It has been almost a week since the Adobe Flash zero-day attack false alarm. Since then, a number of people have called Symantec out as irresponsible for crying wolf and raising the ThreatCon without fully researching the vulnerability (full disclosure: based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system — I was more interested in reversing the malware payload at the time). We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.
Google Analytics has a nifty feature that reports your visitors’ browser capabilities, including the version of Flash installed, down to the revision level [1]. I was looking through the analytics for my other, more neglected web site and noticed that less than a third of my highly technical visitors had a current version of Flash. An anonymous robot contributed statistics for a larger site with significantly more visitors [2], and those statistics confirmed the low percentage of up-to-date Flash players.
Remember, this is still 7 weeks after the update was released. This brings me to my main points:
- Flash 9 has 97.2% penetration in mature markets
- After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability
- At CanSecWest’s PWN2OWN 2008, Shane Macaulay and Alexander Sotirov proved that with proper Feng Shui and a Java applet, a Flash vulnerability is still very much exploitable even on Vista SP1 with ASLR, hardware-enforced DEP, etc.
- TippingPoint’s Zero Day Initiative has 7 upcoming advisories for high-risk vulnerabilities in Adobe products. I doubt any of them are in Photoshop.
[1] Actually, you only get revision numbers if the user’s browser is Firefox. I believe it is safe to assume that the average Firefox user is more Internet-security savvy than the average Internet Explorer user, so we may consider these numbers an upper bound.
[2] Data is based on several hundred thousand unique visitors.
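As an added example (not from the original post), the following Python computes the share of visitors running a patched Flash player from the version strings Analytics reports, treating visitors whose browser withholds the revision (footnote 1) as unclassifiable so that the result is only an upper bound. The patched build `(9, 0, 124)`, the string format, and the sample visitor data are assumptions.

```python
import re
from collections import Counter

# Flash version strings in the shape Analytics showed them (constructed sample,
# not real visitor data). Firefox visitors report the revision ("9.0 r124");
# Internet Explorer visitors report only major.minor ("9.0").
SAMPLE_VISITS = [
    "9.0 r124", "9.0 r115", "9.0 r47", "9.0", "9.0 r124", "8.0 r24",
    "9.0", "9.0 r115", "(not set)", "9.0 r124", "9.0 r45", "9.0",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+r(\d+))?$")


def parse_flash_version(s):
    """Return (major, minor, revision), revision None when not reported,
    or None when the string is not a Flash version at all."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, rev = m.groups()
    return int(major), int(minor), (int(rev) if rev is not None else None)


def patch_coverage(visits, patched=(9, 0, 124)):
    """Fraction of classifiable visitors at or above the patched build.

    `patched` is an assumed (major, minor, revision) of the fixed release;
    the post does not name it. Visitors without a revision cannot be placed
    on either side of the fix, so they are counted separately and the share
    is an upper bound over the visitors that could be classified.
    """
    counts = Counter()
    for s in visits:
        v = parse_flash_version(s)
        if v is None:
            counts["unknown"] += 1
        elif v[2] is None:
            counts["no_revision"] += 1
        elif v >= patched:
            counts["patched"] += 1
        else:
            counts["unpatched"] += 1
    classified = counts["patched"] + counts["unpatched"]
    share = counts["patched"] / classified if classified else 0.0
    return share, dict(counts)
```

Run on the constructed sample, 3 of the 8 classifiable visitors are patched, and the 3 revision-less entries are reported rather than silently folded into either side.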