Is Adobe Flash still a vulnerability?

Adobe Flash has been popular since it was first released 20 years ago. The freeware was used for a multitude of purposes, including playing games and streaming audio or video files on the internet. For almost two decades, Flash Player has been used to run rich internet applications and view multimedia on the Adobe Flash platform.

However, recent years have not been kind to Adobe: a lot of security flaws and vulnerabilities have been associated with Adobe in the past two years. Things have become so bad that Google no longer runs ads using Flash Player by default, and Firefox also blocks its plug-in. In light of recent events, we take a look at whether Flash Player is now more of a security issue than useful software.

Recent issues in security

Adobe has faced some tough times in recent years because of the many critical vulnerabilities and security flaws discovered in its software. We take a look at the recent ones:

  1. CVE-2015-7645

This vulnerability surfaced around October 2015. News of the threat broke just hours after Adobe rolled out its usual Patch Tuesday bundle of updates. Because the vulnerability was labelled critical, Adobe had to roll out fresh patches to protect its users from exploitation. This critical flaw affected Adobe Flash Player 19.0.0.207 and earlier and was known to affect Windows and Mac systems. The flaw was serious enough that, if it was exploited, the hacker could take over the user’s system and read his or her personal data.

The issue came to light after the Pawn Storm gang attacked a number of users across Europe and in the USA. The gang sent intricately crafted emails to its targets to make them believe that the messages were important. These messages had subject lines such as “Syrian troops make gains as Putin defends air strikes”. They contained tampered Word documents or led the victims to links that hosted exploit kits to infect the user’s system.

  2. Early 2016 security fix for over 77 exploits

Adobe released a new version of Flash Player in early 2016 to fix close to 77 exploits, including stack and buffer overflow, integer overflow, and memory corruption issues that led to code execution. Although these exploits were rated critical, Adobe assured people that there was no suggestion of them being used by hackers to attack users. The critical vulnerabilities addressed in this release affected Adobe Flash Player 19.0.0.245 and earlier on Windows and Mac operating systems. Google itself released a new version of Chrome to update Flash and fix some 7 security issues.

  3. CVE-2016-1019

In the first week of April 2016, an advisory was published stating that a critical vulnerability in Adobe Flash Player, CVE-2016-1019, had been found to affect Flash Player version 21.0.0.197 on Windows, Linux, Mac, and Chrome OS. The flaw was reported to have been actively exploited on Windows XP and 7 systems that were running Flash Player version 20.0.0.306 or earlier. It was also reported that successful exploitation of the vulnerability could cause a crash and even allow the attacker to gain control of the affected system. Flash Player versions 21.0.0.182 and above have a mitigation that prevents them from being affected by this issue.

Conclusion

Adobe has faced heavy criticism from global tech giants. The many security flaws found in the software have caused annoyance and frustration among many technical leaders. Notable people like Steve Jobs and Alex Stamos, Chief of Security at Facebook, have made their criticism of Adobe Flash Player known publicly. Chrome disabled Flash ads and Firefox disabled Flash Player, with many security researchers suggesting that users uninstall it completely.

Although Flash Player is still widely used, people are becoming more and more conscious of the many issues that come with using it. Flash Player is treading on thin ice, with the software now seen more as a liability than a benefit.

 
