October 5, 2015 By Douglas Bonderud 2 min read

Halloween is just around the corner, and companies are doing everything they can to make sure the rest of 2015 is all treat and no trick. But for Adobe and its popular Flash Player, security flaws just won’t stay in the ground. According to CSO Online, a Flash bypass supposedly patched by the company’s last security update didn’t solve the problem. Now the bug is back from the digital grave to bother users again. Here are all the spooky details.

Adobe Rises Up

The Flash bypass technique CVE-2015-5560 was first caught in August 2015 and targeted by security update While reproducing the bug to ensure its product would detect it, security company Morphisec discovered a few oddities. First, the exploit was encrypted upon delivery and required access to a server-side component to conclude. In practice, this is a more difficult attack vector and took Morphisec some time to duplicate, but it also means the exploit is disposable and, in turn, much more difficult for signature-based detection programs to identify and eliminate.

But the company also noticed something else: The attack still used vector exploitation of Flash version despite assurances the problem had been fixed. Even with a major redesign to Flash and the addition of two specific mitigations, Morphisec found that Adobe “failed to mitigate the most popular and easiest method of vector corruptions to exploit.”

In other words, this wasn’t a case of corporate ignorance, but rather an excellent example of the current software security market: Nothing is ever perfectly secure. And solutions like Flash, which is still used by thousands of companies worldwide, offer big rewards for cybercriminals who discover critical flaws — enough that malicious actors are willing to find workarounds even after mitigation to bring these exploits back from the dead.

Familiar Door

This isn’t the first time Flash has been on the receiving end of an exploit attack. According to BBC, for example, similar warnings were issued in June 2015 about a vulnerability in version, which used the Angler toolkit to gain access and potentially deploy ransomware. Both the BBC and CSO Online noted that companies are often slow to update Flash despite existing vulnerabilities, with many running two or three versions behind.

Of course, it can be hard to keep up: ZDNet discussed the surprise critical update Adobe released on Sept. 21, which targeted 23 critical vulnerabilities. Some experts speculated that the off-schedule patch was a way to avoid disclosure dates for specific flaws and ensure users were patched ahead of public exploit knowledge.

Bottom line? The sheer number of Flash users coupled with its aging code makes it a gold mine for cybercriminals. Adobe is doing its best to keep up with emerging problems and stay ahead of disclosure dates, but as the most recent vector exploit demonstrated, even bugs that are in the ground don’t always stay dead.

For companies using Flash, it’s critical to patch frequently and also rely on regularly updated, real-time detection tools. For businesses that can avoid this long-in-the-tooth technology, meanwhile, staying out of the graveyard is a better choice than following the crowd.

More from

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today