Adobe’s Flash technology may end up being the highest-profile victim of the attack on the software “arms dealer” Hacking Team, as news of that group’s reliance on Flash vulnerabilities prompts calls for Adobe to permanently retire the vulnerability-prone web-enhancing technology.
On Sunday, Alex Stamos, the Chief Security Officer at Facebook, became the most prominent figure to call on Adobe to set an “end of life” date for Flash – a move that would almost certainly hasten an already fast and widespread migration away from the bug-prone technology.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Stamos said via his Twitter account (@alexstamos) on Sunday. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.” A killbit is a feature of modern web browsers that allows browser makers to instruct the browser not to load a specific piece of software, such as a plugin.
Stamos’s comments follow revelations stemming from the “doxing” of the firm The Hacking Team, including the release of hundreds of gigabytes of e-mail correspondence and source code for the firm’s software tools.
The leaks revealed the proprietary exploits that Hacking Team built into its software tools to allow them to compromise fully patched systems. Among other things, the hacking toolkits sold by the firm included exploits for a number of previously unknown vulnerabilities in Flash.
They include CVE-2015-5119, which affects Windows, Linux, and Apple products. Successful exploitation can result in a crash and remote access to the infected machine. Adobe has said it is working on an emergency patch, which could come as early as today. Another Flash Player vulnerability disclosed in the Hacking Team breach, CVE-2015-0349, had already been patched.
Security firms, including Trend Micro, subsequently built on the revelations from the Hacking Team leak to discover other, related vulnerabilities in platforms like Adobe Flash. As Trend Micro reported on Monday, a third remotely exploitable hole, CVE-2015-5123, was discovered based on intelligence gleaned from the Hacking Team leak.
Adobe Flash is a frequent source of exploitable vulnerabilities because it is widely deployed on the Internet, powering sophisticated user interface features on web sites. Prior to the hack of Hacking Team, Adobe issued critical patches for Flash in January, February and June of 2015. According to one recent survey, Flash is used by just over 10 percent of all web sites – a figure that has declined from close to 15 percent in the last year.
Apple was among the first to move away from the technology in 2010, when then-CEO Steve Jobs indicated that newer versions of iOS, its mobile operating system, would not support Flash because of poor security and excessive power consumption.