Flash Player Zero-Day Vulnerabilities: Why So Many Lately?
Even for the vulnerability-troubled Adobe Flash Player, the emergence of multiple Flash zero-days over just a few weeks is unusual, according to a cybersecurity expert. Adobe has reported and issued updates for three zero-day exploits since January.
"It's an odd case," said Karl Sigler, threat intelligence manager for the Chicago-based cybersecurity firm Trustwave. "We haven't seen it before."
While there "could be different things behind it," Sigler said, he added that he suspects the quick succession of zero-days suggests the same perpetrators have been responsible for all three recent exploits.
'A Lot of Redirection'
The recent zero-days launched infections automatically through malicious advertising that legitimate Web sites delivered unknowingly. For example, one Flash exploit tracked by researchers at Trend Micro was traced to ads on the popular video-sharing site Dailymotion.
Delivered through the until-now little-noticed Hanjuan Exploit Kit, the latest Flash zero-day "uses a lot of redirection" but is based on relatively simple code, Sigler told us. While other exploit kits such as Angler feature "extensive logic," the Hanjuan kit is both simpler and "more targeted," he said.
Adobe on Thursday released a number of security updates aimed at the recent zero-days. The vulnerabilities have affected Mac, Linux and Windows (8.1 and earlier) systems running the Internet Explorer or Firefox browsers. The attacks work by redirecting users through a series of URLs until they eventually land on a malicious site where the exploit is hosted. Once a user arrives there, the exploit "could potentially allow an attacker to take control of the affected system," Adobe warned.
Use Gateway Protection and Network Monitoring
Beyond ensuring their systems' anti-malware protections are up to date, users can protect themselves against such attacks in several ways, Sigler said. All the major browsers, for example, offer plug-ins that can control how Flash is deployed on a system. Trustwave also has a secure browsing plug-in that supports a wide range of operating systems, browsers and protocols.
Businesses -- which face special security challenges as a growing number of employees bring their own devices in to work -- can also use Web and anti-malware gateways to block access to online exploit kits and malvertising, Sigler said. Furthermore, he added, "You need to make sure you have excellent network monitoring."
The recent zero-day issues are yet another indication that the days of Flash may be numbered, Sigler added. More sites are now using HTML5 instead of Flash, although the reason for that is more likely to be the native support for HTML5 on mobile devices than security, he said. YouTube recently announced its default video player would be HTML5 rather than Flash-based.
"Flash doesn't have a very good history from a zero-day perspective," Sigler said. "The tradeoff is becoming a little harder to swallow."