F-Secure Labs has discovered a surge in the number of exploits targeting Adobe’s Flash plug-in. Given the consistent use of Flash vulnerabilities in crimeware, F-Secure is adding their voice to other security researchers suggesting that Adobe and other companies reconsider using the popular plug-in.
Flash vulnerabilities were thrust in the limelight after a zero-day exploit used by the Italy-based surveillance company Hacking Team was stolen in a recent attack, resulting in its proliferation in exploits kits used by criminals. According to F-Secure Labs, detections of Flash exploits from exploit kits increased by 82% in the days following the attack.* Researchers are attributing this increase to the adoption of the zero-day exploit stolen in the hack, as well as the subsequent discovery of two additional zero-day exploits.** Consequentially, security researchers are becoming more vocal in their criticism of Flash’s security flaws.**
“Criminals using exploit kits typically target insecure software that’s widely used, and Flash has given them an easy target for at least the past seven or eight months,” said F-Secure Senior Researcher Timo Hirvonen. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely.”
Businesses Need to Better Manage Flash-Based Risks
Exploit kits are sets of tools that criminals use to create crimeware campaigns, and largely attempt to infect computers with malware that exploits vulnerabilities in software. Exploit kits have historically been proficient at exploiting vulnerabilities in Java and older versions of Microsoft Windows, but exploits targeting Flash have become more prominent in 2015.
According to F-Secure Security Advisor Sean Sullivan, businesses need to pay closer attention to how employees expose themselves to online threats by carelessly browsing the web. “I characterize Flash as a low-hanging fruit because it’s become such a popular target for opportunistic attacks,” he said. “Businesses need to be proactive about protecting their employees from this threat. F-Secure’s software is able to detect these exploits, and products like Software Updater ensure Flash and similar applications are promptly patched as soon as new vulnerabilities are discovered.”
Software Updater is a feature offered on F-Secure’s Business Suite and Protection Service for Business lines of corporate security products. F-Secure Booster is a consumer-oriented product that people can use to protect themselves from exploit kits by keeping their personal Windows PCs updated with the latest security patches.