Facebook chief security officer (CSO) Alex Stamos has called for Adobe Flash to be killed off after a string of recent cyber-attacks have exploited three new 0-day flaws in the package - including hacks by Chinese cyber-espionage groups on at least 23 companies in the aerospace and defence, high-tech and other industries.
The phishing attacks by China's APT3 and APT18 hacker groups were revealed yesterday by security firm FireEye. The two groups separately used Flash 0-day vulnerability CVE-2015-5119 - which was leaked last week when surveillance software firm Hacking Team was itself hacked – to plant backdoors SHOTPUT (APT3) and GHOST RAT (APT 18), which can take over any computers targeted.
FireEye said the victims also include organisations in the construction and engineering, energy, non-profit, telecoms, transport, education and health and biotechnology sectors.
Meanwhile, F-Secure yesterday said that the same 0-day has been built into in a series of cyber-crime exploit kits, including Angler, Magnitude, Nuclear, Neutrino, Rig and HanJuan.
And on Sunday, French 'white hat' hacker Kafeine confirmed that another of the trio of Hacking Team 0-days (CVE 2015-5122) has been added to the Angler toolkit.
Adobe rushed out a fix for the first 0-day last Wednesday, but not before the Chinese cyber-criminals sprang into action. And the company has promised it will patch the final flaws CVE-2015-5122 and 5123, some time this week. But in the meantime Flash users remain vulnerable – leading to calls for the software to be canned.
Facebook's Alex Stamos tweeted on Sunday: “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”
His view has won support elsewhere. Timo Hirvonen, senior researcher at F-Secure, told SCMagazineUK.com via email: “It's time to get rid of Flash. If all the iPhone and iPad users in the world can live without Flash so can you. All Flash does is make your computer vulnerable.”
Gavin Millard, technical director of Tenable Network Security, agreed: "With Flash continuing to be a favoured attack vector for exploit kit and malware authors, maybe it's time that it was put out to pasture, only being used by parts of the business that requires it and continually monitoring for users that don't,” he told SCMagazineUK.com via email.
Millard said the “rapid disclosure and weaponisation of these types of vulnerabilities” is outpacing the vendor's ability to fix the flaws and IT staff to identify and patch.
“With most employees nowadays using corporate systems at home, if IT staff don't have an effecying how vulnerable laptops are and to rapidly push updates to fix them, threats could be walking through the door every day.”
In its blog, FireEye highlighted the speed of cyber-criminals in exploiting the new Flash bugs: “APT3 and APT18 quickly employed Hacking Team's leaked 0-day before the vulnerability was patched. Both groups likely monitor information from security research to learn what exploits are available and how network defenders are reacting to them.”
F-Secure's report on the exploits added: “Since the information about the first 0-day was made freely available, we knew attackers would swiftly move into using it. As expected, the Flash exploit was integrated into exploit kits.”
F-Secure said there has been a further spike in attacks using the Angler kit in the last few days using the still-unpatched flaw CVE-2015-5122.
We asked Adobe for its response to the criticism of Flash but it had not replied at time of writing.
However, an Adobe spokesperson reportedly told The Register: "There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organisations, to help keep our products and our users safe.
"Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments."
Gavin Reid, VP of threat intelligence at Lancope, also defended Adobe, telling SCMagazineUK.com via email: “Flash has been the vulnerability cow the hackers have been milking for years. However, software doesn't hack people – people do. If Flash is killed off the people will move to the next widely installed and easiest to hack tool (Silverlight, Java, etc).”
Hacking Team's secrets - all 400 gigabytes of them, including details of its governmental clients – were originally leaked online eight days ago, as reported by SC UK.
In a statement issued yesterday, the company has promised to bounce back from the “reckless and vicious crime” and says it is building “a totally new infrastructure for its lawful surveillance system”.
In related news, Trend Micro senior engineer Philippe Lin yesterday revealed another technique developed by Hacking Team – it has created a UEFI BIOS rootkit that keeps its surveillance software active in the target's system, even if the user formats or replaces their hard disk or re-installs their OS.
Adobe confirmed that “critical” vulnerabilities CVE-2015-5122 and CVE-2015-5123 currently remain in Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux.
It said: Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12.”
Also see: Mozilla reaction with Flash ban.
Plus - see update: Adobe patches Flash Player bugs.