
Over the last couple of years, Adobe has published Flash bug fixes for (zero-day) exploits so often that the installation is already annoying. But why are exploits so often found in this particular software?

One obvious reason: as with all widespread software, Flash is one of the most widely used programs and therefore a prime target for criminals, intelligence agencies and others.

But I also think that the software engineers at a company like Adobe aren't unskilled and don't try to minimize attack vectors.

user3147268

2 Answers


Adobe Flash is 21 years old (it started as FutureWave's SmartSketch). Over the years it has had to deal with many different OSes, standards, and all the quirky restrictions they brought along with them.

Most of the work done on Flash is aimed at keeping it up-to-date with the latest technologies, adding more and more features over time. This doesn't leave much time for reviewing old code for potential security issues.

Combining these two factors gives a perfect recipe for long-lasting bugs buried deep in the code.

ztk

Adobe Flash Player is written in an unmanaged code language, vulnerable to the following commonly cited vulnerabilities:

  • Heap-based buffer overflow
  • Use-after-free vulnerability
  • Integer overflow
  • Stack-based buffer overflow
  • Double-free vulnerability
  • Unspecified "type confusion"
  • Crafted format-string argument

Typically, unmanaged code is also subject to a deep or enriched data flow and control flow. The deeper security researchers look into the code paths, the more memory-trespass vulnerabilities will be uncovered. Flash Player has a very deep control flow, making lots of decisions and invoking a lot of situational factors, adding to its complexity.

The state of the art in memory-trespass vulnerabilities is continually updated by security researchers. In recent years, ROP chains have made exploit development an easier and broader process. Tools and techniques increase exponentially as more dedicated security researchers are recruited by increasingly larger and more powerful organizations. Take this Libformatstr blog post from just the other day, where the researcher released a new framework to simplify the process of exploit development. It's an example of the explosive, novel research going on in the exploit development camp.

For these reasons, and the cross-pollination of Flash exploits into Exploit Kits found in Traffic-Distribution Systems, especially via Domain Shadowing, I update Flash Player through Chrome and deliberately turn it off (i.e., chrome://plugins, disable), turning it on only for known-good destinations such as IT systems under my or my org's control. Java applets have had a similar history to Flash Player, which has caused Chrome to permanently discontinue support for these applets -- I expect that Flash applets will soon follow.

atdre
  • But you know that unmanaged code does *not* automatically mean that it has any of the listed problems (or any at all), and that using "managed" languages prevents nothing? (JRE etc. etc.) – deviantfan Jul 09 '15 at 02:10
  • @deviantfan: Yes, but of the list I gave above, only integer overflows affect managed languages. The others do not, yet you see them in that link of commonly cited vulns for Flash Player very, very often. – atdre Jul 09 '15 at 14:24
  • What I wanted to express with "JRE etc." is that all of them exist a layer below the program itself. Adding another layer over native programs doesn't mean that everything below is fine. And it's very, very unlikely that something of the size of Oracle's JRE has no bugs. – deviantfan Jul 09 '15 at 17:54
  • There are a lot of managed languages besides Java. In fact, I agree with you, the JVMs have way too many bugs. I said "managed language" and you jumped to Java, not me. My original answer even cited that Chrome had done away with Java applets, a good move on Google's part. – atdre Jul 10 '15 at 18:02
  • Java was just one example. It's not different with C# or anything else. *Every* program of a certain size can/will have bugs. – deviantfan Jul 10 '15 at 18:13
  • Yes, and managed languages provide an easier ability to understand and "manage" the data and control flows, which was my second point. Load 30 of the top FOSS projects from all 25 supported programming languages into SonarQube, doxygen, or Understand and see what I mean -- the unmanaged languages will have a deeper set of flows and complexities to them. Yes, sir, all will have bugs. I am not new to app development with 21 years under my belt -- I did not claim as much before. – atdre Jul 12 '15 at 15:27
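The integer-overflow-into-heap-overflow pattern from atdre's list above, shown as an added C example that is not code from the answer, the comments or Flash Player itself; the record layout, ELEM_SIZE and the sample buffers are constructed for illustration and mimic the length-prefixed records a binary parser has to trust.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record layout for this example (not a real SWF structure):
 * a 4-byte little-endian element count followed by count * ELEM_SIZE bytes. */
#define ELEM_SIZE 16u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The size computation as commonly written in 32-bit parsers: the multiply
 * wraps, so a count of 0x10000001 yields 16 bytes instead of 4 GiB. Passing
 * that to malloc() and then copying count elements is a heap overflow. */
uint32_t payload_bytes_unchecked(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened parse: reject counts whose byte size would wrap, and reject
 * records whose declared payload exceeds the bytes actually present.
 * Returns 0 and sets *payload_out on success, -1 on rejection. */
int parse_record(const uint8_t *buf, size_t len, size_t *payload_out) {
    if (len < 4) return -1;                        /* header truncated */
    uint32_t count = read_le32(buf);
    if (count > UINT32_MAX / ELEM_SIZE) return -1; /* count * ELEM_SIZE would wrap */
    size_t bytes = (size_t)count * ELEM_SIZE;
    if (bytes > len - 4) return -1;                /* payload longer than input */
    *payload_out = bytes;
    return 0;
}

/* Constructed inputs: a valid 2-element record, a record whose count wraps
 * the multiply, and a record that declares more payload than it carries. */
const uint8_t SAMPLE_GOOD[4 + 32]  = {0x02, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_WRAP[4 + 16]  = {0x01, 0x00, 0x00, 0x10};
const uint8_t SAMPLE_SHORT[4 + 16] = {0x02, 0x00, 0x00, 0x00};

int main(void) {
    size_t bytes;
    printf("unchecked size for count 0x10000001: %u\n",
           payload_bytes_unchecked(0x10000001u));
    printf("good:  %d\n", parse_record(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &bytes));
    printf("wrap:  %d\n", parse_record(SAMPLE_WRAP, sizeof SAMPLE_WRAP, &bytes));
    printf("short: %d\n", parse_record(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &bytes));
    return 0;
}
```

The wrapped multiply is the one bug class in the list that a managed runtime does not catch for you, which is why the bounds check against the remaining input length matters in either kind of language.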