Mar 31 2016

F-Secure Warns Against Flash Player

For several years in a row, Adobe's Flash Player software has been a source of serious concerns for corporate and home users alike. As a result, some software vendors even went so far as to block or blacklist the browser plug-in altogether. The latest "Threat Report" from Finnish security outfit F-Secure now provides new ammo for the anti-Flash coalition.

Roughly six years ago, the late Steve Jobs published a famous open letter entitled Thoughts on Flash. In it, he outlined the technical reasons for Apple's refusal to support Adobe's prominent video player on future generations of the company's 'iDevices' (bar Macs), citing "one of the worst security records of 2009" as one of eight key disadvantages. That letter didn't exactly sit well with large parts of the industry and numerous experts who believed the letter was a PR stunt and that Apple only shunned Flash out of purely commercial motives. Others found that while Jobs' arguments might not be completely honest, he did have a point. After all, serious vulnerabilities – from input validation errors through clickjacking issues to a penchant to fall for cross-domain requests – had plagued the plug-in since at least 2006, and even the US-CERT had recommended blocking the software one month before Apple's co-founder issued his Philippic.

Fast forward to March 2016, and it feels like you're traveling back in time. Earlier this month, Finland's leading IT security firm F-Secure published its "Threat Report 2015", a 50-page analysis of the most outstanding and dangerous attackers and threats from the previous season. Surprisingly enough (or maybe not for some), F-Secure's analyst team found that Flash was still extraordinarily popular among cyber-crooks, offering up 13 of the 15 "top vulnerabilities" they target with exploit kits such as Angler, Magnitude or Neutrino (see table below). As one would expect, the researchers also try to answer the question why the software still attracts so much attention despite the fact that major software vendors and security firms have warned against it for almost a decade. Here's their explanation, quoted verbatim:

  • "Flash is widespread – it's used on multiple platforms and is one of the most widely distributed pieces of software in the world, so exploiting it yields a larger payoff."
  • "Flash doesn't update automatically for all users, so many users still run old versions that are vulnerable and easily exploitable."
  • "Cybercriminals find it easy to spot vulnerabilities in the code."


Fig. 1: F-Secure list of 2015's top vulnerabilities

In fact, the verdict turns out even worse: to drive home their point, the researchers recount the story of the security breach that nearly brought Italian spy software firm Hacking Team to its knees last July:

"When the firm was hacked, at least two Flash zero day vulnerabilities were among the leaked data. To say the top exploit kit makers were quick to react would be putting it mildly.

"When the first vulnerability was exposed on July 7, exploit kits Angler, Neutrino, and Nuclear all incorporated support for it the very same day. A patch was released the following day. The second vulnerability was made public on July 11. Angler adopted support the next day, closely followed by Nuclear, Rig and Neutrino the following day."

Consequently, F-Secure's analyst team now seems to have joined the fast-growing group of experts who advocate banishing Flash altogether – or, if that's not possible, strictly limiting its use. Given the capabilities of HTML5, that should be easy enough to do.

If only there was no YouTube...

