Security Weekly 47: Hundreds of vulnerabilities in Adobe Flash
On June 7, Adobe closed a critical vulnerability in Flash Player (news, company message). The CVE-2018-5002 vulnerability was discovered by several research teams from China at once; it allows remote execution of arbitrary code as a result of a buffer overflow error. The vulnerability is a zero-day: at the time of detection, it was already being used in targeted attacks in the Middle East. This rather serious problem is perceived as routine news simply because of the name of the affected product: well, who is still surprised by an RCE in Flash?
This is already the second critical zero-day vulnerability this year; the first was immediately closed in February. Adobe Flash has become a textbook example of unsafe software: it is consistently among the most frequently attacked applications and has not left that ranking for years. It is still common among users, despite many years of attempts to replace it with objectively more efficient technologies. Regardless of one's attitude to the technology, Flash has become an integral part of the history of the Internet. With the help of a couple of links and one graphic, let's try to look at Flash from the security point of view, and not only that.
From the glorious past to the sad present
The early history of the ancestor of Adobe Flash, the drawing program SmartSketch, is a useful case study in how to bet on promising technologies when information is scarce. Imagine yourself in 1992-1993. The Internet as we know it does not exist yet; it is a toy for scientists and a closed club of fans of chatting via mail and news. At the same time, the promising technologies have all been described: there are standards for multimedia PCs and for portable devices, and there are the first tablet concepts. The only unclear thing is which of these will evolve and bring in money and, most importantly, in what order all these technologies will take off. The developers of SmartSketch first made the wrong bet on one of the first operating systems for portable computers with a touch screen (PenPoint).
The system never made it to commercial release, and SmartSketch had to be quickly ported to Mac OS and Windows, where there were already plenty of drawing programs. The second strategic decision, to redesign the project for creating animations and even to provide the ability to publish on the web, turned out to be correct. In 1996, the product, renamed FutureSplash Animator, was released. Around the same time, Microsoft realized that the Internet was the future and began to pump marketing and development budgets into the relevant projects, creating what would become really usable only 10-15 years later: web TV of every kind and other interactive content. Interactive content includes animation, and this is where things went the software creators' way.
In the same year, 1996, the project was purchased by Macromedia (and renamed Flash). By the beginning of the new millennium, the free client plug-in had become the most common browser extension. In 2005, Macromedia was sold to Adobe, and even then Flash was not only software for creating complex web objects, but rather a platform for developing software that had Flash Player as its delivery method. Somewhere in the distance, even then, you could see the glimmer of a brighter future in which computer manufacturers, operating system developers, and even browsers play the role of cable operators responsible for laying wires. The money, meanwhile, is made on the content that is created and delivered through the Flash platform, and that platform is entirely controlled by Adobe. Great, isn't it?
Perhaps it would all have turned out that way, if not for the rise of mobile devices, which had a different interaction scenario (pen and fingers instead of the mouse) and hardware much weaker than that of a conventional PC. Flash was present, say, in Windows Mobile, but the experience was so-so. In 2007, Apple released the first iPhone, a smartphone on which viewing the full web became more or less convenient. The absence of Flash was often presented as one of the serious shortcomings of the device: without it, at the end of the 2000s it was impossible to stream video and audio from a lot of resources or to use some business applications, and, of course, it was impossible to play some cheerful farm game. In 2010, immediately after the release of the iPad, which also did not have Flash, Steve Jobs wrote an open letter explaining why Flash would never appear on Apple's mobile devices.
Let us briefly list Jobs's main arguments against Flash. A closed standard (Jobs concedes that Apple also has plenty of proprietary products, but argues that the standards of the web should be open). As a counterexample, he cites the WebKit engine, developed by Apple and used everywhere (the letter mentions Nokia smartphones, and back then that was still relevant!).
Resources and battery: the example given is the inefficient implementation of the H.264 codec in Flash, which does not allow full use of video decoding hardware. Hence the increased load on the processor and half an hour of battery life. A design tailored to mouse control and an inability to work properly under finger control. The absence of any motivation for Adobe to optimize Flash applications for the iPhone and iPad. Finally, both security and reliability were mentioned ("the number one reason Macintosh computers crash").
The head of Adobe, of course, responded: Macs, he said, crash because the OS is buggy. The claims about battery consumption are all lies. And, of course, "we are for multi-platform". It seems that the dream of a program that is written once and then runs on anything, whether a PC or a coffee maker, was never realized. The problems of efficient coding are being solved one way or another, just without Adobe and the Flash platform.
For a fairly long time Flash was a relatively simple and convenient tool with a working mechanism for delivery to a huge audience. And then it ceased to be such a tool: on July 25, 2017, Adobe announced that it was winding down the development and support of Flash. The reason given was the widespread adoption of those very open standards of the web. Since then, the Flash story has continued as that of a zombie platform, AKA a time bomb on the computers of millions of users.
How bad is it?
The question should be divided into two parts: how bad are things for you personally, and how bad is Adobe Flash in principle from the point of view of security? The first question is easy to answer on your own: go to the page on the Adobe site with the Flash Player version check widget. In my case, the Chrome browser first asked for permission to launch Flash, and then showed that I had the latest version, with the zero-day from June 7 patched. It all seems fine: the browser vendor (Chrome) automatically keeps the Flash plug-in up to date. On the other hand, this functionality could have been turned off altogether: for an ordinary user, a prompt to launch Flash when a page loads does not raise any particular questions. And there are plenty of situations in which even the latest version of the plug-in is critically vulnerable.
How bad is Flash Player as a whole? A general picture is given by the CVE vulnerability database. For Flash Player, at the time of publication it held information about 1,047 vulnerabilities, starting in 2005. The greatest number of vulnerabilities was added to the database in 2015 and 2016, even as Adobe announced a radical increase in platform security. The Adobe Reader program, which is also quite often used in cyber attacks, has 368 vulnerabilities in the same CVE database, almost three times fewer. 86% of the Flash Player vulnerabilities in the CVE database are rated at severity level 9-10, that is, they are critical vulnerabilities. 79% are directly marked as leading to arbitrary code execution.
Price of unsafe software
We cannot say that we agree with Steve Jobs's letter about Flash. Do not forget that it was written in 2010, when watching a video on YouTube in HTML5 without jumping through hoops was difficult (Flash was turned off there altogether only in 2015). The decline of Flash is a business story about a technology that began to lose ground long before it became almost the most frequently attacked software.
And imagine yourself in Adobe's place: for 13 years the technology has brought the company a lot of money. For a number of reasons the technology is about to retire, but it will generate revenue for another three years because of the industry's desire to ensure compatibility. Development is stopped, investment is zero, income keeps coming in: lovely! But no, some (long-since-made) technical decisions or a simple security oversight force you to spend a lot of money and resources on maintaining a product that no longer deserves it. But it has to be done: otherwise there will be damage to reputation, and even legal costs.
It would be interesting to read somebody's memoirs with an analysis: how did it come to this? Preferably with advice on how to avoid it in the future. So far, we can only conclude that investment in security should begin almost before the development of the product does. You can, of course, assume that it will be some other people who have to clean up the blunders made at the start, after the profit and bonuses have already been received. But this is not a serious approach. How responsibly is the development of foundational software approached in our time? We will find out in 10-15 years.