October 5, 2015 By Douglas Bonderud 2 min read


Halloween is just around the corner, and companies are doing everything they can to make sure the rest of 2015 is all treat and no trick. But for Adobe and its popular Flash Player, security flaws just won’t stay in the ground. According to CSO Online, a Flash bypass supposedly patched by the company’s last security update didn’t solve the problem. Now the bug is back from the digital grave to bother users again. Here are all the spooky details.

Adobe Rises Up

The Flash bypass technique tracked as CVE-2015-5560 was first caught in August 2015 and addressed by Flash Player security update 18.0.0.232. While reproducing the bug to ensure its product would detect it, security company Morphisec discovered a few oddities. First, the exploit was delivered in encrypted form and required access to a server-side component to complete. In practice, this is a more difficult attack vector and took Morphisec some time to duplicate, but it also means the exploit is disposable and, in turn, much more difficult for signature-based detection programs to identify and eliminate.

But the company also noticed something else: The attack still used vector exploitation of Flash version 18.0.0.209 despite assurances the problem had been fixed. Even with a major redesign to Flash and the addition of two specific mitigations, Morphisec found that Adobe “failed to mitigate the most popular and easiest method of vector corruptions to exploit.”

In other words, this wasn’t a case of corporate ignorance, but rather an excellent example of the current software security market: Nothing is ever perfectly secure. And solutions like Flash, which is still used by thousands of companies worldwide, offer big rewards for cybercriminals who discover critical flaws — enough that malicious actors are willing to find workarounds even after mitigation to bring these exploits back from the dead.

Familiar Door

This isn’t the first time Flash has been on the receiving end of an exploit. According to BBC, for example, similar warnings were issued in June 2015 about a vulnerability in version 18.0.0.160, which was exploited via the Angler toolkit to gain access and potentially deploy ransomware. Both the BBC and CSO Online noted that companies are often slow to update Flash despite known vulnerabilities, with many running two or three versions behind.

Of course, it can be hard to keep up: ZDNet discussed the surprise critical update Adobe released on Sept. 21, which targeted 23 critical vulnerabilities. Some experts speculated that the off-schedule patch was a way to avoid disclosure dates for specific flaws and ensure users were patched ahead of public exploit knowledge.

Bottom line? The sheer number of Flash users coupled with its aging code makes it a gold mine for cybercriminals. Adobe is doing its best to keep up with emerging problems and stay ahead of disclosure dates, but as the most recent vector exploit demonstrated, even bugs that are in the ground don’t always stay dead.

For companies using Flash, it’s critical to patch frequently and also rely on regularly updated, real-time detection tools. For businesses that can avoid this long-in-the-tooth technology, meanwhile, staying out of the graveyard is a better choice than following the crowd.
