Flash-based exploits will go away, but until then, patch!

As Flash becomes marginalized by browser makers, advertisers, and developers, exploit kit makers will have to come up with new methods to deliver malware

Flash-based exploits will go away, but until then, patch!

In the latest Flash Player update, Adobe noted that one of the patched vulnerabilities was being exploited in targeted attacks. While keeping the browser technology up-to-date may feel like a thankless task, the cycle of Flash-based attacks and patches may soon be over. Security researchers predict that by early 2017, exploit kits will no longer be able to rely on outdated versions of Flash Player to infect users.

Exploit kits take advantage of outdated software vulnerabilities in popular applications such as Microsoft Word, Java, and Flash Player to take control of systems. Flash vulnerabilities are the "lowest-hanging fruit" for prominent exploit kits such as Angler and Nuclear to target to get the initial foothold on user systems, Sean Sullivan, a security adviser with F-Secure Labs, said in the F-Secure Threat Report 2015. Once they are on the system, the kits download additional malware and execute commands to carry out the attack. Flash may be the "last 'best' plug-in" for exploits to target, but as Flash usage continues to decline, exploit kits will find it harder to find unpatched versions to target.

"It's at this point that I'll make the following prediction for early 2017 -- once it no longer needs to support Flash-based ads -- the Google Chrome browser will start aggressively forcing users to whitelist sites that require any sort of Flash," Sullivan said. "Mozilla's Firefox and Microsoft Edge will do the same, and by spring of 2017… Flash will be effectively decapitated as far as exploit kits are concerned."

Amazon switched off Flash ads and Google turned off autoplay for Flash-based content in Chrome. Many Web developers have started to use HTML5 instead, especially since most mobile devices cannot play Flash. Even Adobe has acknowledged that Flash is no longer the dominant Web technology and recently encouraged developers to use HTML5.

Starting June 30, display ads built in Flash will no longer be uploaded into AdWords and DoubleClick Digital Marketing, and starting Jan. 2, 2017, display ads in Flash format will not run on Google Display Network or DoubleClick. With those dates in mind, Sullivan's prediction doesn't sound far-fetched after all.

"Everywhere you look, it's [Flash is] being deprecated," Sullivan said in the report.

Even if Flash lingers, the fact that modern browsers are integrated Flash Player updates into their own automatic updates mean more and more users don't have to do anything to keep their software current. Google already handles Flash Player updates for Chrome, as does Microsoft for its Edge browser.

Once this particular low-hanging fruit becomes less valuable, exploit kit makers will have to come up with alternative infection channels. Microsoft software is much more secure than it used to be, Adobe is shifting to cloud-based software, and major browsers force Java into a restricted space with limited privileges, Sullivan said. One potential area for growth is malicious email attachments, especially since macro malware is having a resurgence in popularity.

"Or they may focus on browsers, but then they'll need to find zero-day vulnerabilities," Sullivan said.

Until that wonderful day comes, stay on top of security vulnerabilities by updating Flash Player and other software as soon as possible. In the case of Flash Player, if it's not being used regularly, go ahead and uninstall the plug-in altogether or at least disable the plug-in within the browser.

"Hopefully, [exploit kits] die," Sullivan said. "Wouldn't be the first time that a business model collapsed in the malware scene."

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform