Make no mistake about it. Adobe is an excellent company, and they’re very good about releasing patches, especially when security is at risk. Unfortunately, they’ve had to be. Adobe’s Flash technology has been the way in for a number of high-profile hacking attacks that have revealed gaping holes in security and raised questions as to the long-term, continued viability of the product.
What Happened
The vulnerability exploited in this most recent attack is tracked as CVE-2015-0313, and full details are published under that identifier. The reason that Flash is such a tempting target is that it’s universal. It doesn’t matter what operating system you use; Flash works on it. That allows would-be hackers to target Android devices, PCs and Apple gear, all from a single point of entry. Simply put, it’s irresistible.
The way this most recent attack manifested was that “malvertising” was placed on a number of high-profile sites, including dailymotion, theblaze, my.juno.com, earthlink, nydailynews, and others. The advertising wound up on those sites in the same way that much advertising does.
The hackers placed bids on certain keywords, and when they held the high bid for the keyword in question, their ad was the one that got served. Anyone who clicked the ad in question got infected, and a successful infection could crash their device and allow the hackers to control it once it was rebooted. A post-attack analysis revealed that the hackers paid an average of $0.93 per click to infect machines.
Not the First
Adobe set a new record for releasing a security patch, with a fix available just thirty-six hours after the bug was reported. Unfortunately, this is the third major breach of the application this year alone. Each successive breach, no matter how quickly the company responds, raises more questions. Given that this is the source of so many attacks that can affect every system on the ‘net, perhaps it’s time to give up on it in favor of some other solution?
The problem, of course, is that Flash is ubiquitous. You almost can’t surf the web without running into a site that makes use of it. If the decision were made to abandon it, it would mean no more support, so no more patches for the security breaches in the future, and virtually every company with a presence on the web would be forced to scramble to retool their sites.
Given all of this, have you looked at your company’s site lately? How reliant are you on Flash? How quickly could you migrate to some other solution and retool your website if it came down to it? These are not trivial questions, as they would impose additional costs on your business, and depending on how you answered the questions above, potentially steep ones.
On the other hand, if the breaches continue at their present pace, how long will it be before your business or your customers are impacted, and can you afford to wait? Whatever you ultimately decide to do, action is in order. Either prepare for the eventual breach that impacts you, or prepare to migrate. These attacks don’t appear to be going away.