Security Experts:

Flash Flaws Most Common in Exploit Kits: Report

Eight of the top ten vulnerabilities used by exploit kits this year affect Adobe Flash Player, a new report from threat intelligence company Recorded Future shows.

Using its threat intelligence engine, which covers 8 billion data points across 700,000 public, deep and dark web sources in seven different languages, the security firm identified a total of 108 exploit kits, including well known names such as Angler, Neutrino and Nuclear Pack.

A meta analysis of blogs, forums and other websites detailing these exploit kits, unsurprisingly, revealed that Adobe Flash Player is by far the most popular target for exploitation. The Flash vulnerability most commonly used by exploit kits is CVE 2015-0313, a flaw patched by Adobe in February after it was spotted in malvertising attacks involving the Angler exploit kit. Recorded Future reported seeing 410 references of this security hole tied to an exploit kit in 2015.

The second most common Flash exploit is for CVE-2015-0359, a flaw patched by Adobe in April and added to several exploit kits shortly after. Unsurprisingly, two of the top Flash bugs found in exploit kits are ones leaked this summer as a result of the breach suffered by the Italian spyware maker Hacking Team.

The list of Flash Player exploits commonly found in crimeware kits this year also includes vulnerabilities discovered by APT actors, and ones integrated into kits shortly after they were patched by Adobe.

In addition to Flash Player, Internet Explorer also makes the top 10 with a vulnerability (CVE-2015-2419) brought to light following the Hacking Team leak. The last position is occupied by a Microsoft Silverlight flaw (CVE-2015-1671), which was the first non-Flash exploit used by Angler since the second half of 2014 when its authors started focusing on Flash.

While experts have often advised users to abandon Flash Player because the software is plagued by numerous security holes that can be easily exploited by malicious actors, Adobe is not giving up on the product just yet. The company has worked with security experts for the implementation of exploit mitigations, and it has been trying to patch vulnerabilities, especially zero-days, as quickly as possible. More than 15 Flash Player updates have been released this year.

“While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment,” Recorded Future said in its report.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.