
Hacking Team leaks gave criminals a handle to exploit Adobe Flash

Krishna Bahirwani speaks with F-Secure's country manager (India & SAARC) Amit Nath and Symantec's India technology sales director Tarun Kaura to understand the ramifications of the disclosures


What is the significance of this leak in terms of the overall security landscape?

Amit: Adobe Flash is a popular plug-in that many websites use to host video content. It became quite popular in the early 2000s as a way of playing videos or streaming them online, but now say that it's become more of a security liability, which has led to calls for Adobe to kill Flash. Flash vulnerabilities were recently thrust into the limelight after a zero-day exploit used by the Italy-based surveillance company Hacking Team was stolen in a recent attack, resulting in its proliferation in exploit kits used by criminals. Criminals using exploit kits typically target insecure software that's widely used, and Flash has given them an easy target for at least the past seven or eight months.

Tarun: The leaked Flash zero-day was confirmed by Symantec. This new zero-day vulnerability in Adobe Flash Player could allow attackers to remotely execute code on a targeted computer. Analysis by Symantec had confirmed the existence of this vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash Player (18.0.0.194) with Internet Explorer. The large user base of Adobe's Flash Player has raised serious cause for concern, especially because successful exploitation of this vulnerability could cause a crash and potentially allow an attacker to take control of the affected computer.
According to the recent Internet Security Threat Report by Symantec, advanced attackers continue to favor zero-day vulnerabilities to silently sneak onto victims' computers, and 2014 had an all-time high of 24 discovered zero-day vulnerabilities. In a record-setting year for zero-day vulnerabilities, it took 204 days, 22 days, and 53 days for vendors to provide a patch for the top three most exploited zero-day vulnerabilities in 2014. By comparison, the average time for a patch to be issued in 2013 was only four days. The most frightening part, however, is that the top five zero-days of 2014 were actively used by attackers for a combined 295 days before patches were available, indicating that attackers are moving faster than the company defences.

How easy is it for attackers to integrate these Flash exploits into exploit kits?

Amit: The flaw was recently revealed when a cyberattack on government-sponsored group Hacking Team leaked a series of documents that showed the Italian group using at least three unpatched Flash exploits to reportedly hack into people's accounts and take over their computers.
Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely. Things got worse when the details of the flaws were made public as it left the software open to other hacking groups as well as cybercriminals that could potentially take advantage of them. Attackers could install malware on people's computers, steal their personal details, and even monitor their keystrokes to steal passwords and more.

Tarun: Once the exploit is publicly known, it does not take long for attackers to incorporate it into their exploit kits. In the case of the recently disclosed Flash exploits from the Hacking Team breach, several exploit kits including Magnitude, Angler, Rig, Nuclear and Neutrino had easily incorporated these exploits into their exploit arsenal within a few days.

Is there a pattern found in the exploits present in the Hacking Team cache?

Tarun: There were no clear patterns that were spotted. However, it is evident that the Hacking Team were using exploits for commonly found software in an effort to maximize possible penetration of targets.

Amit: The revelations are likely to fuel the debate about the zero-day exploit market and whether it's ethical for government agencies to contribute to Internet insecurity by creating the incentive for private companies and security researchers to stockpile critical flaws for profit instead of reporting them to affected vendors.

Is there any understanding of how long users have been vulnerable to these Adobe exploits?

Amit: Apparently these exploits have been live for at least four years. While previous exploit kits have focused on vulnerabilities in Java and older versions of Microsoft Windows, the past 6 months have seen a surge in exploit kits targeting Adobe's popular Flash plug-in.

Tarun: The vulnerability proof of concept for the Adobe exploits was discovered within the Hacking Team's leaked data and was shared on Twitter. Though it may be possible that this vulnerability has previously been exploited in the wild in limited attacks, because the details of the vulnerability were made public, there is a likelihood of attackers incorporating the exploit into the exploit kits.
 
