7 Infamous Moments in Adobe Flash's Security History

Figure 3:

Show of hands for those who will mourn Adobe Flash – and it's hellish 1,500-plus critical security holes – when its flame dies out on Jan. 1. Anyone? Anyone? That's what we thought. But make no mistake: The ecosystem that spawned such a security nightmare is likely pregnant again with another software security horror because "Flash was not a fluke," according to At-Bay founder/CEO Rotem Iram, it in his most excellent ode to the end of a software security serial killer.

But for now at least, let's take the time to be thankful for what we won't miss when Flash is laid to rest in this panned memorial.

Figure 4: (Image: tinkerfrost via Adobe Stock

Crash and Burns

A series of vulnerabilities in 2009, including clickjacking and the JBIG2 vulnerability, was quickly followed by a security advisory issued by US-CERT and the Department of Homeland Security about a critical zero-day vulnerability. CVE-2009-1862 "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.

But don't worry: Adobe had already assured us that "We Care," which prompted some security researchers to proclaim, "Adobe is off to a great start in rehabilitating its image and that it still had a long way to go."

Yeah, that proved to be a very long way to go – right up to Dec. 31, in this, the Year of Covid-19, when 2.5% of Internet users still used Flash every day.

Figure 5: (Image: Brad Pict via Adobe Stock)

Bad BOGO Crime Kit Deals

Flash forward to 2015, when an exploit for a new Flash flaw was packaged with a notorious crimeware kit. Specifically, a researcher discovered "one version of Angler EK sending three different attacks targeting Flash Player, one of which is a zero-day."

In other words, Flash was integrated into the Angler Exploit Kit to add scale to attacks via advertisements on high-traffic websites. According to Malwarebytes, the Kit "installed botnet malware for Bedep, a botnet that is able to load multiple payloads onto victim machines."

Definitely the worst BOGO deal ever. Buy one product, get one attack to go … and another … and another …

Figure 6: (Image: fergregory via Adobe Stock)

Final Coffin Nails That Aren't

By mid-2015, folks proclaimed Flash as good as dead when a doxing attack against an Italian surveillance company netted the attackers some nasty new tools for breaching Flash everywhere else. One of the exploits was added to the Angler exploit crime kit almost immediately.

All told, four significant and lasting impacts came from that breach. The responses were brutal and unrelenting. For example, Facebook security chief Alex Stamos tweeted: "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day."

The security community was unforgiving, but the four new coffin nails presumed and declared final did not hold. Users kept on using Flash as if they rose undead and undisturbed from the bytes of its flawed fangs. Flash Zombies, you might call them.

Figure 7: (Image: Elnur via Adobe Stock)

Phishing for Spies and Saboteurs

Later in 2015, Russian cyberespionage group Pawn Storm did an obnoxious Flash dance on its success in spear-phishing attacks on a variety of foreign affairs ministries. The dirty deed was done via Fake News posing as political reports loaded with links to sites hosting the Flash exploits.

The group loves to show off and often takes credit for attacks assumed to be backed by the Russian government against agencies belonging to other nation-states. The group uses an impressive collection of tools and techniques to which it had now added yet another unique Adobe Flash zero day to its crime kit.

While phishing will remain with us for all eternity, we won't miss the Flash connection seemingly custom-made for spies and saboteurs hailing from any country.

Figure 8: (Image: Даша Мельник via Adobe Stock)

Adobe Says, 'Later Gator,' but Here For Now Brown Cow

Two years later, Flash, officially dubbed "one of the buggiest widely used apps out there" and a regular cornerstone of crime kits everywhere, was working on borrowed time. Adobe announced in 2017 that its execution date would be the end of 2020.

The company said Flash would be obsolete by then, but it was really because the security community absolutely hated it. Even so, much of the market still loved its fav Flash-y honey pot, as targets are wont to do.

Flash was to be executed and put to final rest – three years after the announcement – presumably so Adobe could milk the last of its market worth.

Figure 9: (Image: Patcharanan via Adobe Stock

Flash Zero Days No Longer in Vogue but Still Common on Sales Racks

ScarCruft North Korean APT group got busted in 2018 for using a new Flash zero day. Surprised researchers said, “Flash zero-days are not that popular anymore.”

Indeed, North Korea was late to the nation-state Flash exploit feasts, But hey, the hacking group didn't have to develop them either. Instead, it picked them up on an underground bargain rack.

Flash exploits were cheap and common, and yet the end date was still two years away. Just how much more value did Adobe think the bargain basement Flash still had anyway?

Figure 10: (Image: Sergey via Adobe Stock

The Day Flash Dies – Maybe

Finally, after all of the security horrors, on Dec. 31, 2020, the end of this pandemic-fueled year of terror will finally, supposedly, see the official end-of-life for Flash. That means Adobe will supposedly not be releasing any more updates – even security updates – for it anymore. The end. Kaput. Final coffin nails nailed that stay nailed.

But is it possible some kind of new, actively exploited zero day found on that day or later be just so horrible that Adobe has to release an out-of-band fix for it? Who knows.

After all, the Flash Zombies are still here, and they likely will continue to use Flash with or without Adobe's support. It's not like a lack of security was a grave marker for them anyway.