Halloween is just around the corner, and companies are doing everything they can to make sure the rest of 2015 is all treat and no trick. But for Adobe and its popular Flash Player, security flaws just won’t stay in the ground. According to CSO Online, a Flash bypass supposedly patched by the company’s last security update didn’t solve the problem. Now the bug is back from the digital grave to bother users again. Here are all the spooky details.
Adobe Rises Up
The Flash bypass technique CVE-2015-5560 was first caught in August 2015 and targeted by security update 18.104.22.168. While reproducing the bug to ensure its product would detect it, security company Morphisec discovered a few oddities. First, the exploit was encrypted upon delivery and required access to a server-side component to conclude. In practice, this is a more difficult attack vector and took Morphisec some time to duplicate, but it also means the exploit is disposable and, in turn, much more difficult for signature-based detection programs to identify and eliminate.
But the company also noticed something else: The attack still used vector exploitation of Flash version 22.214.171.124 despite assurances the problem had been fixed. Even with a major redesign to Flash and the addition of two specific mitigations, Morphisec found that Adobe “failed to mitigate the most popular and easiest method of vector corruptions to exploit.”
In other words, this wasn’t a case of corporate ignorance, but rather an excellent example of the current software security market: Nothing is ever perfectly secure. And solutions like Flash, which is still used by thousands of companies worldwide, offer big rewards for cybercriminals who discover critical flaws — enough that malicious actors are willing to find workarounds even after mitigation to bring these exploits back from the dead.
This isn’t the first time Flash has been on the receiving end of an exploit attack. According to BBC, for example, similar warnings were issued in June 2015 about a vulnerability in version 126.96.36.199, which used the Angler toolkit to gain access and potentially deploy ransomware. Both the BBC and CSO Online noted that companies are often slow to update Flash despite existing vulnerabilities, with many running two or three versions behind.
Of course, it can be hard to keep up: ZDNet discussed the surprise critical update Adobe released on Sept. 21, which targeted 23 critical vulnerabilities. Some experts speculated that the off-schedule patch was a way to avoid disclosure dates for specific flaws and ensure users were patched ahead of public exploit knowledge.
Bottom line? The sheer number of Flash users coupled with its aging code makes it a gold mine for cybercriminals. Adobe is doing its best to keep up with emerging problems and stay ahead of disclosure dates, but as the most recent vector exploit demonstrated, even bugs that are in the ground don’t always stay dead.
For companies using Flash, it’s critical to patch frequently and also rely on regularly updated, real-time detection tools. For businesses that can avoid this long-in-the-tooth technology, meanwhile, staying out of the graveyard is a better choice than following the crowd.