Is Flash’s Exploit Crown Slipping?

April 4, 2018 • The Recorded Future Team

Key Takeaways

  • Exploits targeting Adobe Flash made up three of the top 10 vulnerabilities exploited in 2017.
  • Although this marks a significant decline from past years, Flash still maintains a large presence on the web, due in part to its use on popular websites like Facebook and in other major applications.
  • Flash users should take some precautionary steps like making sure to update Flash to the latest version whenever patches are released, and should consider switching to browsers, like Chrome, that do not enable Flash by default.

For better or worse, Adobe Flash is no longer the king of the hill. According to our research of the top vulnerabilities exploited by threat actors in 2017, seven of the top 10 vulnerabilities that went on to be exploited targeted Microsoft products, while only three targeted Flash. This provides a window into both the shifting practices of threat actors and the declining use of Flash around the web. But make no mistake — Flash still holds an outsize position in web and mobile applications, including apps that handle financial data and social media giants like Facebook, and it accounted for dozens of critical vulnerabilities identified last year. All Flash users should make sure to take precautionary steps to protect themselves.

Flash’s Unenviable Pole Position

Flash originally gained popularity because it provided a simple way to display text, graphics, and streaming video in applications, and it was capable of capturing device inputs, making it handy for web development, games, and other apps. As better and more secure technologies like HTML5 have appeared, Flash has begun to be phased out, and Adobe will stop supporting it entirely in 2020.

According to Adobe, in 2015, an estimated 1 billion devices, from desktop computers to phones to tablets, ran Flash software, and over 20,000 mobile apps, including apps with access to financial information like the Apple App Store and Google Play, used Flash. But many apps, including most Google services, no longer use it, and generally, Flash has seen a steady decline in use since 2015 — by one measure, some 80 percent of web users would encounter at least one web page with Flash content a day in late 2014, but by July 2017, that number was down to around 17 percent.

However, some 5.6 percent of all websites still use Flash in some form, including one major player: Facebook. The third most visited website globally, Facebook still uses Flash to run its videos and other applications, and its 2.1 billion monthly active users view billions of videos daily. It’s also consistently used in web games — 24 of the top 25 games on Facebook run Flash.

Flash hides in other Adobe technologies as well. Many popular apps continue to be built using Adobe Air, a runtime system that incorporates Flash alongside other technologies across mobile and desktop operating systems. Adobe Reader, which uses Flash, is used to open around 200 billion PDFs every year, providing another popular vector for exploits.

The trouble is, according to Adobe’s own statistics, only some hundreds of millions of the billions of Flash users update to the newest version of Flash Player within six weeks. Although Adobe seems to tout this as a laudable statistic, in cybersecurity terms, six weeks may as well be an eternity. Research has shown that newly discovered vulnerabilities are exploited within two weeks on average, or not at all, so updating vulnerable software after six weeks is about as effective as getting last winter’s flu shot this spring.

And even as Flash usage declines, numerous vulnerabilities continue to be identified. In 2017, 63 security vulnerabilities were identified in Flash, and of those, 57 were critical vulnerabilities, meaning they would allow attackers to get past security measures and either collect sensitive information or execute their own code.

Exploit Preferences Shift Away From Flash

According to our research and analysis of open, deep, and dark web sources, criminal exploit kits and phishing campaigns have shifted toward Microsoft products and away from Adobe Flash. In 2017, seven of the top 10 vulnerabilities exploited targeted Microsoft products, with the remaining three targeting Flash. This is a steep decline from previous years — Flash accounted for six of the top 10 in 2016, and eight in 2015.

There are a few reasons for this shift, but the main one is likely Flash’s overall decline in use. A particular driver is Google Chrome, now the browser of choice for about 60 percent of users, which blocks Flash by default and uses HTML5 instead. Whether this default stance is the cause of Flash’s continued decline or an effect of it is another question.

Evolving criminal uses may also explain the decline of exploits targeting Flash. Exploit kits are being used less and less as threat actors have focused their efforts on cryptocurrency mining malware, in line with the exploding popularity — and value — of cryptocurrency in the past year. Threat actors who have turned to cryptocurrency mining have seen benefits like spending less time collecting ransomware payments from victims and avoiding rising Bitcoin transaction fees.

Flash Remains Risky — Here’s How to Stay Protected

Although Flash is no longer the top avenue of exploitation, using it still leaves you open to attack. To protect yourself, consider the following steps:

  • Prioritize patching Flash if you use critical software that relies on it, making sure to update all systems to the newest version in less than two weeks.
  • Remove software that runs Flash if it doesn’t impact key business processes.
  • Consider Google Chrome as a primary browser.
  • Be aware that Facebook and other social media sites use Flash technology and users frequently enable Flash to run on these sites.
  • Use browser ad-blockers to prevent exploitation via malvertising.
  • Frequently back up systems, particularly of shared files, which are regular ransomware targets.
  • Train employees to be skeptical of emails that request additional information or prompt them to click on links or attachments. Companies will not generally ask customers for personal or financial data, but when in doubt, contact the company directly by phone and confirm whether they actually need the information.

For more information on vulnerabilities exploited by threat actors in 2017, download your complimentary copy of “The Top 10 Vulnerabilities Used by Cybercriminals.”