Slashdot Mirror


Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016 (onthewire.io)

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most-frequently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.

3 of 72 comments

  1. More holes than swiss cheese by Anonymous Coward · Score: 2, Insightful

    How can *one* piece of software have so many fucking critical vulnerabilities over the years? Seriously, Flash has had new exploits just about every month, going back 10 years or more. There comes a point where the opposite of Hanlon's razor becomes likely; this simply can't be incompetence anymore, it must be malice. Is the NSA running the show at Adobe or something?

  2. Why is this the case? by goombah99 · Score: 4, Insightful

    Is there something intrinsic about the functions that Adobe Flash does that makes this inevitable, or is it that Adobe started with an unfixable design model, or is it that Adobe is incompetent? Offhand I don't see a fourth option. Well, maybe just bad luck.

    So, for example: in the first option, we can compare the functionality of Adobe to other systems. Silverlight or H264 is not the same thing since, unless I'm mistaken, Adobe Flash is not just a codec but also a language. So a better point of comparison is Java. If it's a matter of functionality leading to intrinsic vulnerabilities in a browser setting then one would expect Java and Flash to have the same frequency of exploits. Perhaps what saves Java is that it's usually off by default and asks permission to run.

    Alternatively, if it's an unfixable design model, I don't see a dime's worth of difference between this and incompetence, except that the former is worse because one knows the design was incompetent but persists in selling it. It's like the difference between premeditated murder and manslaughter.

    So given they could eliminate most exploits, why don't all browsers quarantine Adobe or classify it as suspect malware?

    --
    Some drink at the fountain of knowledge. Others just gargle.

  3. Re:Official statement from Adobe: by Anonymous Coward · Score: 3, Insightful

    It is only hard to understand by people like you because you think that a bug is the same as a vulnerability. Guess what?? THEY AREN'T THE SAME THING.

    You can have millions of bugs and the application can be without a single vulnerability.

    Also, not all vulnerabilities are equal. Anything that requires physical access to the device is low on the vulnerability scale, while something that only requires somebody to visit a web-page is HIGH and dangerous.