
    Analysis Finds Flash Top Exploit Target as Adobe Fixes Latest Flaws

    Written by

    Robert Lemos
    Published November 11, 2015

      Software maker Adobe issued an update on Nov. 10 to fix 17 critical vulnerabilities in its ubiquitous Flash player, the day after an analysis found that the program was the most popular target of exploit-kit developers.

      The patch, released the same day as Microsoft’s regular Patch Tuesday, closes a variety of vulnerabilities found by researchers working with the Zero Day Initiative, Google’s Project Zero and security firm Endgame.

      Adobe Flash is the most popular software targeted by exploit kits, with eight Flash vulnerabilities in the top-10 list of security issues referenced in discussions of exploit kits, according to an analysis released by data-research firm Recorded Future the day before the update.

      The analysis suggests that companies and consumers should patch their Flash as soon as possible, Scott Donnelly, senior analyst with Recorded Future, told eWEEK. “The goal of this analysis is to drive the decision making of vulnerability management teams,” he said. “This is to show the obvious security steps that people should be thinking about—patch Adobe.”

      Exploit kits are ready-made software packages used by cyber-criminals to infect and then further compromise victims’ computers. A number of popular programs—such as Oracle’s Java, Microsoft’s Office and Adobe’s Flash and Acrobat—are perennial favorites of the developers who create the kits, because the potential user base is so large.

      While many exploit kits focused on Java over the past three years, the trend appears to be changing, Donnelly said.

      “Java was the darling of exploit kits until a couple of years ago,” he said. “Adobe Flash has such a strong install base, that it’s becoming a more popular target. It is all about targets of opportunity and taking advantage of the most popular software.”

      Recorded Future found that exploits targeting eight vulnerabilities in Flash were the most discussed security issues in exploit-kit forums. The company used natural language processing to mine forums and social media for discussions on 108 different exploit kits and found the vulnerabilities most often mentioned in exploit-kit discussions. Flash dominated the forums, with an Internet Explorer vulnerability taking the ninth slot and a Microsoft Silverlight vulnerability coming in tenth.

      The most popular exploit kit on discussion boards is Angler, which has been linked to several high-profile criminal campaigns using tactics such as malvertising and ransomware. The developers behind Angler quickly adopt new exploits and incorporate new evasion techniques to dodge defenders.

      Adobe stressed that Flash’s popularity makes the software a target and that the company regularly updates Flash to fix security flaws. In addition, most exploit-kit attacks aim at older flaws that have already been patched, so users who keep their software up-to-date will be better protected, an Adobe spokesperson stated in answer to an email request.

      “We employ comprehensive security software engineering practices and processes in building our products and responding to security issues,” the spokesperson said. “We are continuously working to improve Flash Player security as the threat landscape evolves, and when issues arise as in this case, we work to quickly address them.”

      The Recorded Future analysis does not necessarily identify the most serious or threatening exploits. A zero-day attack, for example, would not be discussed, but would cause a lot more damage if included in an exploit kit, Donnelly said. Instead, the analysis identified the most talked-about issues—the celebrities of the exploit-kit world.

      “This could be seen almost more as a media analysis than what the actual security teams have to worry about,” Donnelly said. “But that still leaves the obvious first step, which is to make sure that Flash is patched.”

      The company’s analysis of Web sources incorporates social media, forums and technical reporting, Recorded Future said.

      Editor’s Note: This story has been updated to include comments from Adobe.

      Robert Lemos
      Robert Lemos is an award-winning journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
