General security

Flash Fades, Adobe Crumbles

Infosec Institute
February 11, 2015 by
Infosec Institute

Oh, Adobe Flash. I knew you well, starting from when you were known as Macromedia Flash in the late 1990s. The dynamic web content you provided me was amazing. Streaming video over 56k would've been a major test of my patience, hence YouTube didn't launch until 2005. But the games... Oh, the games! They were fun. Wait fifteen minutes to download, then five minutes of amusement could be had before it got tiring. Webmasters loved the razzle dazzle of Flash applets even more than JavaScript applets for tacky animated menus and the like. Back when websites had "Best viewed with Netscape," or "Best viewed with Internet Explorer" icons on their home pages, some web developers really enjoyed one upping each other in needless Flashiness. "Look ma, this ain't GeoCities no more!"

 

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

As web developers started to emphasize function over gimmickry, they started to focus their energy on interesting and useful web apps and streaming video as opposed to taking the sentiment behind the old HTML <blink> tag way too far. With Flash, the possibilities seemed endless. If you could make a very good SWF applet, people really appreciated it, especially once most people had Flash plugins in their web browsers. And of course, Flash was necessary for YouTube. YouTube launched the same year Adobe bought Macromedia, 2005. YouTube was such a phenomenon that Google had the good sense to buy it a year later.

Adobe is good at developing creative tools, however proprietary they are. What they're not good at is security. No bloody way! Security bugs are inevitable in all applications from developers both big and small. But, they're way more common in Adobe Acrobat and Adobe Flash than is typical for similar applications. One of the things I habitually do in my security hardening routine for both personal and professional client PCs is uninstall Acrobat, and replace it with another PDF viewer, such as Foxit Reader, when the machine I'm working on runs Windows. Even though the end user doesn't realize that I've given them a more secure application to open PDFs in, they always appreciate how their new application patches without popups, and gives them a better designed GUI, better in-browser functionality, and an overall better user experience.

I'm really happy to be able to say that now I can do the same thing to Flash as I do to Acrobat. Except, I don't have to install another application to replace it. All I've got to ask an end user is, "do you ever go to YouTube?" They've always said yes.

The really computer illiterate end users don't know what Flash is, nor do they know that they sometimes view YouTube videos as an embedded applet on a webpage that's not hosted at youtube.com. Asking them if they enjoy other websites that use Flash is an exercise in futility. "Huh? Do I use Google or Foxfire?" (Why oh why do they call Firefox "Foxfire?" Explaining to them the difference between the Google search engine and the Google Chrome web browser has made me ruin my manicures here and there.) But I could usually assume that they needed Flash for YouTube most of the time. A few years ago, they really needed it for games in Facebook, as well.

The first nail in the coffin was mobile. The late Steve Jobs, although I strongly dislike the guy, was correct when he said, "Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it."

Although Adobe really wanted to port Flash to mobile platforms, that effort was never successful. It was never available for iOS. It was available at times for Symbian, Palm OS, and webOS. It was available for some devices running Android versions 2.2 through 4.0.4. It never really seemed to catch on, once smartphones and tablets became the primary way for consumers to enjoy content from the Internet.

W3C started working on HTML 5 in 2004. It was usable for me to play around in starting in 2010. But I'm more of a web page developer than a web app developer, so my web development was focused on standards compliance and cross browser and device compatibility rather than creating nifty things with the canvas element. Nonetheless, the introduction of the <video> tag made it a lot easier to embed video without Flash than ever before. And other new tags and functions in HTML 5, combined with sophisticated CSS and JavaScript use, rendered Flash unnecessary for dynamic apps, as well.

HTML 5, when used by a competent developer, works just as well on mobile as it does on desktop platforms, and that was apparent well before HTML 5 became officially stable on October 28th, 2014. In fact, I can't think of a more successful and widespread beta release off the top of my head. Unless you directly worked in web browser and engine development, October 28th would've been just another Tuesday.

Adobe announced that they had given up on developing Flash for mobile in November 2011. That well predated HTML 5's stable release.

In addition to games and other web apps using open standard alternatives to Flash, YouTube started to make HTML 5 compatible videos available in January 2010, via WebM and H.264. Also, there are native mobile apps for watching YouTube videos outside of the web.

So, the thorough acceptance of cross platform open standards, especially HTML 5, combined with everyone and their grandma using mobile devices and Adobe's struggle with it, sealed Flash's doom.

Then, on January 27th of this year, YouTube announced that HTML 5 video is now default in Chrome, Internet Explorer 11, Safari 8, and the latest Firefox releases. If your browser uses one of the same rendering engines, such as the latest stable versions of WebKit and Trident, you'll probably experience the same.

A Brief Summary of Adobe's Security Problems

This is by far not a complete summary of all of the security problems Flash (and Acrobat) has had, but I'll explain some of the major ones.

In 2007, an Adobe (Acrobat) Reader bug exposed the local filesystems of users' computers to anyone who knew how to exploit it.

Trojan Adobe Flash Player and Reader updates started to become prevalent in 2008. It's been such a problem that when I see an update popup on a user's machine, I assume it's malicious until I determine otherwise. So, that's been a huge problem for consecutive years now. How come all kinds of other applications, open and closed, from developers of all sizes can patch without popups users have to interact with, but Adobe can't manage to do that? That's a massive trojan vector, and there are two disastrous sides to that coin. The vast majority of end users lack my expertise, particularly in malware. A Flash or Reader update popup could be a trojan. Sometimes end users have had experience with Adobe trojans already, so someone like me may have advised them to exercise caution when they see such a popup. But the popup could necessitate interaction for a legitimate and very necessary security patch. So with end users unable to determine whether or not a popup is a trojan, not interacting with it could be the less secure rather than more secure thing to do.

In 2009, Symantec's Internet Security Threat Report explained how Adobe, with Flash and Reader, had one of their most insecure years ever. Adobe's Chuck Geschke was tremendously arrogant when he was interviewed by John Paczkowski about that.

Paczkowski: "Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?"

Geschke: "I think they're old news. Go to our website and read the actual facts about Flash. We enumerate the facts about Flash there as we see them. They may have a different set of facts that they believe are accurate. It's up to you to decide."

Ummm, Mr. Geschke... Facts are never subjective by their very definition. Facts are facts, period. You sound like a bloody Scientologist. "Today, I feel like 2 + 2 = 5. It just feels right to me, but your mathematics professor may have a different set of facts they believe are accurate."

Here are the facts. This is what Symantec's 2009 report actually said, and I hold them in much higher esteem than I do Adobe:

"In 2009, Symantec documented 321 vulnerabilities affecting plugins for web browsers. ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plugin technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox...

"Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan."

Ouch! And Adobe's position as one of the most insecure major software vendors ever didn't cease in 2009. It still isn't "old news," Mr. Geschke.

Malicious PDFs were used to sucessfully attack Rackspace, Adobe, and Google in 2010.

A remote access bug was discovered in Flash in 2011. When properly exploited, one could acquire full control of an affected client machine.

Flash Player made it to the top of Symantec's list of most exploitable plugins in 2012.

In October 2013, Adobe was attacked, revealing the sensitive data of 2.9 million users. The sensitive data affected included credit card and debit card information.

The same day, YouTube announced default HTML 5 video, January 27th, 2015, Adobe had to release a security patch for two really major Flash vulnerabilities.

Independent security researcher Kafiene discovered vulnerability CVE-2015-0311. It allowed Flash to be used as a vector for malicious code injection which could, once again, give complete control of an affected machine to a blackhat.

A security researcher named Bilou discovered CVE-2015-0312. It was very similar to CVE-2015-0311, it also enables remote code injection.

And of course, with Adobe being Adobe, barely a week passed before fifteen vulnerabilities had to be addressed in a patch that released on February 5th. Yet again, these vulnerabilities enable remote malicious code injection and execution.

If you're still using Flash in Windows, OS X, and GNU/Linux, this is what you must know about eighteen additional CVE listings:

  • "Users of Adobe Flash Player for Windows and OS X should update to Adobe Flash Player 16.0.0.305.
  • Users of Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269.
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442.
  • The Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305."

I can safely assume that we'll continue to learn about really major vulnerabilities that pertain to Flash and Reader for as long as those products continue to be developed by Adobe. I base that assumption not only on Adobe's reputation and their tendency to take a head in the sand approach to security, but also on Adobe's patch management style. Their patches address vulnerabilities that are near the surface of their applications, rather than the really deep vulnerabilities at the center of their really old code bases. Way too much of the code is unchanged from the 1990s. I'd love for a security firm with much greater resources than I have to do a really thorough penetration test of the most recent versions of Flash and Reader for Windows, OS X, and GNU/Linux. The reported findings would probably require a forest's worth of pulp if printed on paper.

So, yes, security vulnerabilities can be found in products from all developers. But Adobe is much worse than the norm.

Alternative PDF viewers and creators are available for pretty much all mobile and desktop platforms. And open web standards such as HTML 5 have made Flash obsolete. Heck, I even use GIMP instead of Photoshop.

Here's my advice. Whether you're enterprise or a consumer, get Adobe out of your abode. Now you can do it for content creation and consumption. And it's easy.

References

Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched- Shaun Nichols, The Register

http://www.theregister.co.uk/2015/02/05/adobesighpatches_anothersighflash_zeroday_vulnerability/

YouTube flushes Flash for future flicks- Simon Sharwood, The Register

http://www.theregister.co.uk/2015/01/28/youtube_flushes_flash_for_future_flicks/

YouTube now defaults to HTML 5 <video>- Richard Leider, YouTube Engineering and Developers Blog

http://youtube-eng.blogspot.com.au/2015/01/youtube-now-defaults-to-html5_27.html

Another day, yet another Adobe Flash patch. Because that's how we live now- Iain Thomson, The Register

http://www.theregister.co.uk/2015/01/27/adobe_issues_second_emergency_flash_patch_this_month/

Adobe has an epically abysmal security record- Jose Pagliery, CNN Money

http://money.cnn.com/2013/10/08/technology/security/adobe-security/

Adobe says hackers accessed data for 2.9 million customers- James O'Toole, CNN Money

http://money.cnn.com/2013/10/03/technology/security/adobe-hack/index.html?iid=EL

Thoughts on Flash- Steve Jobs, Apple.com

https://www.apple.com/hotnews/thoughts-on-flash/

Why You Should Ditch Adobe Shockwave- Brian Krebs, Krebs on Security

http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/

YouTube says HTML5 video ready for primetime, makes it default- Ron Amadeo, ArsTechnica

http://arstechnica.com/gadgets/2015/01/youtube-declares-html5-video-ready-for-primetime-makes-it-default/

The tooth gnashing you hear is from Flash users installing a new 0day patch- Dan Goodin, ArsTechnica

http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/

How secure is Flash? Here's what Adobe won't tell you- Ed Bott, ZDNet

http://www.zdnet.com/article/how-secure-is-flash-heres-what-adobe-wont-tell-you/

Adobe issues emergency Flash update for Windows and Mac- Dara Kerr, C|Net

http://www.cnet.com/news/adobe-issues-emergency-flash-update-for-windows-and-mac/

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.