Halloween is just around the corner, and companies are doing everything they can to make sure the rest of 2015 is all treat and no trick. But for Adobe and its popular Flash Player, security flaws just won’t stay in the ground. According to CSO Online, a Flash bypass supposedly patched by the company’s last security update didn’t solve the problem. Now the bug is back from the digital grave to bother users again. Here are all the spooky details.

Adobe Rises Up

The Flash bypass technique CVE-2015-5560 was first caught in August 2015 and targeted by security update 18.0.0.232. While reproducing the bug to ensure its product would detect it, security company Morphisec discovered a few oddities. First, the exploit was encrypted upon delivery and required access to a server-side component to conclude. In practice, this is a more difficult attack vector and took Morphisec some time to duplicate, but it also means the exploit is disposable and, in turn, much more difficult for signature-based detection programs to identify and eliminate.

But the company also noticed something else: The attack still used vector exploitation of Flash version 18.0.0.209 despite assurances the problem had been fixed. Even with a major redesign to Flash and the addition of two specific mitigations, Morphisec found that Adobe “failed to mitigate the most popular and easiest method of vector corruptions to exploit.”

In other words, this wasn’t a case of corporate ignorance, but rather an excellent example of the current software security market: Nothing is ever perfectly secure. And solutions like Flash, which is still used by thousands of companies worldwide, offer big rewards for cybercriminals who discover critical flaws — enough that malicious actors are willing to find workarounds even after mitigation to bring these exploits back from the dead.

Familiar Door

This isn’t the first time Flash has been on the receiving end of an exploit attack. According to BBC, for example, similar warnings were issued in June 2015 about a vulnerability in version 18.0.0.160, which used the Angler toolkit to gain access and potentially deploy ransomware. Both the BBC and CSO Online noted that companies are often slow to update Flash despite existing vulnerabilities, with many running two or three versions behind.

Of course, it can be hard to keep up: ZDNet discussed the surprise critical update Adobe released on Sept. 21, which targeted 23 critical vulnerabilities. Some experts speculated that the off-schedule patch was a way to avoid disclosure dates for specific flaws and ensure users were patched ahead of public exploit knowledge.

Bottom line? The sheer number of Flash users coupled with its aging code makes it a gold mine for cybercriminals. Adobe is doing its best to keep up with emerging problems and stay ahead of disclosure dates, but as the most recent vector exploit demonstrated, even bugs that are in the ground don’t always stay dead.

For companies using Flash, it’s critical to patch frequently and also rely on regularly updated, real-time detection tools. For businesses that can avoid this long-in-the-tooth technology, meanwhile, staying out of the graveyard is a better choice than following the crowd.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…