April 4, 2018 • The Recorded Future Team
For better or worse, Adobe Flash is no longer the king of the hill. According to our research of the top vulnerabilities exploited by threat actors in 2017, seven of the top 10 vulnerabilities that went on to be exploited targeted Microsoft products, while only three targeted Flash. This provides a window into both the shifting practices of threat actors and the declining use of Flash around the web. But make no mistake — Flash still holds an outsize position in web and mobile applications, including apps that handle financial data and social media giants like Facebook, and it accounted for dozens of critical vulnerabilities identified last year. All Flash users should make sure to take precautionary steps to protect themselves.
Flash originally gained popularity because it provided a simple way to display text, graphics, and streaming video in applications, and it was capable of capturing device inputs, making it handy for web development, games, and other apps. As better and more secure technologies like HTML5 have appeared, Flash has begun to be phased out, and Adobe will stop supporting it entirely in 2020.
According to Adobe, in 2015, an estimated 1 billion devices, from desktop computers to phones to tablets, ran Flash software, and over 20,000 mobile apps, including apps with access to financial information like the Apple App Store and Google Play, used Flash. But many apps, including most Google services, no longer use it, and generally, Flash has seen a steady decline in use since 2015 — by one measure, some 80 percent of web users would encounter at least one web page with Flash content a day in late 2014, but by July 2017, that number was down to around 17 percent.
However, some 5.6 percent of all websites still use Flash in some form, including one major player: Facebook. The third most visited website globally, Facebook still uses Flash to run its videos and other applications, and its 2.1 billion monthly active users view billions of videos daily. It’s also consistently used in web games — 24 of the top 25 games on Facebook run Flash.
Flash hides in other Adobe technologies as well. Many popular apps continue to be built using Adobe Air, a runtime system that incorporates Flash alongside other technologies across mobile and desktop operating systems. Adobe Reader, which uses Flash, is used to open around 200 billion PDFs every year, providing another popular vector for exploits.
The trouble is that, according to Adobe’s own statistics, some hundreds of millions of the billions of Flash users update to a new version of Flash Player within six weeks. Although Adobe seems to tout this as a laudable statistic, in cybersecurity terms, six weeks may as well be an eternity. Research has shown that newly discovered vulnerabilities are exploited within two weeks on average, or not at all, meaning that updating vulnerable software after six weeks is about as effective as getting last winter’s flu shot this spring.
And even as Flash usage declines, numerous vulnerabilities continue to be identified. In 2017, 63 security vulnerabilities were identified in Flash, and of those, 57 were critical vulnerabilities, meaning they would allow attackers to get past security measures and either collect sensitive information or execute their own code.
According to our research and analysis of open, deep, and dark web sources, criminal exploit kits and phishing campaigns have shifted toward Microsoft products and away from Adobe Flash. In 2017, seven of the top 10 vulnerabilities exploited targeted Microsoft products, with the remaining three targeting Flash. This is a steep decline from previous years — Flash accounted for six of the top 10 in 2016, and eight in 2015.
There are a few reasons for this shifting focus, but the main one is likely simply Flash’s overall decline in use. One particular driver is that Google Chrome, now the browser of choice for about 60 percent of users, blocks Flash by default and uses HTML5 instead. Whether this default stance is the cause of Flash’s continued decline or an effect of it is another question.
Evolving criminal uses may also explain the decline of exploits targeting Flash. Exploit kits are generally being used less and less as threat actors have focused their efforts on cryptocurrency mining malware, in line with the exploding popularity — and value — of cryptocurrency in the past year. Threat actors who target cryptocurrency mining processes have seen benefits like spending less time on collecting victim ransomware payments and avoiding rising Bitcoin transaction fees.
Although Flash is no longer the top avenue of exploitation, using it still leaves you open to attack. To protect yourself, consider the following steps:
For more information on vulnerabilities exploited by threat actors in 2017, download your complimentary copy of “The Top 10 Vulnerabilities Used by Cybercriminals.”