Flash Player remains target of choice for exploit kits

A recent report finds that six of the top 10 vulnerabilities target Flash Player as cybercriminals take advantage of irregular and slow patching schedules


Clearly, reports of Flash's death are greatly exaggerated, as exploit kits continue to successfully infect victims via unpatched versions of Flash Player. Instead of sounding Flash's death knell, get to patching.

Adobe Flash Player has the dubious honor of being widely popular among exploit kits, as six of the top 10 vulnerabilities used by these crimeware kits targeted Flash vulnerabilities, according to new research from threat intelligence company Recorded Future. Vulnerabilities in Internet Explorer, various versions of the Windows operating system, and Silverlight rounded out the rest of the top 10, the researchers found after looking at 141 exploit kits over a year-long period.

Exploit kits provide cybercriminals with the tools needed to run and manage an attack campaign without needing much programming experience. The criminals simply need to provide the payload -- such as a spam bot, a ransomware sample, or a banking Trojan -- and pay for the software. Prices vary, beginning at $50 a day, $200 a week, or $700 a month for RID, and they go as high as $1,500 a week or $4,000 a month for a Neutrino kit. When a victim visits the web page hosting the kit, the kit fingerprints the victim's browser, installed plugins, and other software on the machine to determine which software vulnerabilities are present and can be exploited.

All of the flaws from the top 10 list have already been patched, and updated versions of the software have been available for a while. Logically, if the majority of the systems were up to date, the exploit kits would not bother attacking those vulnerabilities.

Popular for the wrong reasons

One Flash vulnerability, an easy-to-exploit method confusion flaw (CVE-2015-7645), appeared in no fewer than seven different exploit kits. It was also used by Pawn Storm, a Russia-backed espionage group. The vulnerability affects Flash on Windows, Mac, and Linux systems, which may have something to do with the flaw's popularity with these kits.

The fact that this was the first vulnerability found in Flash Player after Adobe's months-long effort with Google's Project Zero team to add new attack mitigation features to Flash Player may also be a factor. Many of the exploit kits had become ineffective against systems running the newer, hardened versions of Flash. Kits that added an exploit for this flaw were no longer obsolete and were able to get back in the business of compromising systems, even those running the more secure Flash.

"While the vulnerability was patched by Adobe fairly quickly, its ease of exploitation and the breadth of operating systems affected have kept it active," the report said.

In fact, Recorded Future flagged the same Flash vulnerability, the "method confusion" bug, back in the spring as a favorite for several ransomware-spewing exploit kits. Patching three Flash Player vulnerabilities -- CVE-2015-7645, CVE-2015-8446, CVE-2015-8651 -- and a Silverlight one (CVE-2016-0034) "can significantly blunt the impact of ransomware delivered by exploit kits," Recorded Future said at the time.

Patch the flaws being exploited

Users should update Flash, IE, Silverlight, and the operating system promptly. If the software is not in use -- is Silverlight actually needed? -- then removing it reduces the attack surface. Chrome and other major web browsers have started embedding a customized Flash Player inside the browser to make it harder to use malicious Flash files to compromise the user. The Click to Load feature turns off Flash content when the page first loads. Because the user has to manually play the Flash file, it limits exposure to malvertising and other malicious content.

Of course, it would be nice if patching were straightforward and easy, but it isn't. Enterprises have gaps between when security updates become available and when they are applied because IT needs time to test each software configuration to make sure there are no conflicts or issues. Individual users often don't keep up with updates because of the hassle factor. Given this reality, staying ahead of all the patches all the time is a losing endeavor. Instead, IT can reduce the number of successful attacks by prioritizing the handful of vulnerabilities that are being actively exploited over other updates.

Zero-day vulnerabilities generate a lot of excitement because they are new bugs that no one knew about, but the more prosaic reality is that attackers succeed just as well by targeting older vulnerabilities. Cybercriminals don't need to spend money looking for zero-days when there are plenty of systems running outdated and vulnerable versions of software, ripe for the plucking.

Recorded Future's top 10 for 2016 listed vulnerabilities discovered in 2016, with a handful of 2015 ones mixed in. Surprisingly, none of the flaws from the 2015 top 10 appeared in the 2016 list. Vulnerabilities generally have a long shelf life, as much as two to three years, due to inconsistent patching schedules. Kit maintainers regularly update their crimeware tools with new exploits and may cycle out less effective, or older, exploits. The fact that older vulnerabilities didn't make the list doesn't mean the kits aren't still carrying exploits for those flaws. It merely means that kit maintainers are focusing on newer exploits and will still target an older flaw if the opportunity arises.

Update common software regularly to keep up with the security fixes. If business concerns, such as the downtime from having to update or having to reboot the system after installing the patch, make it harder to apply patches on a more frequent schedule, at least plug the holes on the more common attacks. Prioritizing the vulnerabilities currently under attack can reduce the attack surface, at least for exploit kits.
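The prioritization the article recommends, applied to scanner output, as an added example that is not from the article or from Recorded Future: findings are grouped per CVE and ordered so that vulnerabilities carried by exploit kits come first, ahead of flaws that merely affect more hosts. The CVE ids in the feed are the ones the article names; the hostnames, product names and the non-article CVE are constructed.

```python
"""Rank pending patches: actively exploited CVEs first, then widest exposure."""
from collections import defaultdict
from dataclasses import dataclass

# CVEs the article names as carried by exploit kits. In practice this set
# comes from a threat-intel feed or vendor advisories, not a hard-coded list.
ACTIVELY_EXPLOITED = {"CVE-2015-7645", "CVE-2015-8446",
                      "CVE-2015-8651", "CVE-2016-0034"}


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerable product on a host."""
    host: str
    product: str
    cve: str


@dataclass(frozen=True)
class Action:
    """One patch to schedule, with the data the ordering was based on."""
    cve: str
    product: str
    hosts: int
    exploited: bool


def prioritize(findings, exploited=ACTIVELY_EXPLOITED):
    """Collapse findings per CVE and sort: exploited first, then by the
    number of exposed hosts, then by CVE id for a stable order."""
    hosts = defaultdict(set)
    product = {}
    for f in findings:
        hosts[f.cve].add(f.host)
        product[f.cve] = f.product
    actions = [Action(cve, product[cve], len(h), cve in exploited)
               for cve, h in hosts.items()]
    actions.sort(key=lambda a: (not a.exploited, -a.hosts, a.cve))
    return actions


# Constructed scan results (hostnames and CVE-0000-PLACEHOLDER are made up).
SAMPLE_FINDINGS = [
    Finding("ws-01", "Flash Player", "CVE-2015-7645"),
    Finding("ws-02", "Flash Player", "CVE-2015-7645"),
    Finding("ws-03", "Silverlight", "CVE-2016-0034"),
    Finding("ws-01", "Flash Player", "CVE-2015-8651"),
    Finding("ws-01", "ExampleApp", "CVE-0000-PLACEHOLDER"),
    Finding("ws-02", "ExampleApp", "CVE-0000-PLACEHOLDER"),
    Finding("ws-03", "ExampleApp", "CVE-0000-PLACEHOLDER"),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_FINDINGS):
        flag = "ACTIVELY EXPLOITED" if a.exploited else "not seen in kits"
        print(f"{a.cve:22} {a.product:13} hosts={a.hosts}  {flag}")
```

Note that the placeholder CVE affects the most hosts yet ranks last, because nothing in the feed says a kit is using it; that is the trade-off the article argues for.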

Copyright © 2016 IDG Communications, Inc.