7 Infamous Moments in Adobe Flash's Security History
End-of-life is here: Adobe's support for Flash is gone as of Jan. 1. Here's what we won't miss about the multimedia software platform.
Show of hands for those who will mourn Adobe Flash – and its hellish 1,500-plus critical security holes – when its flame dies out on Jan. 1. Anyone? Anyone? That's what we thought. But make no mistake: The ecosystem that spawned such a security nightmare is likely pregnant again with another software security horror because "Flash was not a fluke," according to At-Bay founder/CEO Rotem Iram, in his most excellent ode to the end of a software security serial killer.
But for now at least, let's take the time to be thankful for what we won't miss when Flash is laid to rest in this panned memorial.
Figure 4: (Image: tinkerfrost via Adobe Stock)
Crash and Burns
A series of vulnerabilities in 2009, including clickjacking and the JBIG2 vulnerability, was quickly followed by a security advisory issued by US-CERT and the Department of Homeland Security about a critical zero-day vulnerability. CVE-2009-1862 "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.
But don't worry: Adobe had already assured us that "We Care," which prompted some security researchers to proclaim, "Adobe is off to a great start in rehabilitating its image and that it still had a long way to go."
Yeah, that proved to be a very long way to go – right up to Dec. 31, in this, the Year of Covid-19, when 2.5% of Internet users still used Flash every day.
Figure 5: (Image: Brad Pict via Adobe Stock)
Bad BOGO Crime Kit Deals
Flash forward to 2015, when an exploit for a new Flash flaw was packaged with a notorious crimeware kit. Specifically, a researcher discovered "one version of Angler EK sending three different attacks targeting Flash Player, one of which is a zero-day."
In other words, the Flash exploit was integrated into the Angler Exploit Kit to add scale to attacks via advertisements on high-traffic websites. According to Malwarebytes, the kit "installed botnet malware for Bedep, a botnet that is able to load multiple payloads onto victim machines."
Definitely the worst BOGO deal ever. Buy one product, get one attack to go … and another … and another …
Figure 6: (Image: fergregory via Adobe Stock)
Final Coffin Nails That Aren't
By mid-2015, folks proclaimed Flash as good as dead when a doxing attack against an Italian surveillance company netted the attackers some nasty new tools for breaching Flash everywhere else. One of the exploits was added to the Angler exploit crime kit almost immediately.
All told, four significant and lasting impacts came from that breach. The responses were brutal and unrelenting. For example, Facebook security chief Alex Stamos tweeted: "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day."
The security community was unforgiving, but the four new coffin nails presumed and declared final did not hold. Users kept on using Flash as if they rose undead and undisturbed from the bytes of its flawed fangs. Flash Zombies, you might call them.
Figure 7: (Image: Elnur via Adobe Stock)
Phishing for Spies and Saboteurs
Later in 2015, Russian cyberespionage group Pawn Storm did an obnoxious Flash dance on its success in spear-phishing attacks on a variety of foreign affairs ministries. The dirty deed was done via Fake News posing as political reports loaded with links to sites hosting the Flash exploits.
The group loves to show off and often takes credit for attacks assumed to be backed by the Russian government against agencies belonging to other nation-states. The group uses an impressive collection of tools and techniques, and it had now added yet another unique Adobe Flash zero-day to its crime kit.
While phishing will remain with us for all eternity, we won't miss the Flash connection seemingly custom-made for spies and saboteurs hailing from any country.