F-Secure Labs has discovered a recent surge in the number of exploits targeting Adobe’s Flash plug-in. Given the consistent use of Flash vulnerabilities in crimeware, F-Secure is adding their voice to other security researchers, suggesting that Adobe and other companies reconsider using the popular plug-in.
Flash’s vulnerabilities were thrust into the limelight, after a zero-day exploit used by the Italy-based surveillance company Hacking Team was stolen in a recent attack, resulting in its proliferation in exploits kits used by criminals. According to F-Secure Labs, detections of Flash exploits from exploit kits increased by 82% in the days following the attack *.
Researchers are attributing this increase to the adoption of the zero-day exploit stolen in the hack, as well as the subsequent discovery of two additional zero-day exploits **. Consequentially, security researchers are becoming more vocal in their criticism of Flash’s security flaws ***.
“Criminals using exploit kits typically target insecure software that’s widely used and Flash has given them an easy target for at least the past seven or eight months,” said Timo Hirvonen, F-Secure’s senior researcher. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies and stop using Flash completely.”
Businesses need to manage Flash-based risks better
Exploit kits are sets of tools that criminals use to create crimeware campaigns and largely attempt to infect computers with malware that exploits vulnerabilities in software. Exploit kits have historically been proficient at exploiting vulnerabilities in Java and older versions of Microsoft Windows, but exploits targeting Flash have become more prominent in 2015.
According to Sean Sullivan, F-Secure’s security advisor, businesses need to pay closer attention to how employees expose themselves to online threats by carelessly browsing the web. “I characterise Flash as a low-hanging fruit because it’s become such a popular target for opportunistic attacks,” he said. “Businesses need to be proactive about protecting their employees from this threat. F-Secure’s software is able to detect these exploits and products like Software Updater ensure Flash and similar applications are promptly patched as soon as new vulnerabilities are discovered.”
Software Updater is a feature offered on F-Secure’s Business Suite and Protection Service for Business lines of corporate security products. F-Secure Booster is a consumer-oriented product that people can use to protect themselves from exploit kits, by keeping their personal Windows PCs updated with the latest security patches.
F-Secure has been defending tens of millions of people around the globe from digital threats for over 25 years. Our award-winning products protect people and companies against everything from crimeware to corporate cyberattacks, and are available from over 6000 resellers and 200 operators in more than 40 countries. We are on a mission to help people connect safely with the world around them, so join the movement and switch on freedom!Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.