Adobe Flash: Why is It Always Vulnerable?
by Matt James
In cybersecurity and information technology, it seems like there are daily headlines about a new exploit that takes advantage of a flaw in Adobe’s Flash products. With constant updates and seemingly endless exploits, people are curious to know what’s going on and why it’s so damn vulnerable.
It’s damn old…
Adobe Flash came out over 20 years ago. Its rapid evolution requires Adobe to push out releases faster than they can be thoroughly tested. The subcomponents, known as unmanaged code, are where bugs grow and evolve. Without getting too technical, unmanaged code is software that is not installed on your system. Instead, it exists in temporary memory and is called when needed. Think of it as a temporary program that spawns only when needed, and for a specific purpose.
Why is it Vulnerable?
Applications have to get to market fast to remain relevant, and Adobe Flash is no different. Everything from browser-based games on Facebook to online chat uses Flash to deliver media. This puts the onus on Adobe to keep churning Flash out to consumers. Even with proper quality assurance (QA) testing, bugs are left in the wake. Because Flash resides in memory, it has the ability to communicate with other parts of your computer, and those parts may have access to sensitive information. For instance, if your medical information is accessed by your browser, it is stored temporarily in memory. That memory may be accessible by other parts of the system, perhaps parts that Flash has access to. If a bad actor finds a flaw that can manipulate that memory to reach other parts, parts that are temporarily storing your medical data, that data could be disclosed.
The Path Forward
Every year, it seems like Adobe Flash may be killed for good. But alas, it has yet to happen. If you have the tolerance for it, the best recommendation would be to remove it completely and resist the urge to use it. That is easier said than done, both because many major sites require it and for risk management professionals tasked with keeping environments safe and secure. If you want to keep using it, but in a safer manner, be sure to check for updates frequently. You can also decide which websites may use Flash and which cannot, as well as which resources Flash has access to. For the security-conscious, explicitly choosing which sites and resources Flash can use gives you an edge on malicious sites that may look to take advantage of your current installation.
This first appeared in The Havok Journal on February 17, 2019.
Matt James (CISSP, CPT, CEH, CNDA) has more than 15 years of experience in cyber security and information technology. He has led and performed numerous red-team activities against public and private sector entities, including major Fortune 500 corporations and federal agencies. Medically retired from the Army after injuries sustained during combat operations, Matt resides in the Washington, D.C. area where he is the Director of Cybersecurity and Risk Management for ID.me.