreed]

Well said @Klipsh

While heavy web users like myself still require Flash Player, having click 2 play (as you said above) is no problem. Some browsers like Opera have this feature built in and I believe there are add ons for Firefox/Chrome that disallow flash objects to automatically play. You could even use a script block or swf blocker/flash blocker and allow as needed.

And also as you said, a web site today could be compromised tomorrow. So even if you chose to navigate only to trusted pages, you are still at risk for infection from those same sites a second, minute, day, week, month, or even year(s) later. Especially in this day and age. It's better to be prepared than to be sorry and try to protect yourself after an infection. I've never seen click 2 play features on some browser destroy the way flash operates when later allowed so I believe it should become a sort of standard to protect end users. Otherwise (which I prefer more) to create something that can run flash without the need for flash player. However even that will be exploitable, just not nearly as much as Adobe Flash Player.

 

[jamescv7]

Not a surprise result, Flash player holds a big contributor to the internet in terms of multimedia technology landscape so many companies propose to give up but revenues is still an importance for them which mentioned on the article about market shares.

So in such fate, Flash player like Windows will follow through many flaws continuously and will remain as top notch products no matter what circumstances.

Dangers is not in the vocabulary term for them but rather already accept those risks.

 

[gusthebus]

If I were writing a web exploit, I would certainly look toward flash before any other browser extension, but not solely because of its popularity. Extensions like Adobe Reader, Silverlight, and Java should also be exploitation targets based on their user base, but Flash always manages to top the charts. Not only is flash known for its lack of security, but it also harbors a number of additional problems.

With that said I personally think Adobe should seriously rework Flash, or browsers like Chrome and Firefox should simply package a safer, faster alternative with their software.