
It's no secret that 2015 was a rough year, security-wise, for Adobe's Flash Player. Aside from Adobe itself beginning to essentially deprecate Flash development, largely due to Flash Player's longstanding status as a primary target for attackers, the vulnerability report and security update stats tell a tale. The relevant page on Adobe's site lists 22 separate days on which it pushed out patches for Flash Player, including a sizable number of out-of-band releases to fix zero-days. (Like the Hacking Team zero-days. And the Pawn Storm zero-day. And the Christmas zero-day.) The National Vulnerability Database lists 330 discrete CVE ids that were issued for reported Flash Player vulnerabilities in 2015. Not fun numbers.

But the baffling thing to me is less that so many vulnerabilities were found in Flash Player in 2015 and more that so many more vulnerabilities were found in it in 2015 than in previous years. According to the NVD, in 2013, 56 CVEs were issued for Flash Player vulnerabilities. In 2014, the number increased somewhat to 74. But going from 74 to 330 is an astonishing jump.

So what was behind that dramatic surge last year? The only hypothetical factors that have occurred to my mind were (a) chance, (b) some major change in the way Adobe defines separate vulnerabilities, and (c) some shift in the focus of security researchers to hunting for Flash Player vulns as targets like Java client and Windows have (arguably) been hardened. But those are just wild, pseudo-educated guesses that even I don't find terribly compelling. Does anyone have anything more solid about why the number of Flash Player vulnerabilities/zero-days/patches exploded last year?

mostlyinformed
  • Typically, it's a result of programmers without adequate training in secure development practices. ;) – Mark Buffalo Jan 04 '16 at 15:03
  • @MarkBuffalo Systemic problems like this should be thought of as not having one single cause. Lack of training comes from a lack of concern for security. Not caring about security is often a cultural value within the entire organization. Culture usually filters down from the top, so if the top management cares (above everything else) about features, or deadlines, or is stuck in some bygone era where you just tack security on at the end, then the security gets pushed aside. Problems such as this can't be fixed at the individual developer level, and need to be organizational changes. – Steve Sether Jan 04 '16 at 15:15
  • @SteveSether Good point. I do agree... however, I also believe that individual developers *can* contribute. – Mark Buffalo Jan 04 '16 at 15:16
  • Didn't Hacking Team or something like that get hacked and they were holding a ton of zero days? – ford prefect Jan 04 '16 at 15:54
  • So these are legit security issues and my "GFY Firefox, I'm not updating Flash for the 35th time this year" policy is a bad one? Duly noted. – coburne Jan 04 '16 at 17:28
  • A lot of chickens coming home to roost over all the time Flash has been in operation. And 2015 was the year of the big coop cleanout shovel to remove what chickens convert bugs into. Despite that, Flash still is being patched for nasty bugs. – Fiasco Labs Jan 04 '16 at 22:25

2 Answers

I think that the answers you get here are mostly speculations. But the question is interesting nevertheless. I see the following main reasons:

  • Other usual attack vectors like Java or ActiveX were harder to exploit because the relevant functionality was either switched off or layers of interaction were added (i.e. click to play, warnings with unsigned code and similar). Thus other attack vectors need to be found. Since Flash is almost everywhere and known to be buggy, it makes a good attack vector.
  • Adobe fixed known exploits faster and browsers like Firefox or Chrome made sure that you don't use a known vulnerable version any longer. Because of the smaller time frame in which an exploit could be used in public (sometimes a few days only now) more exploits were needed. And it looks like there were always enough new exploits available because lots of money can be made today by developing and selling new exploits.
  • Creating botnets, sending spam, injecting advertisements is a business where lots of money can be made. On the other side, the basic protection from operating system and antivirus got better. This means that more new and unknown exploits need to be used to keep a high infection rate, that is, more zero-day or half-day exploits were used. Money earned this way then will be used to develop or buy new exploits. There is actually a real industry now where some sell or rent exploit kits and keep them up-to-date, others use these kits to transport their own malware, and more just use the services of established botnets to send spam or do DDoS attacks.
Steffen Ullrich

Part of the reason is more people looking for vulnerabilities I think:

Throughout 2015, vulnerability disclosure programs and the security community have been immensely helpful in identifying CVEs. Approximately one-third of our reports this year were via Project Zero alone. Many of these were non-trivial as many of the reported bugs required significant manual research into the platform. With the help of the security community and partners like Microsoft and Google, Adobe has been able to introduce important new exploit mitigations into Flash Player and we are excited about what we are queuing up for next year’s improvements.

Source: Community Collaboration Enhances Flash

null