Hacking Team incident prompts calls to retire Adobe Flash


Use of Adobe Flash is on the decline. Now security experts are calling on Adobe to end support of the technology.

In-brief: Adobe’s Flash technology may end up being the highest-profile victim of the attack on the software arms dealer Hacking Team, as news of that group’s reliance on Flash vulnerabilities prompts calls for Adobe to permanently retire the web-enhancing technology.


On Sunday, Alex Stamos, the Chief Security Officer at Facebook, became the most prominent figure to call on Adobe to set an “end of life” date for Flash – a move that would almost certainly hasten an already fast and widespread migration away from the bug-prone technology.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Stamos said via his Twitter account (@alexstamos) on Sunday. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.” A killbit is a feature of modern web browsers that allows browser makers to instruct the browser not to load a specific piece of software, such as a plugin.


Stamos’s comments follow revelations stemming from the “doxing” of the firm Hacking Team, including the release of hundreds of gigabytes of e-mail correspondence and source code for the firm’s software tools.

The leaks revealed the proprietary exploits that Hacking Team built into its software tools to allow them to compromise fully patched systems. Among other things, the hacking toolkits sold by the firm included exploits for a number of previously unknown vulnerabilities in Flash.

As reported by The Security Ledger, they include CVE-2015-5119, which affects Windows, Linux, and Apple products. Successful exploitation can result in a crash and remote access to the infected machine. Adobe has said it is working on an emergency patch, which could come as early as today. Another Flash Player vulnerability disclosed in the Hacking Team breach, CVE-2015-0349, had already been patched.

Security firms, including Trend Micro, subsequently built on the revelations from the Hacking Team leak to discover other, related vulnerabilities in platforms like Adobe Flash. As Trend Micro reported on Monday, a third remotely exploitable hole, CVE-2015-5123, was discovered based on intelligence gleaned from the Hacking Team leak.

Adobe Flash is a frequent source of exploitable vulnerabilities because it is widely deployed on the Internet, powering sophisticated user interface features on web sites. Prior to the hack of Hacking Team, Adobe issued critical patches for Flash in January, February and June of 2015. According to one recent survey, Flash is used by just over 10 percent of all web sites, a figure that has declined from close to 15 percent over the last year.

Apple was among the first to move away from the technology in 2010, when then-CEO Steve Jobs indicated that newer versions of iOS, its mobile operating system, would not support Flash because of poor security and excessive power consumption.


5 Comments

  1. Give me a break

    While I’m not the biggest fan of Flash from a security perspective, I’m curious what it is he is intending to push instead? HTML5? That has its own set of problems, and a WHOLE lot of privacy issues. Luckily for Facebook, of course, that benefits Facebook’s ever-gawping data maw.

    I’ll take NoScript and click-to-play over HTML5 any day. If he wants to argue anything about Flash that needs to be changing (and I agree some change could do us well), how about an industry-wide ban on third-party Flash ad inclusion. Or any Flash ads. That’s where most of the drive-by evil goes on, anyway. If you wanna get really pedantic, people might want to consider running checksums regularly on their internal flv/swf files too, just to be safer. But of course if your website’s owned, there’s a plethora of other driveby exploits to use, too.

    But we get it. You wanna be Mr. Man in your new job, Alex.

    How about being Mr. Man by creating actually beneficial privacy principles and protecting YOUR users instead, hmm?

  2. Give me a break

    BTW… I notice Alex Stamos isn’t advocating for informing vendors of security issues — which was of course the only way his ‘example’ could be all fire and brimstone anyway — no VUPEN-like companies, no buying 0day, no stockpiling 0day, no unpatched bugs… It’s clear he’s siding here with companies who buy and stockpile exploits instead of addressing one of the biggest problems in the industry: known bugs that people basically get paid to find and often paid again for as long as they are NOT fixed (like incentives). There needs to be a new word JUST for these sorts of bugs, because 0-days being held by wannabe ‘whitehats’ isn’t ‘whitehat’ behaviour.

    So if you don’t want to help your own users, maybe you can rage against that instead. Look, another root cause that doesn’t have anything to do with the base technology. I didn’t even bring up the other dozen or so. The next I’d mention was that OPM couldn’t even secure its own machines or get its own employees (who can’t code but code evil things anyway) to pick proper passwords for machines they can’t properly admin. I don’t see you mentioning how nice it’d be to have Android actually, you know, have rolling security patching either — or any of the other ways that HT’s despicable ‘software’ got in. Or hey, Alex, why don’t you talk about BGP. I might even get behind it if you talked about how BGP needs to go away or be fixed. I just want to keep going, but I was wrong — it’s not a dozen or so. It’s dozens. And you don’t care anyway.

  3. Give me a break

    Sorry, not OPM in that ‘OPM couldn’t even secure its own machines’. I meant ‘HT couldn’t even secure its own machines’. Though OPM clearly couldn’t do that stuff either.

  4. Give me a break

    Also, his little ‘killbit’ idea is just so smart and knowledgeable. Seriously, let’s just, you know, get rid of stuff we can’t access next. History doesn’t matter. Who needs all that terrible content, anyway? Who cares about the past? Why, we can just make all new content and replace that old stuff, and the stuff no one remakes can just die in a fire. I mean it’s just culture anyway, right? It’s not like it has any real value.

  5. I think we should retire Adobe as a whole.