Web Isolation


Patching won't save you from the next security breach 

Jul 15, 2015 12:00 PM

2015 is on its way to becoming the year of Adobe Flash exploits. In the first quarter of 2015, 48 different Flash vulnerabilities were discovered, a sharp increase from the 28 Flash vulnerabilities reported in the fourth quarter of 2014, setting an all-time record.

Last week alone Malwarebytes researchers discovered a third zero-day vulnerability in the Adobe Flash Player browser plugin. The vulnerability (CVE-2015-5119) was discovered after attackers dumped some 400 gigabytes of data on the Internet, which they stole from Hacking Team, a controversial security firm that sells surveillance software to governments around the world. 

Within just a few days of the publication, this vulnerability was already being used by cybercriminals and had been integrated into common exploit kits before a patch was available from Adobe, as reported by Malwarebytes and others. Thanks to the detailed instructions left by Hacking Team, this was one of the fastest cases of weaponization in the wild.

Adobe Flash, one of the most popular platforms to deliver multimedia and rich Web content, is installed on nearly every computer connected to the Internet and is even directly integrated with Google Chrome and enabled by default on this popular browser. 

Research by W3techs shows that Adobe Flash is being used by 10.6% of all web sites, but at the same time it is a platform “successfully used by cybercriminals to attack victims by exploiting the growing number of devices running old versions of Flash” according to McAfee’s recent security report.

Is this the end of this Adobe Flash saga? Apparently not. The recent case of CVE-2015-5119 shows that there are still more zero-day vulnerabilities that are waiting to be publicly disclosed and are being used in the wild to infect computers with malware and other espionage software.

Frequent patching is mandatory, and according to an HP report from June this year, keeping up with security patching could stop 85% of targeted cyber attacks. As well known as this is, Verizon’s 2015 Data Breach Report finds that 99.9% of exploited vulnerabilities had been compromised more than a year after the associated patch was published.

Even when a patch is available, there is still a significant window of vulnerability between the time a zero-day vulnerability becomes public and is exploited and the time all systems are fully patched.

The current situation is not encouraging. Research shows that it can take up to 10 months until a vulnerability is fully eradicated. Security patch management activities are a major component of IT operating costs, according to a report published by global IT consulting firm Wipro. Security teams experience long nights of software patching, business disruption, and drained IT budgets associated with patch deployment, infrastructure setting, testing, helpdesk, failure resolution and threat assessment.
 

Considering the number of systems in an organization that need patching, companies that participated in this study spent hundreds of thousands to millions just on the patching itself, which in the end is reactive in nature and will probably not stop the next round of attacks.

Gartner is also worked up about patching “in the darkest woods of IT”, describing the situation of patching third-party applications, server operating systems and, on top of all this, virtualization as “a full-blown slow-cooking disaster”.

This situation calls for proactive approaches such as web isolation that will reduce the urgency for frequent patching, reduce costs and keep systems protected at all times, even when not yet patched.
