Adobe Flash Player Vulnerabilities
Zaharia (2015) states that over 3 million developers use Flash to create interactive content. Flash is primarily used to display text, graphics, and animations for video games and applications; it also allows audio and video streaming, and it can capture mouse, keyboard, microphone, and camera input. Flash is deeply integrated into web browsers and is used in 11% of the world's websites. As of 2015, Adobe reports that more than 500 million devices, 20,000 apps, 400 million connected desktops, and 24 of the top 25 Facebook games all use Flash, making it a very popular target for attackers. Attackers favor Adobe Flash because of its widespread use and the seemingly endless string of vulnerabilities that are constantly being discovered. Flash security vulnerabilities have sharply increased since 2005. In 2015 there were 90 Flash security vulnerabilities reported, with 16 of those classified as critical. A breakdown of the types of vulnerabilities found is as follows:
- 32 vulnerabilities that allowed DoS attacks.
- 68 vulnerabilities that allowed code execution from malicious sources.
- 17 vulnerabilities related to buffer overflow.
- 28 vulnerabilities related to memory corruption.
- 13 vulnerabilities that allowed attackers to gain information from victim computers.
The sharp rise in Flash vulnerabilities has been attributed to Flash growing larger as functionality is added, which in turn increases its popularity with developers. The larger Flash becomes, the more bugs appear, resulting in more vulnerabilities. When vulnerabilities are discovered, Adobe usually releases a patch fairly quickly, but Flash is a seemingly unending source of zero-day exploits for attackers to focus on, meaning that many attacks go undetected until it is too late for many users (Zaharia, 2016).
Until recently, Flash was the platform of choice for interactive content, but developers can now get much of this functionality using HTML 5. HTML 5 is gaining in popularity, but Flash remains the market leader and go-to solution for interactive applications (Zaharia, 2015).
At the time this article was written, the most recently identified Flash vulnerability had been designated CVE-2016-7855 by the National Vulnerability Database. It affects Adobe Flash Player before 126.96.36.199 on Windows and OS X, and before 188.8.131.523 on Linux. This is a “use-after-free” vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors, and it has been confirmed as exploited in the wild as of October 2016 (CVE-2016-7855, n.d.).
Leopando (2016) reports that Adobe has released a Flash update that fixes this vulnerability. This update brings the current version of Flash to 184.108.40.206. Flash's update mechanisms will either install the update automatically or prompt users to do so. Versions of Flash that are integrated into Google Chrome and Microsoft Edge/Internet Explorer will receive updates via the update mechanisms of those browsers. For Adobe Flash Player for Linux, the current version is 220.127.116.113.