Flash attack may as well have been zero-day

Flash attack may as well have been zero-day

Summary: Guest Editorial by Dino Dai ZoviIt has almost been a week since the Adobe Flash zero-day attack false alarm.

TOPICS: Security

Guest Editorial by Dino Dai Zovi

Flash attack may as well have been zero-dayIt has almost been a week since the Adobe Flash zero-day attack false alarm.  Since then, a number of people have called Symantec out as being irresponsible for crying wolf and announcing the raising the ThreatCon without fully researching the vulnerability (Full disclosure: Based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system — I was more interested in reversing the malware payload at the time).

We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.

Google Analytics has a nifty feature where it will give you information on your visitor’s browser capabilities, including the version of Flash installed down to the revision level [1]. I was looking through the analytics for my other, more neglected web site and noticed that less than a third of my high-technical visitors had a current version of Flash. An anonymous robot contributed statistics for a larger site that had significantly more visitors [2] and the statistics confirmed the low percentage of up-to-date Flash players.

Date % up-to-date
5/26 15.28
5/27 15.93
5/28 16.50
5/29 17.51
Remember, this is still 7 weeks after the update was released. This brings me to my main points:

  • Flash 9 has 97.2% penetration in mature markets
  • After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability
  • At CanSecWest’s PWN2OWN 2008, Shane Macaulay and Alexander Sotirov proved that with proper Feng Shui and a Java applet, a Flash vulnerability is still very much exploitable even on Vista SP1 with ASLR, hardware-enforced DEP, etc.
  • TippingPoint’s Zero Day Initiative has 7 upcoming advisories for high-risk vulnerabilities in Adobe products.  I doubt any of them are in Photoshop.

How does the average user know that they should update Flash and how to do so?  By reading the trade press?  Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as

possible.  As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn.

[1] Actually, you only get revision numbers if the user’s browser is Firefox. I believe it is safe to assume that the average Firefox user would be more Internet security savvy than the average Internet Explorer user, so we may consider these numbers an upper bound.

[2] Data is based on several hundred thousand unique visitors.

* Dino Dai Zovi is an information security professional, researcher, and author.  He is perhaps best known in the security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.  He publishes the Trail of Bits blog and can also be found on Twitter.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Flash attack may as well have been zero-day

    I just checked the Google Analytic Stats on the site I work on and it looks like I am getting Flash revision information from all the browsers, not just Firefox.

    The real sad stat is over the past 7 days 35 different versions of Flash have been recorded.
  • RE: Flash attack may as well have been zero-day

    your right, while I did have a version 9 it was not the latest. No updaye manager, FUBAR.
  • Sorry Ryan, but you're just as guilty as Symantec...

    And still are.

    I guess fear sells for Kapersky Labs and gets clicks and talkbacks but this isn't the first time you've wandered so far out into left field as to lost the ball park completely.

    In the end you do everyone a disservice with this kind of thing because people will simply stop believing it or simply give up and think that they can do nothing at all about it.

    I guess you think it's some kind of public service but after too many chicken little posts it becomes turn off time.

    If you want to perform a public service stop writing and headlining like some kind of Internet version of News of The World.


    • Total Disagreement

      While I don't harbor a complete agreement with this being "just as bad as an 0-day", I'm pretty close to it.

      The damn term 0-day is pretty nebulous and thrown around so loosely to begin with it's ridiculous, but the end result is, a huge population of people were not prepared for this, and as Dino so eloquently demonstrated, Flash sploits are a SERIOUS issue. Combined with Sotirov's Heap Fung Shui hotness and browser protection bypass like using Java, this is an exploitable issue on a LOT of systems.

      Let's be honest about things, you don't really give a crap one way or the other if you are standing at ground zero when you get pwned, you still got pwned, and it is still the fault of someone's code.

      Be honest about things, are you 100% up to date? What is reasonable with this? The patch hasn't been adapted by the populous, that is a problem. I think we can excuse symantecs (play on words for Symantec), and just say this is a serious issue and fear mongering is worthwhile if it gets people patched... regardless of if it is 100% legit.

    • Raising awareness

      If I can help raise awareness around patching (I hope you applied the update!), I'll happily take all your criticism.

      Ryan Naraine
  • Adobe forgot to activate ASLR in flash9

    Adobe forgot to activate ASLR in flash9
  • Dino Dai Zovi deserves much credit -

    not merely for his conclusion, but perhaps even more for the research which lies behind it. This is the sort of journalism we need - a journalism which goes beyond reproducing commercial press releases. How important a vulnerability is depends upon the amount and severity of the damage it can do, and the greater market penetration an application has, the greater potential its vulnerabilites have to really screw things up on a grand scale. It is easy to say that [b]Adobe[/b] bears no responsibility for the failure of its users to patch security holes, but the fact is that for obvious - and sound - business reasons, firms like [b]Adobe[/b] attempt to make the use of their applications as convenient as possible for even the least knowledgeable user. Computer users do not have to take tests to lawfully use their machines (at least one poster to the [b][i]ZDNet[/i][/b] fora has called for such a test), and since sellers of both hardware and software would be adamantly opposed to such restrictions, it seems reasonable to me to demand that they do everything in their power to help their users keep their security up to date. Here, perhaps an applet that automatically suggests an update when a superseded version of Flash is used could be installed with the programme ? These reminders can be annoying, but it must be much more annoying to have one's computer hacked. Besides, when downloading [b]Flash[/b] the user could be requested to tick off a box in order to be reminded of current updates when applicable. The option should be accompanied by a strong recommendation to activate it....

  • RE: Flash attack may as well have been zero-day

    Amen! After reading much of this, I attempted to see what version/update I have. For the common user, it was impossible. I couldn't even find it as a plug-in to Firefox to check or check for updates. Even after going to the Flash Download site, there are enough confusing links to various updates, I cannot imagine the majority of the world having success, even if they want to.

    So, yes, I vote for a setting to periodically check for updates. If it only checks when you are getting ready to view a Flash, most times the user will reject installing the update because we want to see the media... not waste a bunch of time installing an update first.

    So, bottom line, Flashplayer is not user friendly when it comes to updates and installs.
    A very COMMON user,
  • RE: Flash attack may as well have been zero-day

    Google Analytics is yet another good resource in letting us know about possible vulnerabilities we need to be aware of. In this case it is our users that need to know about their own browser plug-ins (though they have no access to our own Google Analytics information). Perhaps their own browsers need to be smarter about alerting them to updating their plug-ins.

    We recommend all of our clients go with Firefox though just as important as a safe, well... safer browser is keeping plug-ins updated as well. Fortunately Firefox is really good about alerting users to required updates.

    In terms of Symantec, if they had NOT published the information regarding the now-debunked exploit then they probably would have been called out for not being early enough in their warning. It is a tough game deciding how much due-diligence to perform prior to publishing a warning. And it is very easy to make that call the NEXT day when all of the information comes to light.

    I am not saying I agree with their decision. Rather one should put themselves in their shoes before condemning them.

    MBridge llc