It’s been difficult to avoid news about vulnerabilities in Adobe’s Flash Player. Over the course of the past month, three vulnerabilities have been actively used in the wild. Mark James, ESET security specialist, gives us some details on Flash and zero-day attacks.
You’ve most likely seen a drive-by-download, even if you don’t recognise the name. Have you seen a pop-up telling you that your Flash Player, Java or similar program needs updating? If yes, then you’ve seen a drive-by-download; if no, then you know what to look out for. As reported by fellow ESET blog WeLiveSecurity, all three vulnerabilities used drive-by-download attacks. They have now all been patched: the last for Windows and Mac, the first two for Windows, Mac and Linux.
If you do stumble across one then ignore it! Be sure to go directly to the vendor’s website if you do want to update your software. In some cases, Adobe Flash Player included, you can enable automatic updates, which is recommended.
“No software is infallible…”
“Of course, no software is infallible, virtually every program, OS or application has the probability that it contains a vulnerability or exploit,” Mark explains.
“It should come as no surprise that they exist but it’s how long it takes to patch them that sets some companies apart from others.”
There has been a fair amount of hubbub recently when it comes to patching problems. Google’s bug hunting department, Project Zero, released details pertaining to a Windows 8.1 exploit before Microsoft had it patched… and then they did it again… and again.
Adobe seems to have been Johnny-on-the-spot with its patching but, as Mark points out, if vulnerabilities are “actively being used for an exploit then it needs fixing right now,” and there is no excuse for tardiness.
Exploits and Workarounds
When asked if the frequency of these exploits coming to light was indicative of anything, Mark explains that “it would indicate that it’s a widely used application that is found on a lot of machines.
“As one exploit is found and patched another means is found to use that app to do something it was never intended for. It is the usual cat and mouse game found in all aspects of security, whether physical or software.”
The recent Flash Player exploits have been zero-day attacks. Mark explains that “a zero day attack refers to an exploit found in an application or operating system that the developers have not had time to patch or fix and in theory did not even know was there.
“It’s called zero day because, as the developer or programmer were not previously aware of the flaw, they have had ‘zero days’ to fix it.
“These types of attacks cause so many problems because to qualify they have no fix so therefore can be used without restriction until there is one. This is partially the reason we see so many companies offering bug bounties to help find and fix them as soon as possible.”
Have you had any experience with drive-by-download pages?