Security

Flash Vulnerabilities & Exploits: An Information Security Primer

thu@duosecurity.com
Last updated: 2016/01/12 at 6:59 PM

Contents
  • Nearly 700 Flash Vulnerabilities and Counting
  • Vulnerable Flash Users
  • How Do Flash Exploits Work?
  • Flash Vulnerabilities in Exploit Kits
  • Flash Exploits Delivered via DNS
  • Flash Infection via Malvertising
  • The Impact on Companies
  • Protecting Against Flash Vulnerabilities
  • Other ways to protect yourself
  • Check Your Current Version of Flash
  • What’s Next for Flash

Adobe Flash Player is used to create and play animations, video games, advertisements and mobile apps – it’s considered a software necessity by many users and is used daily. But to criminal and malicious hackers, it’s also easy to exploit, due to many known vulnerabilities in old Flash versions.


Nearly 700 Flash Vulnerabilities and Counting

Currently, the Common Vulnerabilities and Exposures (CVE) database lists nearly 700 publicly disclosed vulnerabilities that affect Flash Player, 581 of which carry a ‘high severity’ score under the Common Vulnerability Scoring System (CVSS).

Number of Reported Flash Vulnerabilities

The number of reported vulnerabilities jumped from 76 in 2014 to 314 in 2015, a more than 300 percent change in just a year, according to CVE statistics.

Vulnerable Flash Users

Users don’t always update their devices to the most recent version of software right away, leaving them susceptible to the hundreds of known vulnerabilities.

Malicious hackers can then exploit those vulnerabilities to run their own code on users’ computers, allowing them to install malware, take control of the machine and steal logins or other confidential data.

How Do Flash Exploits Work?

It can vary depending on the type of vulnerability. For example, a hacker may decide to use an exploit kit delivered by website redirect. That means, when a user clicks on a website link in their browser, an embedded script redirects the user to a hacker’s landing page that contains the exploit kit.

The kit checks if a user can be exploited using a Flash vulnerability. If users were running an outdated version of Flash, they could be susceptible to known vulnerabilities.

Flash Vulnerabilities in Exploit Kits

An exploit kit, then, is a toolkit that identifies software vulnerabilities on a device, then uploads and executes malicious code in order to steal data or control the machine.

Eight out of the top 10 vulnerabilities used by exploit kits this year targeted Flash, according to Recorded Future, while IE 10 and 11 were also major targets. The Angler exploit kit is one of the most notorious kits used to deliver malware – according to research by Sophos, malware was delivered mainly through exploits on Internet Explorer (59%) and Flash (41%).

The most recent research reveals that over 90,000 compromised websites involve Angler, which is also updated periodically, according to Palo Alto Networks. It’s also pretty smart – the malicious scripts can stay invisible to evade detection by virus scanners, and they can choose to target specific IP ranges and certain configurations, including IE users.

One real-life example is the Guardian’s website, which was serving up Angler on an older article, as reported by ZDNet.com. Angler carried exploits for two different vulnerabilities: one targeted a weakness in Windows Object Linking and Embedding (OLE) Automation, and the other checked a user’s machine before serving up a Flash exploit.

A compromised web page can be modified to include HTML that loads a malicious Flash file. Below is an example of the ActionScript within the file that would redirect the user to send traffic to the Angler exploit kit.

ActionScript Angler

This method of infection is called drive-by download, meaning a user can get hit by merely visiting a certain website.
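The injected HTML described above (an `<object>` or `<embed>` pulling a SWF from somewhere the page owner never intended) is something a defender can look for in crawled or proxied pages. The following Python script is an added example, not code from the original post and not the ActionScript shown in the post's screenshot; it parses an HTML document, collects every Flash reference, and flags those served from a third-party host or sized 0x0/1x1, the shape of an invisible loader. Both heuristics and the sample page (with its placeholder hostnames) are constructed for this example.

```python
"""Flag Flash (SWF) embeds in fetched HTML that look like injected drive-by loaders.
Added example, not code from the original post.  The HTML sample and the
hostnames in it are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SWF_MIME = "application/x-shockwave-flash"


class SwfEmbedFinder(HTMLParser):
    """Collect every <object>, <embed> and <param name="movie"> that references a .swf."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []  # list of (tag, absolute_url, attrs)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = None
        if tag == "object" and (a.get("type") == SWF_MIME or a.get("data", "").lower().endswith(".swf")):
            src = a.get("data")
        elif tag == "embed" and (a.get("type") == SWF_MIME or a.get("src", "").lower().endswith(".swf")):
            src = a.get("src")
        elif tag == "param" and a.get("name", "").lower() == "movie":
            src = a.get("value")
        if src:
            # Resolve relative paths against the page so host comparison works.
            self.embeds.append((tag, urljoin(self.page_url, src), a))


def audit_flash_embeds(page_url, html):
    """Return one finding per SWF reference, with the reasons it looks suspicious.

    Heuristics (assumptions of this example, not from the post):
      third_party -- SWF served from a host other than the page's own
      hidden      -- width/height of 0 or 1, typical of an invisible loader
    """
    finder = SwfEmbedFinder(page_url)
    finder.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for tag, url, attrs in finder.embeds:
        reasons = []
        if urlparse(url).hostname != page_host:
            reasons.append("third_party")
        dims = {attrs.get(k, "").strip() for k in ("width", "height")}
        if dims & {"0", "1"}:
            reasons.append("hidden")
        findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings


# Constructed sample: a legitimate first-party video player plus an injected 1x1 loader.
SAMPLE_PAGE_URL = "https://news.example.com/2015/old-article"
SAMPLE_HTML = """
<html><body>
<object type="application/x-shockwave-flash" data="/player/video.swf" width="640" height="360">
  <param name="movie" value="/player/video.swf">
</object>
<embed src="http://cdn-ads.example.net/x/loader.swf" width="1" height="1" type="application/x-shockwave-flash">
</body></html>
"""


def suspicious_embeds(page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML):
    """Only the findings that tripped at least one heuristic."""
    return [f for f in audit_flash_embeds(page_url, html) if f["reasons"]]


if __name__ == "__main__":
    for f in audit_flash_embeds(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["tag"], f["url"], f["reasons"] or ["ok"])
```

Run against the sample, the first-party player and its `<param>` pass clean while the 1x1 embed from the ad host is reported with both reasons. In practice the same check would be run over pages fetched through a web proxy or a periodic crawl of the company's own sites, with the list of approved SWF hosts replacing the simple same-host test.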

Flash Exploits Delivered via DNS

Another way that attackers deliver the Angler exploit kit is by hacking domain name system (DNS) records, according to Sophos. By adding a few subdomains to the DNS records of legit domains, they can deliver the malware via websites that look somewhat authentic – this is called domain shadowing.

For example, a legit site could be: companywebsite.com. A subdomain of that site that a malicious hacker might set up could be hacker.companywebsite.com.

But domain shadowing is only possible with access to legit DNS records, which is typically via stolen DNS credentials. Securing DNS accounts with two-factor authentication and email notifications after any DNS changes can reduce the risk of exploitation.
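Because domain shadowing adds records to a zone the owner already controls, the simplest detection is the one the paragraph above hints at: keep a snapshot of the zone and alert on anything that appears later, especially names that resolve outside the address space the company actually owns. The following Python script is an added example (not from the original post); the two zone snapshots, the `companywebsite.com` subdomains and the owned network range are all constructed placeholders.

```python
"""Detect domain shadowing by diffing DNS zone snapshots.
Added example, not from the original post.  Both snapshots and the owned
address range below are constructed placeholders."""
import ipaddress

# Snapshot taken when the zone was last reviewed (constructed baseline).
BASELINE = {
    "companywebsite.com": ("A", "203.0.113.10"),
    "www.companywebsite.com": ("A", "203.0.113.10"),
    "mail.companywebsite.com": ("A", "203.0.113.25"),
}

# Snapshot pulled from the DNS provider today (constructed; two names were added).
CURRENT = {
    "companywebsite.com": ("A", "203.0.113.10"),
    "www.companywebsite.com": ("A", "203.0.113.10"),
    "mail.companywebsite.com": ("A", "203.0.113.25"),
    "hacker.companywebsite.com": ("A", "198.51.100.77"),  # not in baseline
    "x7k2.companywebsite.com": ("A", "198.51.100.78"),    # not in baseline
}

# Address space the company actually owns (constructed placeholder range).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def diff_zone(baseline, current):
    """Return (added, removed, changed) record names between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return added, removed, changed


def outside_owned_space(ip_str, owned=OWNED_NETWORKS):
    """True when an address is not inside any network the company owns."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in owned)


def shadowing_alerts(baseline=BASELINE, current=CURRENT, owned=OWNED_NETWORKS):
    """Names that appeared or changed since the baseline AND now point outside
    owned address space: the records that warrant an immediate check of the
    DNS account, as the post recommends."""
    added, _, changed = diff_zone(baseline, current)
    alerts = []
    for name in added + changed:
        rtype, value = current[name]
        if rtype in ("A", "AAAA") and outside_owned_space(value, owned):
            alerts.append(name)
    return alerts


if __name__ == "__main__":
    added, removed, changed = diff_zone(BASELINE, CURRENT)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("shadowing alerts:", shadowing_alerts())
```

Any new or changed record is worth an email notification to the DNS account owner (the post's own recommendation); the stricter "outside owned space" filter picks out the subset that most resembles shadowing, where the attacker points the new name at infrastructure they control rather than at the company's servers.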

Flash Infection via Malvertising

Last August, the third version of the RIG exploit kit had reportedly infected 1.25 million machines since its release, owing its high rate of infection to a few Adobe Flash exploits, according to Trustwave and ZDNet.com.

Ninety percent of traffic to the RIG exploit kit is due to malvertising. Attackers embedded malicious code into online advertisements shown across different websites, spread via advertising networks. When users click on them, they get redirected to the exploit kit.

Similar to the idea behind domain shadowing, malvertising borrows the credibility of ad networks to spread to legit websites while remaining undetected, just as hackers borrow the credibility of legit subdomains created through real DNS accounts to bypass threat detection software.

The Impact on Companies

If just one device on your network is running an older version of Flash, it could be exploited to run malware against your applications and systems, allowing attackers to steal confidential data from your company.

And according to Duo’s analytics, almost half of all users are running outdated versions of browsers, Flash and Java, leaving them (and their companies) susceptible to a long list of known vulnerabilities.

Outdated Plugins and Browsers

It’s not easy for administrators to control unmanaged devices – that is, laptops, phones, tablets and other user-owned devices that are used for work purposes. Users aren’t always aware of the latest updates, and may not realize the potential impact of waiting to update to the latest versions.

Protecting Against Flash Vulnerabilities

With Duo, you can find out which of your company’s devices are running Flash, as well as which versions are outdated and vulnerable by using our Device Insight and Device Analysis features that display the user data on an easy-to-read administrative dashboard.

Outdated Plugins

Duo also checks for outdated versions of browsers, such as IE, which is another popular target. Now that Microsoft has announced it is dropping support for older versions of IE, including 8, 9 and 10, it’s even more of a security risk to allow your users to connect to your company’s resources using an old, insecure browser.

Administrators also have the option of enabling Duo’s Self-Remediation feature for their users: whenever a user logs into your company’s VPN or email account and completes Duo’s two-factor authentication, their device is checked for outdated software. If any is found, Duo notifies the user and gives them a link to update to the latest version, making your job easier and closing security gaps quickly.

Other ways to protect yourself:

  • Uninstall and disable Flash entirely – here’s how to do it in every browser
  • Enable Click-to-Play, which blocks Flash content from loading by default. Here’s how to do it in every browser
  • Switch to a browser that sends automatic, timely updates for plugins, like Chrome
  • Don’t use outdated browser versions – Microsoft ends support for old IE versions today

Check Your Current Version of Flash

If you’re unsure what version of Flash you’re currently running on your device, visit the Adobe site, which will tell you what version as well as a list of the most recent versions for different platforms and browsers.
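Whether the version data comes from a dashboard such as the one described under "Protecting Against Flash Vulnerabilities" or from users checking the Adobe site by hand, the underlying check is the same: parse the four-part Flash version string and compare it with the version Adobe currently lists. The following Python script is an added example, not Duo's Device Insight code and not from the original post; the device inventory and the minimum version `20.0.0.267` are constructed placeholders, and the real minimum should be taken from Adobe's site as the paragraph above suggests.

```python
"""Classify devices by their reported Flash Player version against a required minimum.
Added example, not Duo's code and not from the original post.  The inventory and
MINIMUM_FLASH below are constructed placeholders."""
import re

# One to four dot-separated integers, e.g. "20.0.0.267" or "18.0".
VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,3}$")


def parse_version(text):
    """'20.0.0.267' -> (20, 0, 0, 267); shorter strings are padded with zeros.
    Returns None for anything that is not a version string."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(reported, minimum):
    """Return 'not_installed', 'unknown', 'outdated' or 'current'.

    Tuple comparison does the numeric, part-by-part ordering, which is why
    version strings must never be compared as plain text ("9" > "20")."""
    if reported is None:
        return "not_installed"
    v = parse_version(reported)
    m = parse_version(minimum)
    if v is None or m is None:
        return "unknown"  # e.g. "n/a" or a garbled agent report
    return "outdated" if v < m else "current"


# Constructed inventory: (device name, reported Flash version or None if absent).
INVENTORY = [
    ("laptop-01", "20.0.0.267"),
    ("laptop-02", "18.0.0.209"),
    ("phone-07", None),
    ("desktop-03", "20.0.0.235"),
    ("tablet-02", "n/a"),
]

MINIMUM_FLASH = "20.0.0.267"  # placeholder; use the version Adobe lists as current


def report(inventory=INVENTORY, minimum=MINIMUM_FLASH):
    """Group device names by their classification."""
    summary = {"not_installed": [], "unknown": [], "outdated": [], "current": []}
    for device, version in inventory:
        summary[classify(version, minimum)].append(device)
    return summary


if __name__ == "__main__":
    for status, devices in report().items():
        print(f"{status:14s} {', '.join(devices) or '-'}")
```

Devices landing in `outdated` are the ones to push toward an update (or toward removing Flash altogether); those in `unknown` deserve a second look, since an agent that cannot report a version is not much better than one reporting an old one.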

What’s Next for Flash

Most are hoping it just dies – meaning developers stop creating apps, ads and videos using it, major browsers start blocking it, etc. Many predict it’s on its way out, as Adobe announced they were rebranding Adobe Flash Professional as Adobe Animate CC, part of the Creative Cloud update to come this month.

Adobe Animate will support HTML5, acknowledging the industry’s demand for animations that leverage web standards and the emergence of HTML5. However, Adobe will still continue to support Flash – but who knows for how long.

TAGGED: data security, information security
thu@duosecurity.com January 12, 2016