Analysis Finds Flash Top Exploit Target as Adobe Fixes Latest Flaws

Adobe releases an update for 17 critical Flash vulnerabilities the day after an analysis finds that Flash is the most popular target of exploit kits.


Software maker Adobe issued an update on Nov. 10 to fix 17 critical vulnerabilities in its ubiquitous Flash player, the day after an analysis found that the program was the most popular target of exploit-kit developers.

The patch, released the same day as Microsoft's regular Patch Tuesday, closes a variety of vulnerabilities found by researchers working with the Zero Day Initiative, Google's Project Zero and security firm Endgame.

Adobe Flash is the most popular software targeted by exploit kits, with eight Flash vulnerabilities in the top-10 list of security issues referenced in discussions of exploit kits, according to an analysis released by data-research firm Recorded Future the day before the update.

The analysis suggests that companies and consumers should patch their Flash as soon as possible, Scott Donnelly, senior analyst with Recorded Future, told eWEEK. "The goal of this analysis is to drive the decision making of vulnerability management teams," he said. "This is to show the obvious security steps that people should be thinking about—patch Adobe."

Exploit kits are ready-made software packages used by cyber-criminals to infect and then further compromise victims' computers. A number of popular programs—such as Oracle's Java, Microsoft's Office and Adobe's Flash and Acrobat—are perennial favorites of the developers who create the kits, because the potential user base is so large.

While many exploit kits focused on Java over the past three years, the trend appears to be changing, Donnelly said.

"Java was the darling of exploit kits until a couple of years ago," he said. "Adobe Flash has such a strong install base, that it's becoming a more popular target. It is all about targets of opportunity and taking advantage of the most popular software."

Recorded Future found that exploits targeting eight vulnerabilities in Flash were the most discussed security issues in exploit kit forums. The company used natural language processing to mine forums and social media for discussions on 108 different exploit kits and found the vulnerabilities most often mentioned in exploit-kit discussions. Flash dominated the forums, with an Internet Explorer vulnerability taking the ninth slot and a Microsoft Silverlight vulnerability coming in tenth.

The most popular exploit kit on discussion boards is Angler, which has been linked to several high-profile criminal campaigns using tactics such as malvertising and ransomware. The developers behind Angler quickly adopt new exploits and incorporate new evasion techniques to dodge defenders.

Adobe stressed that Flash's popularity makes the software a target and that the company regularly updates Flash to fix security flaws. In addition, most exploit-kit attacks aim at older flaws that have already been patched, so users who keep their software up-to-date will be better protected, an Adobe spokesperson stated in answer to an email request.

"We employ comprehensive security software engineering practices and processes in building our products and responding to security issues," the spokesperson said. "We are continuously working to improve Flash Player security as the threat landscape evolves, and when issues arise as in this case, we work to quickly address them."

The Recorded Future analysis does not necessarily identify the most serious or threatening exploits. A zero-day attack, for example, would not be discussed, but would cause a lot more damage, if included in an exploit kit, Donnelly said. Instead, the analysis identified the most talked about issues—the celebrities of the exploit-kit world.

"This could be seen almost more as a media analysis than what the actual security teams have to worry about," Donnelly said. "But that still leaves the obvious first step, which is to make sure that Flash is patched."

The company's analysis of Web sources incorporates social media, forums and technical reporting, Recorded Future said.

Editor's Note: This story has been updated to include comments from Adobe.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...