Five years ago there was a heated battle between Steve Jobs and Adobe. Jobs refused to allow support for Adobe Flash in iOS–and wrote a 1700-word open letter explaining exactly why. Adobe Flash is still not on iOS but it is still around and now it’s in hot water again. Data leaked from the Hacking Team hack revealed multiple zero-day vulnerabilities in Adobe Flash being exploited.
It seems like Steve Jobs was right all along. Perhaps it’s time for Adobe Flash to fade away:
The hack of Hacking Team has been enlightening on a number of levels. It appears to show that Hacking Team has been dishonest about the nations on its client list and at the same time it was a wakeup call that Hacking Team is not unique in providing subversive tools and zero day exploits to customers—including government agencies. One thing we’ve learned from the Hacking Team hack is that Adobe Flash has serious issues and hackers know how to exploit those issues to execute malicious code.
The hackers who compromised Hacking Team leaked 400GB of sensitive data, including source code for Hacking Team’s software, like Galileo. Galileo is a remote control software console developed for government customers. Galileo monitors target systems by installing an agent and security researchers have scoured the leaked Galileo source code to figure out how Galileo manages to install the agent.
What they’ve found so far is that Galileo relies on a variety of zero-day exploits to circumvent detection and plant the agent software. Three of the four zero-day vulnerabilities that have been discovered so far are in Adobe Flash.
We don’t know whether or not malicious hackers were already aware of these flaws or not, but now that the Hacking Team source code has been leaked to the public those Adobe Flash zero-day exploits are public knowledge. “Cybercriminals have been doing their own research and have been able to integrate all three zero-day vulnerabilities into the major Exploit Kits exposing the general public to these previously unknown attacks,” explained Wolfgang Kandek, CTO of Qualys, explained in a blog post. “Since no patches had been available before today, our advice so far has been to either uninstall Flash to completely neutralize the attack, use EMET on Windows to provide additional hardening for your browser or use Google Chrome as your browser as it was not affected by at least the first Flash zero-day.”
Russ Ernst, director of product management for HEAT Software (formerly Lumension) offered advice about Adobe Flash as well. “Together, the three exploits impact Flash versions 9.0 through 126.96.36.199 in Windows, Mac and Linux and brings Flash to its 11th update overall in 2015 alone. If you must use Flash, be sure you have the current version, which you can download here. The safer bet however is to uninstall the long-risky media player once and for all.”
Read the full story on Forbes: Adobe Flash Woes Prove Steve Jobs Was Right.