21 July 2015

F-Secure Joins Calls to Kill Flash

F-Secure security researchers recommend businesses migrate away from Adobe's Flash plug-in following a recent surge in Flash-based exploits.

Helsinki, Finland - July 21, 2015: F-Secure Labs has discovered a recent surge in the number of exploits targeting Adobe's Flash plug-in. Given the consistent use of Flash vulnerabilities in crimeware, F-Secure is adding their voice to other security researchers suggesting that Adobe and other companies reconsider using the popular plug-in.

Flash vulnerabilities were thrust into the limelight after a zero-day exploit used by the Italy-based surveillance company Hacking Team was stolen in a recent attack, resulting in its proliferation in exploit kits used by criminals. According to F-Secure Labs, detections of Flash exploits from exploit kits increased by 82% in the days following the attack.* Researchers are attributing this increase to the adoption of the zero-day exploit stolen in the hack, as well as the subsequent discovery of two additional zero-day exploits.** Consequently, security researchers are becoming more vocal in their criticism of Flash's security flaws.***

"Criminals using exploit kits typically target insecure software that's widely used, and Flash has given them an easy target for at least the past seven or eight months," said F-Secure Senior Researcher Timo Hirvonen. "Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely."

Businesses Need to Better Manage Flash-Based Risks

Exploit kits are sets of tools that criminals use to create crimeware campaigns, and they largely attempt to infect computers with malware that exploits vulnerabilities in software. Exploit kits have historically been proficient at exploiting vulnerabilities in Java and older versions of Microsoft Windows, but exploits targeting Flash have become more prominent in 2015.

According to F-Secure Security Advisor Sean Sullivan, businesses need to pay closer attention to how employees expose themselves to online threats by carelessly browsing the web. "I characterize Flash as a low-hanging fruit because it's become such a popular target for opportunistic attacks," he said. "Businesses need to be proactive about protecting their employees from this threat. F-Secure's software is able to detect these exploits, and products like Software Updater ensure Flash and similar applications are promptly patched as soon as new vulnerabilities are discovered."

Software Updater is a feature offered on F-Secure's Business Suite and Protection Service for Business lines of corporate security products. F-Secure Booster is a consumer-oriented product that people can use to protect themselves from exploit kits by keeping their personal Windows PCs updated with the latest security patches.

*Source: F-Secure Labs detection statistics from June 25, 2015 to July 14, 2015.

**Source: https://www.f-secure.com/weblog/archives/00002819.html

***Source: http://www.scmagazineuk.com/updated-facebook-cso-calls-time-on-flash-after-hacking-team-breach/article/426224/

More information:

Software Vulnerabilities Continue to Supply Criminals with Exploits

Low Hanging Fruit: Flash Player

F-Secure - Switch on freedom

F-Secure has been defending tens of millions of people around the globe from digital threats for over 25 years. Our award-winning products protect people and companies against everything from crimeware to corporate cyberattacks, and are available from over 6000 resellers and 200 operators in more than 40 countries. We're on a mission to help people connect safely with the world around them, so join the movement and switch on freedom!

Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

F-Secure media relations

Adam Pilkey

+ 358 40 6378859
