Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most-refquently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.

That's still just postscript (zipped)

[raymorris]

You give them credit for Postscript and for pdf. Pdf is essentially Postscript, zipped, with some of the code commented out. So really they deserve credit just for Postscript.

Except that postscript was largely created at Xerox PARC, before John Warnock and Chuck Geschke left. Warnock and Geschke wanted Xerox to sell Postscript (then called Interpress) as a standalone product, but Xerox chose not to. So the two left and created Adobe to sell Xerox's idea.

So anyway their one great thing, Postscript, wasn't created by Adobe.

In the days when cross-browser Javascript/Actionscript was darn near impossible, Adobe Flash was *conceptually* a good idea - a plugin that carried the same dialect of JavaScript/Emacscript to every browser. Unfortunately they really, really suck at security.

Re:Why is this the case?

[mentil]

Flash is a pileup of every problem you mention and more. A vector animation plugin had a scripting language (ActionScript) tacked on top of it, and there are multiple versions of this language, each with its own legacy bugs, and newer versions of the plugin support older versions of ActionScript (so that old Flash files won't break). When I coded in it circa 2003, ActionScript was incredibly buggy, with many functions malfunctioning or being completely broken; it's safe to say that few to no parameters were being sanity-checked or sanitized. It was created in the ActiveX era where "rush it out the door before the competitors can" was at the top of the priority list, and anyone expressing concern for security was handed a pink slip and laughed out the door. New features were being added all the time at top speed and who has time to make it secure?
By the time ActiveX got tamped down on in the XP SP2 days, it became more clear how bad Flash (and Java) was in the security department, but I imagine many of the original coders had left, likely with little to no code documentation so it was effectively unmaintainable. Putting out fires of perceived insecurity by fixing publicly found vulnerabilities was the actual security goal then, with little proactive finding of vulnerabilities. Macromedia only made money from their Flash authoring software, not the plugin itself, and there were eventually free/cheaper programs that let you create or at least maintain Flash content, so the money for securing the plugin was never there.
Thankfully Chrome is leading the charge in killing it off for good. Nearly everything it does is done better (and more securely) by another technology now.