The weaponisation of Adobe Flash: 0day exploit is the last straw


Adobe Flash 0day proves, yet again, why this pile of insecure crap must be put out of its misery in order to relieve ours.

Another emergency update for the Adobe Flash media player hardly qualifies as news these days. That it contains patches for no fewer than 18 vulnerabilities, all of them capable of leading to remote code execution, doesn’t change that. The weaponisation of Adobe Flash has been an ongoing threat for far longer than we care to recall here at IT Security Thing; it’s just far too depressing when you consider that the damn thing is still alive.

However, we do feel honour-bound to inform our readers that one of the vulnerabilities is weaponised and being actively exploited in the wild.

Like Ming the Merciless, organisations are failing to kill Flash

According to the Adobe Product Security Incident Response Team (PSIRT), Adobe is “aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.”

That ‘CVE’ designation is a generic one, and simply refers to an integer overflow vulnerability, so no change there then. All we actually know about it is that it’s an Adobe Flash 0day exploit and it was discovered by Anton Ivanov of Kaspersky Lab.

While Adobe recommends that users update their product installations to the latest versions using the instructions referenced in security bulletin APSB16-08, here at IT Security Thing we recommend you simply nuke it and uninstall Adobe Flash as a priority.

Gavin Millard, Technical Director at Tenable Network Security, agrees, telling us that unfortunately “like Ming the Merciless, organisations are failing to kill Flash no matter how hard they try. Flash needs to be treated as a high security risk application, removing it from endpoints where not required and adding compensating controls where it is.”

Truth be told, until you kill it on your systems you probably won’t realise that you never used it anyway. The same goes for Java and Silverlight… Bomb them all back to whatever insecure hell they came from. What you will do is decrease the attack surface for remote code execution attacks, and that is a cast-iron guarantee from us.