8 of the 10 Top Security Flaws Used By Cyber-Criminals This Year Were Flash Bugs

An anonymous reader writes: Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Angler is currently the most popular exploit kit, regularly tied to malware including Cryptolocker. Vulnerabilities in Microsoft's Internet Explorer and Silverlight are also major targets. All of these are the conclusions of a Recorded Future report.

Newgrounds

[tepples]

Any sites that require [the Flash Player plug-in] tend to be either Eastern European (dodgy porn) or very old.

I'm not sure what you mean by "very old". Do you mean "established long ago" or specifically "not updated in years"? In which sense are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff "very old"?

Re:

[ArsenneLupin]

I'm not sure what you mean by "very old". Do you mean "established long ago" or specifically "not updated in years"? In which sense are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff "very old"?

What are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff? Do we have to know them?

Re:

[tepples]

Archives of classic vector animations created before HTML5 had support for <canvas> and <audio>.

Re:Can windows PC runs without Adobe Flash?

[hcs_$reboot]

Likely difficult. Windows 10 seems to be written in Flash

Re:

[deviated_prevert]

Likely difficult. Windows 10 seems to be written in Flash

No this [youtube.com] is the first good version of windows that was written in flash. Now it only runs on HTML5 and is as good as ever.

Re:Can windows PC runs without Adobe Flash?

[JaredOfEuropa]

When I last replaced my PC, it was a good while before I felt compelled to install Flash on it again. These days, very few sites require it, even the dodgy Eastern European porn sites and equally dodgy advertising rings seem to have shied away from it. I have Flash installed but the browser is set to block it unless specifically allowed. The last time I activated Flash was to watch a news program on some local TV channel's site.

Browser break, escalation, and VM escape?

[tepples]

In order to spoil such a research project, a site would have to find an exploit that busts out of not only the browser but also the user account and VirtualBox.

Re:

[Megane]

See if you can set your browser to require click-to-start for Flash. This ought to get you past most of this Flash malware shit, plus all the annoying Flash ads, while still letting you run the rare thing that still needs it. Now that Youtube can be used without Flash, there's no real need to let it run automatically.

Re:

[Joce640k]

Has anyone tried running a PC without Adobe Flash?

Can that PC be used to surf the Net?

Any suggestion would be very much appreciated !

Assuming you have a proper web browser: You can get plugins that stop flash from running automatically. That's almost the same thing as "no flash".

And the rest we're probably Jave, Acrobat, and OS

[msimm]

I uninstalled Flash about 4 months ago. Guess what...the web still works. Even the questionable video sites I use work (or at least > 50%, which is enough). Sites that insist on requiring flash in 2015 probably haven't been relevant since 2010. Sites that require wonky plugins had better be for work and get relegated to a Microsoft browser product I don't use for anything else.

Re:

[msimm]

Also, were/we're. Sue me. It's the vodka.

Re:And the rest we're probably Jave, Acrobat, and

[GNious]

In a world where Flash is not required for any functionality, and where it has been a known security risk for a long while, websites that require it are either painfully incompetent, or malicious - feel free to remind hostmasters of this.

Re: And the rest we're probably Java, Acrobat, and

[msimm]

Either abstract it, contain it, or visualize it. Using a poorly maintained platform for the games doesn't mean you have to use it for everything.

Re:

[tepples]

Is there a reason you can't play tower defense in Flash Player in Firefox in Xubuntu in VirtualBox?

Re:

[GNious]

Eating my own dog-chow: https://twitter.com/GNious/sta... [twitter.com]

Feel free to retwat it at people who need to stop using Flash :)

Re:

[drinkypoo]

Feel free to retwat it at people who need to stop using Flash :)

I only retweet when someone is saying something clever, and preferably when someone knows who they are. Suggesting that something you said is quotable proves that it isn't, because who would want to quote someone like that?

Re:

[Zero__Kelvin]

"Suggesting that something you said is quotable proves that it isn't"

That has to be one of the most absurd assertions I have seen in quite some time.

Re:

[antdude]

My former and current employers still use Flash, Java, Silverlight, etc. :/

Re:

[gweihir]

Same here. Using flash these days is gross negligence.

Re:

[antdude]

What about those Flash games, interactive http://homestarrunner.com/ [homestarrunner.com] etc.? :P

VMWare - when are you getting rid of it?

[shocking]

Crying shame that you need it for consoles and the like.

Re:

[_defiant_]

If you've ever used VMware Server 2 you wouldn't be eager for their pure HTML interface. At least the flash one works...

Re:

[shocking]

I suspect that you are right - I just want to be able to administer stuff from a HTML5 browser running anywhere.

Your money needs an Ally

[tepples]

Have you tried switching from your Flash bank to an HTML5 bank such as Ally or Schwab?

Why is online banking dumb?

[tepples]

Seems like a dumb idea to use a bank that isn't physically located near me.

Are you referring to getting money into a bank not physically located near you, to getting money out of a bank not physically located near you, or to some other use case I haven't thought of?

As for getting money into a bank not physically located near you, you can have direct deposit of your paycheck or other ACH transfers sent to any bank. Personal checks can be mailed or in many cases deposited using an iOS or Android device with a rear-facing camera [ally.com]. Cash can be spent locally; I'll often dump cash into

Re:

[tepples]

So you recommend using two banks?

Only for about a month while you are switching to only an online bank.

many banks reimburse for ATM fees. Or you can get cash back with a purchase at any retailer that takes EFTPOS cards.

My bank charges me extra for ATM fees.

Dump it and switch to an online bank that charges no out-of-network fees and reimburses ATM operators' fees, like Ally or Schwab. Or get cash back at Walmart or wherever.

We can go without

[BlackDesign]

There are multiple platforms not using Flash. Look at Apple's Ipad. By default no Flash on this device and still you can visit 99% of the websites (even video content). Its just the developers that need to turn their heads on it, and start using alternatives.

Re:

[azav]

It's* just the developers

        it's = it is

Learn this.

Re:

[tepples]

In your theory, once PC desktop is killed off, with what tools will people develop HTML5 apps?

Flash Bugs running on Microsoft Windows ..

[nickweller]

"8 of the 10 Top Security Flaws Used By Cyber-Criminals This Year Were Flash Bugs"

Bugs in an application can only be exploited by defects in the underlying Operating System

Re:

[Anonymous Coward]

That's the most ridiculous and unqualified statement on bugs I've ever read.

What happens if an application allows for arbitrary code injection and execution due to a buffer overflow bug? Injected code could easily wipe all your user space files by using standard file io operations without ever doing anything that can be construed as exploiting defects in an underlying OS.

Name one OS that can't be "exploited" in this fashion.

Lack of thorough support for jails

[tepples]

What happens if an application allows for arbitrary code injection and execution due to a buffer overflow bug? Injected code could easily wipe all your user space files by using standard file io operations without ever doing anything that can be construed as exploiting defects in an underlying OS.

Not if the application is running under a separate user account, a jail, or some other containment facility of the operating system. Lack of such a facility is the defect. An application shouldn't be able to access a resource unless both the user has access to it and the user has delegated access to it to the particular application.

Name one OS that can't be "exploited" in this fashion.

Any GNU/Linux distribution with an AppArmor policy in effect. Or iOS on Apple devices. Or IOS on Nintendo Wii for that matter. Or Android, provided the APK doesn't have the SD fu

Re:

[tepples]

Windows has the capability to run programs under different accounts.

That's a start. Bundling a GUI to create accounts for individual desktop applications would be even better.

Re:

[fustakrakich]

Name one OS that can't be "exploited" in this fashion.

That is the point. All OSs suck. This simply should not happen. I am becoming more convinced it is intentional.

Re:

[nickweller]

Operating System Security and Secure Operating systems [giac.org]

The foundations of a provably secure operating system (PSOS) [sri.com]

Re:

[Zero__Kelvin]

You are an idiot

Not supported on most platforms anymore

[Big Hairy Ian]

Flash isn't supported on IOS or Android anymore. It's only supported on Windows & Linux because they are not walled gardens. Can't speak for the Apple Mac but assume it's not supported or at least discouraged.

Re:

[U2xhc2hkb3QgU3Vja3M]

Flash was never supported on iOS and Adobe Flash has not been installed by default on OS X for years now.

Fight for your bitcoins! [coinbrawl.com]

As an old Shockwave Director user

[azav]

And engineering team member, Flash just can't die soon enough.

Re:

[Zero__Kelvin]

So you are saying Flash is like people who use the subject line as the start of their post?

Re:

[azav]

Awwwwww, you need a hug.