Exploit kit writers turn away from Java, go all-in on Adobe Flash

Exploit kit writers are no longer fussed about Java vulnerabilities, focusing their attention almost entirely on Adobe Flash. All of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash, according to a new study [PDF] from NTT Group. In 2013, by contrast, the top 10 vulnerabilities …

  1. MrMur

    Why oh why....

    ... do websites insist on still making us use this outdated liability of a piece of software.

    1. Gene Cash Silver badge

      Re: Why oh why....

      Because browser support for HTML5 is STILL crap?

    2. chivo243 Silver badge

      Re: Why oh why....

      @MrMur

      Maybe Adobe is on the take? Why plug a cash cow?

    3. Dan 55 Silver badge

      Re: Why oh why....

      Perhaps this website could explain why.

    4. Bob Dole (tm)

      Re: Why oh why....

      Because most web site developers are dumb as a box of rocks when it comes to security. For the vast majority of them security is the network admin's job.

      Of the ones that even bother to consider security as a project requirement, most think they just need to hash passwords or turn on SSL. The ones that realize that security requires a fairly deep holistic approach are, unfortunately, few and far between and charge more than "off shore" developers.

  2. Duncan Macdonald Silver badge

    One type of malware infects another type of malware

    Remove the malware called Flash from your PCs and you are immune to the malware that uses Flash.

    1. regadpellagru

      Re: One type of malware infects another type of malware

      "Remove the malware called Flash from your PCs and you are immune to the malware that uses Flash."

      Problem is: many, far too many web sites require Flash as I'm writing this.

      Removing Flash as I've done many moons ago means you're basically out of those sites.

      That's ok, for me (IGN, man, why, fucking why ????), but could be more problematic for others ....

      Thankfully, YouTube made the wise move, months ago.

      1. thames

        Re: One type of malware infects another type of malware

        @regadpellagru - "Problem is: many, far too many web sites require Flash as I'm writing this."

        None of the sites that I go to use it for anything other than ads. I haven't installed Flash in years. I used to use a dedicated video plug-in for YouTube, but stopped even using that when YouTube went to HTML5.

        The sites that require Flash these days are incredibly niche, and I can't think of a single one off the top of my head other than a few video players (I think BBC still uses it, although they are supposedly ditching it), and I don't use any of those (BBC would block me due to location anyway).

        The bottom feeding end of the ad-flinging market seems to be the main hold out for Flash, and quite frankly I can't see any reason to install Flash just for their benefit.

        A few web sites still do Flash detection to service users who have ancient PCs running Windows XP with IE 6, but they serve up HTML5 for people without Flash. If you have Flash installed you may not be able to tell if the site genuinely requires Flash, or if you're just getting the "legacy" version because it detected Flash.

  3. Anonymous Coward

    More of a question is why are so many new Flash vulnerabilities found? Clearly Java is a platform with ongoing development, but are Adobe really continuing to develop Flash? Or are these long-buried vulnerabilities which are only now still coming to the surface?

    1. Anonymous Coward

      Flash was one of the pioneers of software development outsourcing to a certain subcontinent and the results speak for themselves.

  4. gollux
    Mushroom

    It's time for a change...

    start looking for HTML5 vulnerabilities, our cash cows, Java and Flash are being taken away from us.

    Oh, and Apple's still recommending Quicktime installation despite the somewhat nebulous security warning from them about their abandonware.

    Respectfully,

    Grott E. Hacker

  5. Mage Silver badge
    Devil

    Flash and Java.

    Both disabled by default. No site is whitelisted for Flash as even BBC.com has served malware.

    Only whitelisted Javascript.

    While loads of sites use Flash and Javascript, I can't remember the last time a website wanted actual Java, so it's surprising ANY malware writers bother with it. Flash is the low hanging fruit, followed by hijacking an advertiser's domain and thus getting "reputable" web sites to distribute malware via Javascript because most people either don't run Noscript or enable whole page rather than whitelisting important bits. Some sites (Twitter, Google, Facebook etc) only get temporarily enabled for session, because of the evil tracking scripts in the buttons/icons people sprinkle on their sites.

    It would be better if the icon was static HTML with an argument. But that would not suit the parasites.

    If a website wants me to see an advert, it's simple. Put a static jpeg + text ON YOUR OWN SERVER you moron!

    Otherwise I will block it FOREVER.

    1. Anonymous Coward

      Re: Flash and Java.

      " I can't remember the last time a website wanted actual Java"

      Come to Scandinavia, it is pretty much a requirement to have Java in Denmark in order to interact with a bank or the government.

      1. Anonymous Coward

        Re: Flash and Java.

        And in Spain. It's absolutely appallingly bad Java too. Worse it is Oracle Java only (OpenJava won't run their applets). And at times they force you to use .pdf that only Adobe can read (XFA forms). It's like dealing with IT from the dark ages, mostly because they have to make the online form like the paper one so they can print it out to file it (I kid you not!).

  6. Florida1920 Silver badge
    Holmes

    Top 10 Vulnerabilities Are Related To Flash

    Better: "Top 10 Reasons To Uninstall Flash."

  7. Nate Amsden Silver badge

    i like flash

    I would prefer more advertisers use it, since flash is click to run anyway, I hardly ever see it. Or if browsers would somehow make html5 animations and video etc click to run as well that could work too.

    The only thing I can think of that I need flash for on a semi regular basis is Bank of America ShopSafe

    https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go

    1. John Tserkezis

      Re: i like flash

      "https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go"

      From that website:

      "Please note that ShopSafe requires you to have Adobe Flash installed on your computer."

      I have to give it to them. They have the testicles to mention "Safe" and "Adobe Flash" in the same sentence...

  8. asdf Silver badge

    if you absolutely must use Flash

    Then at the very least don't install their shitty plugin but simply use Chrome browser which has it sandboxed by default in the browser. To be (somewhat) safe you will want to run that bad boy in a VM with a snapshot you revert back after asking to get wtfpwnt.

  9. joed

    now included on all new Windows boxes

    with MS playing catch up game, such a great idea to support obsolete standard

  10. Walter Bishop Silver badge
    Joke

    Top vulnerabilities related to Adobe Flash

    The only viable solution is to totally ban Adobe Flash from the Intertubes.
