• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   The fix is in for Adobe’s newest Flash flaw

The fix is in for Adobe’s newest Flash flaw

  • Posted on:May 2, 2016
  • Posted in:Industry News
  • Posted by:Christopher Budd (Global Threat Communications)
0
New zero-day threats have been detected and patched.

There has been no shortage of vulnerabilities exploiting Adobe Flash in the past few months. In March, Adobe announced updates that "address critical vulnerabilities that could potentially allow an attacker to take control of the affected system." Only a few months earlier, another patch was issues that addressed a different critical security flaw.

This was hardly the first time such Adobe has warned users of impending doom, and then released a patch. In fact, reporters have begun poking fun at the topic with headlines such as BGR's "Here we go again: New Adobe Flash vulnerability lets hackers take over your PC," or Engadget's lead, "Stop me if you've heard this one," followed by a report of a Flash vulnerability.

While in some respects a new Flash vulnerability is the low hanging fruit for tech jokes, many of these cyber threats are serious, including the most recently discovered CVE-2016-1019.

A serious flaw, a quick fix

Like many of the security flaws that came before it, CVE-2016-1019 may "potentially allow an attacker to take control of an affected system." Specifically, the vulnerability targets Windows, Linux, Macintosh and Chrome OS users who are running Flash Player version 20.0.0.306 and earlier. According to findings from Trend Micro, the vulnerability is being leveraged by the Magnitude Exploit Kit to disseminate Locky ransomware, which has been notorious of late for locking down the computer systems in hospitals and other institutions.

The good news, according to ZDNet contributor Charlie Osborne, is that while the vulnerability has the potential to cause Flash to crash and introduces the possibility of a hacker gaining control during this time, Flash versions 21.0.0.182 and 21.0.0.197 are protected against a complete system compromise thanks to recent patches.

As for fixing the actual vulnerability, Adobe released emergency updates in early April that identify and remediate the zero-day threat.

Why so many vulnerabilities?

Even with the most recent threat being addressed, the incident raises some important questions about the state of Adobe Flash Player's cyber security. It's positive that for every newly discovered vulnerability, Adobe is quick to provide a fix. However, these patches feel more like band-aids than a panacea for what's really ailing Flash.

In fact, many tech pundits, including the late Steve Jobs, have called for the scrapping of Adobe Flash Player altogether. The main reason is the fact that Flash seems to be buggy and rife with cyber security problems. According to Network World, eight of the top 10 vulnerabilities leveraged by exploit kits are aimed at Flash. Meanwhile, in his 2010 letter calling for the end of Flash, Steve Jobs said that the program was the "number one reason Macs crash."

So why is Flash a breeding ground for zero-day threats? According to Ars Technica contributor Dan Goodin, the number of zero-day threats in 2015 doubled from 2014, and unsurprisingly, Adobe led the way in vulnerabilities. Goodin explained that Flash's continual shortcomings might have something to do with the program's massive and somewhat antiquated code base. 

While many are opposed to Flash, others have not taken a very hard-line stance on the issue. Last August, Engadget contributor Jared Newman reached out to some of the most well-known Flash-based Web content providers including HBO, NBC, CBS, Zynga, King, Showtime, Pandora and Spotify, Major League Baseball, Slacker Radio, Hulu and the BBC. Many of them declined to comment, while others didn't respond at all. The takeaway here seems to be that users may have to continue to deal with these vulnerabilities for the foreseeable future. As long as this is the case, they should exercise awareness and caution when it comes to Flash-based vulnerabilities.

For starters, if you haven't already upgraded to the new version of Adobe Flash, you should do so sooner rather than later to avoid becoming the victim of cyber crime.

Related posts:

  1. Update: The Hacking Team Flash Zero-Day Trifecta
  2. History of Flash: Zero day and other vulnerabilities
  3. New Adobe Flash Critical Vulnerability Exploited in the Wild.
  4. Update: Hacking Team Flash Zero Day – Not Out of the Woods

Security Intelligence Blog

  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Answering IoT Security Questions for CISOs
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • How To Be An Informed Skeptic About Security Predictions
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • The Shared Responsibility Model
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • What Worries CISOs Most In 2019

Follow Us

Trend Micro In The News

  • Trend Micro Takes On Palo Alto Networks With Cloud Conformity Buy
  • Trend Micro Partners with Snyk to Fix Vulnerabilities for DevOps
  • Trend Micro Partners With Snyk To Advance DevSecOps
  • Hackers to stress-test Facebook Portal at hacking contest
  • NEW TECH: Trend Micro inserts 'X' factor into 'EDR' - endpoint detection response
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.