
There has been no shortage of exploits targeting Adobe Flash in the past few months. In March, Adobe announced updates that "address critical vulnerabilities that could potentially allow an attacker to take control of the affected system." Only a few months earlier, another patch was issued that addressed a different critical security flaw.
This was hardly the first time that Adobe has warned users of impending doom and then released a patch. In fact, reporters have begun poking fun at the topic with headlines such as BGR's "Here we go again: New Adobe Flash vulnerability lets hackers take over your PC," or Engadget's lead, "Stop me if you've heard this one," followed by a report of a Flash vulnerability.
While in some respects a new Flash vulnerability is the low-hanging fruit for tech jokes, many of these cyber threats are serious, including the most recently discovered CVE-2016-1019.
A serious flaw, a quick fix
Like many of the security flaws that came before it, CVE-2016-1019 may "potentially allow an attacker to take control of an affected system." Specifically, the vulnerability affects Windows, Linux, Macintosh and Chrome OS users who are running Flash Player version 20.0.0.306 and earlier. According to findings from Trend Micro, the vulnerability is being leveraged by the Magnitude Exploit Kit to disseminate Locky ransomware, which has been notorious of late for locking down the computer systems of hospitals and other institutions.
The good news, according to ZDNet contributor Charlie Osborne, is that while the vulnerability can crash Flash and opens a window in which an attacker could gain control, Flash versions 21.0.0.182 and 21.0.0.197 are protected against a complete system compromise thanks to recent patches.
As for fixing the actual vulnerability, Adobe released emergency updates in early April that identify and remediate the zero-day threat.
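For anyone checking an endpoint inventory against the version ranges stated above, the following added example (not code from the article or from Adobe) classifies Flash Player version strings numerically rather than lexically, so that "9.0.0.1" is correctly treated as older than "20.0.0.306". The hostnames and version strings in the sample inventory are constructed; versions outside the ranges the article names are reported as "unknown" rather than guessed.

```python
from typing import Dict, List, Tuple

# Version facts as stated in the article (thresholds only; nothing else is assumed).
LAST_EXPLOITED_VERSION = (20, 0, 0, 306)                 # "20.0.0.306 and earlier" are affected
MITIGATED_VERSIONS = {(21, 0, 0, 182), (21, 0, 0, 197)}  # hardened against full compromise


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '20.0.0.306' into a tuple of ints.

    Comparing tuples compares field by field, which avoids the classic
    string-comparison bug where '9.0.0.1' > '20.0.0.306'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short strings such as '21.0' to four fields so comparisons stay consistent.
    return nums + (0,) * max(0, 4 - len(nums))


def classify_flash_version(text: str) -> str:
    """Classify one version against the ranges the article describes."""
    version = parse_version(text)
    if version <= LAST_EXPLOITED_VERSION:
        return "vulnerable"
    if version in MITIGATED_VERSIONS:
        return "mitigated"
    return "unknown"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by classification.

    Unparseable version strings go into 'invalid' so a blank or bogus
    inventory entry is never silently counted as safe.
    """
    report: Dict[str, List[str]] = {"vulnerable": [], "mitigated": [], "unknown": [], "invalid": []}
    for host, version in inventory.items():
        try:
            report[classify_flash_version(version)].append(host)
        except ValueError:
            report["invalid"].append(host)
    return report


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "20.0.0.306",
    "ws-02": "9.0.0.1",
    "ws-03": "21.0.0.197",
    "ws-04": "21.0.0.182",
    "ws-05": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```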
Why so many vulnerabilities?
Even with the most recent threat being addressed, the incident raises some important questions about the state of Adobe Flash Player's cyber security. It's positive that for every newly discovered vulnerability, Adobe is quick to provide a fix. However, these patches feel more like band-aids than a panacea for what's really ailing Flash.
In fact, many tech pundits, including the late Steve Jobs, have called for the scrapping of Adobe Flash Player altogether. The main reason is the fact that Flash seems to be buggy and rife with cyber security problems. According to Network World, eight of the top 10 vulnerabilities leveraged by exploit kits are aimed at Flash. Meanwhile, in his 2010 letter calling for the end of Flash, Steve Jobs said that the program was the "number one reason Macs crash."
So why is Flash a breeding ground for zero-day threats? According to Ars Technica contributor Dan Goodin, the number of zero-day threats in 2015 doubled from 2014, and unsurprisingly, Adobe led the way in vulnerabilities. Goodin explained that Flash's continual shortcomings might have something to do with the program's massive and somewhat antiquated code base.
While many are opposed to Flash, others have not taken a very hard-line stance on the issue. Last August, Engadget contributor Jared Newman reached out to some of the best-known Flash-based Web content providers, including HBO, NBC, CBS, Zynga, King, Showtime, Pandora and Spotify, Major League Baseball, Slacker Radio, Hulu and the BBC. Many of them declined to comment, while others didn't respond at all. The takeaway here seems to be that users may have to continue to deal with these vulnerabilities for the foreseeable future. As long as this is the case, they should exercise awareness and caution when it comes to Flash-based vulnerabilities.
For starters, if you haven't already upgraded to the new version of Adobe Flash, you should do so sooner rather than later to avoid becoming a victim of cyber crime.