- July 29, 2015
- Info notes
What is Flash?
Flash is a multimedia platform developed by Adobe and generally used in web pages. It was introduced in 1996 and quickly became the standard for web video and later video streaming. As an example, YouTube relied on Flash for 10 years, starting in 2005.
Hacking team Flash exploits
Among the files leaked in July 2015 from the surveillance software firm Hacking Team, security researchers found at least three Flash 0-Day exploits working on Windows, Mac OS X and Linux. According to Microsoft, one of these exploits – dubbed critical by both Microsoft and Adobe, allowed an attacker to view, modify and delete data, as well as create new privileged user accounts. Within just a few days, hackers began using these exploits; Adobe has since provided patches.
Problems with Flash
The popularity of Flash was mostly due to its ability to run complex scripts on web browsers; this is also one of the main reasons why Flash became a primary attack target. As a result, Flash has long been one of the biggest attack vectors. It featured in several threat reports as one of the top plugin threats. Between January 2014 and August 2015 alone, Flash has launched 7 major releases (versions 18.104.22.168 to 22.214.171.124) through over a dozen updates following the discovery of security vulnerabilities. One particular release contained fixes for 11 vulnerabilities rated critical.
The future of Flash
For many years Flash has been the key software to develop media content online, so that the absence of Flash player would prevent a browser from displaying the latter. Nevertheless, because of the recurrence of the security issues abovementioned, Apple decided in 2010 to drop Flash support on its mobile operating system. Due to its large user base (circa 17.5 million iPhone users in 2010 in the US alone), web and software developers had no other option than to start using other technologies to deliver media content online. As an example, YouTube switched to HTML5 as its default video setting in early 2015.
Following the release of the 3 Flash 0-Day exploits from Hacking Team, Mozilla and Google decided to block earlier versions of Flash on their browsers, Firefox and Chrome respectively.
Lastly, the chief security officer of Facebook publicly asked Adobe to set an end-of-life date for Flash and encouraged browser developers to completely disable Flash support in future releases.
As for any other software, the only way to be 100% safe from exploits is to remove the software completely, in this case Flash player. If this is not possible then a limited use of Flash must be enforced by strict policy settings. In particular:
- Only allow the latest version of Flash;
- Request user permission before running a Flash script.
Developers should prepare for the phasing out of Flash, as better integrated environments like HTML5 are supported by most web browsers. HTML5 includes features for playing audio and video within web pages, as well as integrated vector graphics. Moreover, HTML5 does not require any additional software other than the web browser, hence limiting the attack surface.
Nevertheless, as developers shift towards alternative technologies, so does the offensive cybersecurity community. In this regard, developers should always be careful when choosing and implementing these technologies. For a secure implementation of HTML5, one can refer to the HTML5 Security Cheat Sheet.
About "Info Notes" from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (firstname.lastname@example.org).