Thoughts on the Flash Malware Attack

It has almost been a week since the Adobe Flash zero-day attack false alarm.  Since then, a number of people have called Symantec out as being irresponsible for crying wolf and announcing the raising the ThreatCon without fully researching the vulnerability (Full disclosure: Based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system — I was more interested in reversing the malware payload at the time).  We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.

Google Analytics has a nifty feature where it will give you information on your visitor’s browser capabilities, including the version of Flash installed down to the revision level1. I was looking through the analytics for my other, more neglected web site and noticed that less than a third of my high-technical visitors had a current version of Flash. An anonymous robot contributed statistics for a larger site that had significantly more visitors2 and the statistics confirmed the low percentage of up-to-date Flash players.

Date % up-to-date
5/26 15.28
5/27 15.93
5/28 16.50
5/29 17.51

Remember, this is still 7 weeks after the update was released. This brings me to my main points:

  • Flash 9 has 97.2% penetration in mature markets
  • After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability
  • At CanSecWest’s PWN2OWN 2008, Shane Macaulay and Alexander Sotirov proved that with proper Feng Shui and a Java applet, a flash vulnerability is still very much exploitable even on Vista SP1 with ASLR, Hardware-enforced DEP, etc.
  • TippingPoint’s Zero Day Initiative has 7 upcoming advisories for high-risk vulnerabilities in Adobe products.  I doubt any of them are in Photoshop.
How does the average user know that they should update flash and how to do so?  By reading the trade press?  Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as possible.  As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn.

1. Actually, you only get revision numbers if the user’s browser is FireFox. I believe it is safe to assume that the average FireFox user would be more Internet security savvy than the average Internet Explorer user, so we may consider these numbers an upper bound.

2. Data is based on several hundred thousand unique visitors.

Comments

  1. hola Dino 2.0
    Incidentally Adobe just announced that Acrobat 9 will support embedding Flash in PDF documents
    hrmm that is a very nice!!

  2. Dino Dai Zovi says:

    @ivan
    Hola Ivan y bienvenidos. Do you remember when we used to think of PDFs as being safer than Microsoft Office documents? I for one used to…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 3,629 other followers

%d bloggers like this: