Of the top 10 vulnerabilities found in the exploit kits, eight of them were targeted at Adobe’s Flash plugin, used on millions of computers to play multimedia content, according to Recorded Future, a cybersecurity intelligence firm based in Somerville, Massachusetts.
To arrive at its conclusions, Recorded Future looked at software vulnerabilities known to be used in popular exploit kits such as Angler, Neutrino and Nuclear Pack as well as in cybercrime forums between January and September.
Echoing the conclusion of many other security experts, Recorded Future said the findings call “into question Flash’s place in a secure operating environment.”
“While the role of Adobe Flash vulnerabilities as a regular in-road for criminals and malware should come as no surprise to information security professionals, the scale is significant,” the report said.
Adobe has been working for years to make Flash more secure through code reviews, but it has proven to be a mighty task for an application that’s nearly two decades old.
Monthly patches are almost always released by Adobe, and emergency patches come out for zero-day flaws that cybercriminals are actively using.
Apple founder Steve Jobs famously forbid the iPhone from running Flash. This year, other companies have taken steps to reduce the risk of zero-day Flash flaws.
Facebook’s CSO, Alex Stamos, wrote on Twitter in July that it’s “time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”
In September, Google stopped automatically playing some extraneous Flash content on Web pages. The move was aimed at improving performance in the Chrome browser, but it also has security benefits.
Perhaps the most humorous campaign against the application is the ”Occupy Flash” movement. The group advocates moving everything to HTML5, the latest specification of the Web’s vernacular that has a host of multimedia capabilities.
Occupy Flash’s manifesto reads in part: “It’s time has passed. It’s buggy. It crashes a lot. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology.”