Calls to kill Flash as third zero-day exploit found


By Dylan Bushell-Embling
Thursday, 16 July, 2015



Repercussions from the recent Hacking Team data leak keep on flowing. Trend Micro has discovered a third zero-day exploit in the data, and Facebook’s new security chief has suggested that the event shows it is time to kill off Flash.

Trend Micro said it has discovered proof-of-concept code of the new vulnerability but has not yet identified it in the wild.

Adobe has pushed out a patch for the exploits, but Trend Micro is still recommending that users exercise extra caution while using Flash.

Trend Micro also discovered a Java exploit in the Hacking Team data and noted that Flash and Java are particularly well suited to malvertising attacks, which spread malware through compromised ad servers.

“Flash and Java vulnerabilities are particularly aggressive and a favourite for exploit kit writers,” Trend Micro managing director for Asia-Pacific Dhanya Thakkar commented.

“These vulnerabilities have fuelled the resurgence of malvertising attacks, as well as ransomware including Cryptolocker. It is important to be aware that these threats can be pervasive and appropriate action be taken to guard against them.”

Facebook’s new CSO, Alex Stamos, has gone further. In a series of tweets, he called for Adobe to retire Flash.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” he said. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”

He noted that nobody is taking the time to update their tools and upgrade to HTML5, the potentially more secure alternative, because they expect Flash to continue to exist. Setting a timeline for killing off Flash, he suggested, would give them the impetus needed.

