If there’s unanimity among security professionals in anything, it’s in their loathing of Adobe’s Flash Player. There’s yet to be an APT or exploit kit that hasn’t welcomed vulnerabilities in the development platform with open arms. And for all that misery tallied up in lost intellectual property and industrial secrets, and stolen passwords and credit card numbers, there’s been an equally passionate call for the tech industry to dump Flash on its backside.
“Flash is a really a fantastic example of what happens when you have legacy code within an app that’s been around a long time,” said Cody Pierce, director of vulnerability research and prevention at Endgame. “Flash provides a rich development experience for users, yet suffers because it’s trying to be a rich platform. Anytime you do that and have to support legacy file formats, you end up in a situation where attackers have a nearly unlimited attack surface—video, audio, images, different protocols and a really rich scripting language in ActionScript. It’s ripe for exploitation and vulnerability discovery.”
Adobe this week took one of its first baby steps away from Flash and toward HTML5, playing perhaps the first notes of Flash’s swan song. The company announced that it has renamed Flash Professional CC to Animate CC, which will be available early next year, and deemed it Adobe’s preferred tool for developing HTML5 content.
“Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that,” Adobe said in announcing the move.
Adobe did not completely toss Flash in the trash bin and said it will continue to develop security and feature updates for Flash and continue working with its browser partners such as Microsoft, Mozilla and Google to lessen the risks surrounding Flash. Not to mention that too many legacy applications and existing web content rely on Flash to create an immediate ripple, experts said.
“The key message is this is not going away any time soon,” said Mike Hanley, program manager R&D and Duo Security. “At best, this is a recognition that there is a future where Flash will no longer be a dominant platform on the web, but with no clear timeline or planned deprecation schedule, many legacy applications and web content will continue to rely on historically problematic platforms like Flash to get the broadest possible adoption for years to come.”
Flash continues to attract the worst of the worst in hackers. Month after month in scheduled security updates, Adobe pushes out dozens of patches for Flash, not to mention an increasing number of out-of-band updates addressing zero-day vulnerabilities. Once low point came this summer when it was discovered among the wreckage of the Hacking Team breach that the controversial surveillance company had at its disposal a number of Flash zero days that it was using and had not disclosed to Adobe.
Hacking Team is not alone in coveting Flash zero days. Zerodium, the new company started in September by VUPEN founder Chaouki Bekrar recently published its price chart, which showed it would pay between $50,000 and $80,000 for Flash zero days.
“With large numbers of users still running vulnerable player applications, it also provides attackers with a versatile intrusion vector,” said Nick Buchholz, senior network security analyst at Damballa. “We’re bound to see Flash exploit development continue long after the announcement, and demand for the exploits will likely remain unchanged.”
While Adobe continues to fight the good fight, Google and Mozilla have already made moves deny exploits the ability to automatically load and execute via click-to-play plugins for Chrome and Mozilla.
“The push to end use of Flash will likely continue to come from other companies and working groups whose users are most often exploited through the Flash platform,” said Duo Security’s Hanley.
In the meantime, expect hackers to remain fond of exploiting cross-platform programs such as Flash and Java where exploits can be written once and tweaked to work on multiple arenas, including embedding malicious Flash objects inside a Microsoft Office document that can be delivered via phishing or spam emails.
“I believe Flash is an attractive target with attackers because of this cross-browser, cross-platform support,” said Craig Young, security researcher at Tripwire. “The ability to run code on client systems is a huge attack vector as we see with Java, ActiveX, and JavaScript. Traditionally Flash has been prevalent across multiple browsers on multiple platforms allowing for more effective exploitation.
“My expectation is that there will be a large Flash install base for many years to come and as such it will continue to be a thorn in endpoint security,” Young said. “I do expect that some sites and services will quickly replace Flash with HTML5 content, but Flash itself will remain a viable attack vector for as long as popular web browsers continue to support it.”
