Click to Skip Ad
Closing in...

Another unpatchable security flaw proves Flash needs to die

Published Jun 14th, 2016 4:33PM EDT
Adobe Flash
Image: Adobe

Given the endless stream of security vulnerabilities that have continued to plague Adobe Flash for years, it’s almost a surprise that Flash isn’t entirely dead just yet. The latest Flash vulnerability to make waves is a zero-day exploit that was initially relayed to us via a security advisory from Adobe itself. Notably, researchers from Kaspersky Labs helped unearth the exploit.

According to the advisory, the critical vulnerability affects machines running Windows, Macintosh, Linux, and Chrome OS. Or, in other words, everybody. “Successful exploitation,” Adobe notes, “could cause a crash and potentially allow an attacker to take control of the affected system.”

And as if that weren’t worrisome enough, Adobe notes that it won’t have a patch ready to address the vulnerability until later in the week.

DON’T MISS: My 5 favorite new iOS 10 features that no one is talking about

Kaspersky Labs provides us with some additional information regarding the exploit and the groups who have been using it.

Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.

We believe these attacks are launched by an APT Group we call “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

It’s funny to think back to a time when the debate over Flash was actually a hotly contested topic in the tech community. But these days, you’d be hard pressed to find anyone who disagrees with the notion that Flash is effectively on its last legs and should be shown the door, permanently.

Thankfully, though, both Google and Apple are slowly but surely doing what they can to show Flash the door for good. Just this past May, Google laid another brick on the road to Flash obsolescence when it announced its intention to make HTML 5 the default on all websites save for the top 10 websites that still rely upon it.

And just this week, we learned that Apple will also be implementing a move that will place yet another nail in Flash’s coffin. Specifically, Apple engineer Ricky Mondello explains that the upcoming version of Safari in macOS Sierra will have Flash turned off by default.

Mondello’s blogpost on the topic reads in part:

On websites that offer both Flash and HTML5 implementations of content, Safari users will now always experience the modern HTML5 implementation, delivering improved performance and battery life. This policy and its benefits apply equally to all websites; Safari has no built-in list of exceptions. If a website really does require a legacy plug-in, users can explicitly activate it on that website.

By default, Safari no longer tells websites that common plug-ins are installed. It does this by not including information about Flash, Java, Silverlight, and QuickTime in navigator.plugins and navigator.mimeTypes. This convinces websites with both plug-in and HTML5-based media implementations to use their HTML5 implementation.

Of these plug-ins, the most widely-used is Flash. Most websites that detect that Flash isn’t available, but don’t have an HTML5 fallback, display a “Flash isn’t installed” message with a link to download Flash from Adobe. If a user clicks on one of those links, Safari will inform them that the plug-in is already installed and offer to activate it just one time or every time the website is visited. The default option is to activate it only once. We have similar handling for the other common plug-ins.

We’ll let you know once a patch for the latest Flash bug becomes available. In the meantime, you should take a long, hard look at your computer, and have a serious think about uninstalling Flash for good.

Yoni Heisler Contributor

Yoni Heisler has been writing about Apple and the tech industry at large for over 15 years. A life long Mac user and Apple expert, his writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and TUAW. When not analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions.