Flash attack may as well have been zero-day

Guest Editorial by Dino Dai Zovi

It has almost been a week since the Adobe Flash zero-day attack false alarm.  Since then, a number of people have called Symantec out as being irresponsible for crying wolf and announcing the raising the ThreatCon without fully researching the vulnerability (Full disclosure: Based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system — I was more interested in reversing the malware payload at the time).

We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.

Google Analytics has a nifty feature where it will give you information on your visitor’s browser capabilities, including the version of Flash installed down to the revision level ^[1]. I was looking through the analytics for my other, more neglected web site and noticed that less than a third of my high-technical visitors had a current version of Flash. An anonymous robot contributed statistics for a larger site that had significantly more visitors [2] and the statistics confirmed the low percentage of up-to-date Flash players.

Date	% up-to-date
5/26	15.28
5/27	15.93
5/28	16.50
5/29	17.51

Remember, this is still 7 weeks after the update was released. This brings me to my main points:

• Flash 9 has 97.2% penetration in mature markets
• After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability
• At CanSecWest’s PWN2OWN 2008, Shane Macaulay and Alexander Sotirov proved that with proper Feng Shui and a Java applet, a Flash vulnerability is still very much exploitable even on Vista SP1 with ASLR, hardware-enforced DEP, etc.
• TippingPoint’s Zero Day Initiative has 7 upcoming advisories for high-risk vulnerabilities in Adobe products.  I doubt any of them are in Photoshop.

How does the average user know that they should update Flash and how to do so?  By reading the trade press?  Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as

possible.  As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn.

[1] Actually, you only get revision numbers if the user’s browser is Firefox. I believe it is safe to assume that the average Firefox user would be more Internet security savvy than the average Internet Explorer user, so we may consider these numbers an upper bound.

[2] Data is based on several hundred thousand unique visitors.

* Dino Dai Zovi is an information security professional, researcher, and author.  He is perhaps best known in the security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.  He publishes the Trail of Bits blog and can also be found on Twitter.