In recent years, the Adobe Flash Player has been a magnet for cyber criminals. The platform has been exploited and utilized as a launchpad for attacks on users, and several zero-day vulnerabilities have been discovered, including two identified in 2015. Because the media player has a considerable number of users, chances are good that it will continue to be a high-value target in the near future as well.
2015 brings two zero-day discoveries
Flash began the year with several difficulties, including the discovery of two zero-day vulnerabilities within the first few weeks of 2015. According to Trend Micro, the first threat was uncovered toward the end of January and impacted users of Adobe Flash Player for Microsoft Windows.
This weakness enabled attackers to run specific code or entire software programs on victims’ computers, taking control of the system as if they were the device owners.
“Anything you can do on your computer, the attacker’s program can do,” Trend Micro stated in a release. “In a worst case like this, they can load malware on your computer.”
This initial vulnerability was also exploited through the Angler exploit kit, which enabled the attack to spread more quickly than it would have without the kit. Adobe did eventually release a patch for this weakness, which underlines the importance of keeping systems as up-to-date as possible.
At the beginning of February, Trend Micro announced that yet another zero-day exploit was discovered in connection with Flash. This time, the vulnerability was exploited through advertisements containing malware. The vulnerability, designated CVE-2015-0313, was also exploited through the Angler exploit kit and was similar to the other zero-day discovered earlier this year.
Trend Micro had been tracking this exploit since mid-January, and discovered peaks in traffic connected with this weakness on or around Jan. 27. Many of the users who were encouraged to visit the malicious URL were based in the U.S., and as of Feb. 2, there were a total of 3,294 hits to the server connected with CVE-2015-0313. Adobe also released a patch for this vulnerability, which came about a week after its discovery.
2014 vulnerabilities: Fiesta exploit kit
Last year saw a number of Flash-based vulnerabilities as well, including one using the commercial exploit kit Fiesta, according to PCWorld. This weakness, subsequently named CVE-2014-0569, was patched by Adobe, but many users did not install the patch before they were targeted and attacked by cyber criminals.
This weakness was initially uncovered by Kafeine, an online researcher, who thought the exploit targeted an earlier-patched vulnerability, but another researcher from F-Secure found that it was pinpointing a newer issue. Kafeine also noted that the speed at which the exploit was included in the well-known Fiesta kit signaled considerable connections on the part of the hacker that created it.
“Kafeine expressed surprise that a CVE-2014-0569 exploit landed in Fiesta so quickly,” wrote PCWorld contributor Lucian Constantin. “Either the author has some really skilled contacts or someone might have been induced by money to break a non-disclosure agreement.”
One of the biggest issues seen with this vulnerability was the fact that so many users were attacked even after a patch was released. Constantin noted that this weakness was used in several large-scale attacks only a few days after the patch was made available. This once again demonstrates the importance of keeping systems up-to-date. Adobe has released a number of patches for the range of vulnerabilities that have been discovered, and ensuring that these patches are put in place as soon as possible can help mitigate the possibility of an attack.
Another vulnerability discovered in early 2014 was similar to the one uncovered this year in that it allowed hackers to take over the systems of their victims. This attack, however, impacted users of the Windows, Mac and Linux operating systems, according to security expert Brian Krebs. Adobe released an unscheduled patch to prevent attacks for all three OSs.
2013 vulnerability: Adobe releases emergency update
Security researchers discovered other vulnerabilities in early 2013, causing Adobe to make an emergency update available to patch the two weaknesses, Ars Technica reported. The vulnerabilities targeted Mac users and enabled hackers to exploit online activities and install malicious programs on victims’ devices. Although researchers only found instances of attacks involving OS X users, updates were offered for Linux and Android systems as well.
Ensuring systems are up to date for security
Overall, Flash’s history of zero-day and other vulnerabilities illustrates just how important it is to ensure that systems are up-to-date. Although users still risk attack and infection with zero-day weaknesses, individuals should install patches as soon as they are released to help prevent any malicious activities from taking place on their machines. Trend Micro also suggested that users consider disabling their Flash Players at the first notice that a zero-day vulnerability has been discovered. This will ensure that hackers are unable to target their systems, and the platform can be enabled after an Adobe update has been released and downloaded.