Latest Bug for Adobe Flash the Nail in the Coffin?

Latest Bug for Adobe Flash the Nail in the Coffin?

Could the most recent bug spell death for Adobe Flash? Will Adobe Flash live to see 20? Version 20 that is. Well the only way to ensure your system is protected is to remove it. That is a sound indication of death. Adobe is planning on releasing a new version of Flash on October 16 according to the CVE-2015-7645. The vulnerability “if successfully exploited, ‘could cause a crash and potentially allow an attacker to take control of the affected system'” (Endgadget). Per BGR “every version of Adobe Flash Player on Windows, Mac and Linux is affected.”

Trend Micro warns of this vulnerability and has already developed some sample email subjects used to exploit the software and states that the Adobe Flash zero-day affects at least Adobe Flash Player versions and Examples include:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

Most exploitation seems to be coming from a single source according to Raw Story. “The Pawn Storm group, which targets high-profile political targets in countries like the U.S., Russia, Ukraine and the U.K., has been linked to the Russian government, but without conclusive proof due to the technical difficultly of attribution in cyberattacks. ” The problem with tracking these attacks is the deletion of logs or spoofing of IP and/or MAC Addresses. This makes tracking the attackers steps near impossible.

Our Analysis

This certainly creates chaos within the tech community. Adobe Flash is widely used and for streaming online programs and websites in a manner that does not particularly allow for a quick fix. Several protocol, software, and coding changes would have to occur to enable Flash’s true death.

Flash has long been seen by security researchers as a major security risk and most advise users to disable it altogether. However, despite its numerous issues, Flash persists and many popular websites, including HBO, Spotify and the BBC still require users to have Flash enabled for their desktop sites to work properly — giving hackers a big attack surface to compromise users.(Raw Story)

We tend to agree with CNET‘s sentiment: “Citing Flash’s poor track record with security, some researchers recommend Web users disable or remove the plug-in altogether.” This is consistent with minimizing a computer and/or organization’s software footprint. The less software installed, the fewer the opportunities attackers have in exploiting software. This is known as minimizing the attack surface. While minimizing the attack surface is not a 100% solution, it certainly helps, especially when combined with disabling unnecessary services, ports, and protocols and using strong passwords. Another vital step to take to head this exploit off at the proverbial pass is user awareness training. Train your users to look for the subject lines mentioned above and similar ones, they should be vigilant. We can help you with training here.

Similar Stories:

Cyberwar Begins New Arms Race

When will Flash stop being the exploit of choice?

Uninstalling this software is the only way to protect your computer and your valuable data, and there are other, better, safer ways to enjoy content on the web. This site offers links to disable Flash in every web browser you have (Tech Insider).

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.


Trend Micro Blog
Raw Story

Enter your email address:

Delivered by FeedBurner

Subscribe to our mailing list

* indicates required


About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.