Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most-refquently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.

Re:More holes than swiss cheese

[bmo]

>How can *one* piece of software have so many fucking critical vulnerabilities over the years?

Because it's spaghetti code. It's so bad that the single Linux maintainer flipped his shit years ago and wrote an angry blog post about it. I tried looking for the article, but that is too much of a needle/haystack problem.

Apparently it's been a fucking mess from the beginning.

--
BMO

Re:More holes than swiss cheese

[msauve]

If someone's ever actually interacted with an Adobe product, they know. They're shit. Really. Open an Acrobat index, and the search dialog (which is what you want to get to) appears _behind_ a blank document window, which is useless. WTF?

Adobe's contribution to computing began and ended with Postscript. I'll also give some credit for the pdf format/concept itself, despite obvious flaws in the implementation. Photoshop is a convoluted mess which is successful in spite of its faults, purely due to inertia and lack of competition. All else they've ever created simply sucks.

I'd believe the spaghetti code explanation, but that's a rationalization, not an excuse.

Re:That's still just postscript (zipped)

[Dusthead+Jr.]

Flash wasn't created by Macromedia either. It was created by FutureWave to complete against Macromedia's Shockwave. Macromedia bought FutureWave.

Re:Official statement from Adobe:

[Bert64]

Flash gets targeted because its a monoculture, 95% of potential victims are running the same flash plugin with the same vulnerabilities, there aren't really any alternative flash plugins.
Targeting the browser is less effective these days as there are several major browsers and your potential victims could be using any of them.

Targeting IE instead of Firefox is still more effective as its a default install. Anyone running Firefox has generally gone out of their way to install it and is more likely to keep it up to date, users running IE are generally doing so just because it's there and are likely to be less tech savvy.
Back when IE had 95% of the browser market it was the obvious target.