When exploit stories hit the internet, it is usually done by a small group of blogs and heavy tech-based websites but the mainstream media tends to overlook the story because it is not sexy. Although, the stories become increasingly sexier when those media outlets learn that they affect nearly every media player out there including YouTube that runs a flash-based player.
You may have heard of this Flash Zero-Day exploit that is supposed to bring about the end of the world, but many people do not have any idea where this came from. The problem is that it came from a hacking of a group ironically called Hacking Team. This group is an Italian surveillance software company that is accused of selling spying software to government and intelligence agencies. It is rumored that the United States is one of their customers.
When the hacking was reported, it was taken with a tongue-in-cheek approach but overlooking that hundreds of gigabytes of data was stolen and eventually leaked into the wild on the internet. Since then, it became clear that a zero-day exploit had been discovered in Adobe’s Flash Player. This is the foundation in many online videos and games on the internet.
What made this very scary is that Adobe actually confirmed the vulnerability and released an advisory. According to TrendLabs, “This advisory also confirms that this flaw has been assigned a CVE number, CVE-2015-5119. Adobe’s bulletin also confirms that all versions of Flash Player in use today are potentially vulnerable.” That meant any operating system running Flash in Windows, Mac OS and Linux.
Shortly after the exploit was exposed, Adobe released a patch but the issue did not stop there. After patching the original exploit, it was discovered that a “Use-After-Free() programming flaw (CVE-2015-5122) which is similar to the CVE-2015-5119 Flash vulnerability patched last week and allows an attacker to hijack vulnerable computers,” according to Thehackernews.
According to ArsTechnica, on Tuesday, a third exploit was discovered over the weekend to which Adobe is releasing another patch for that. All three critical vulnerabilities are present in Windows, Mac OS X and Linux. One of them, according to Ars, “was potent enough to pierce the vaunted Google Chrome security sandbox, most likely because it was combined with a separate privilege-escalation exploit for Windows.”
It is recommended that all users update their Flash software. If you are unsure if you received the update, go to their website and install it again to be sure. As a precaution, Firefox has blacklisted Flash on their browser requiring you to give it permission to show Flash-based video. However, when you give the browser permission it warns you that you could be open to a possible threat.
Since then, the debate between Flash and HTML has resurfaced with the security head of Facebook saying that Flash needs to be done with. While many people consider his point to be pointless, given that the world does not listen to a Facebook security head, it does reinforce the point that Adobe has to improve their player to something new.
As the exploit appeared on the scene, it should make Adobe wonder why they have not moved away from Flash since the mobile market moved to HTML, especially since iPhone users have not used it in many years. This could spur the company to stop sitting on their hands and actually make something better or someone else to come forward with a great alternative. After this debacle, you may have more companies looking to move away from Flash as quickly as possible.