Hackers turn their back on exploiting Java, to focus on Flash flaws

The malicious hackers developing exploit kits, designed to help online criminals break into computer systems and spread malware, are keener on exploiting Adobe Flash than any other software.

That’s one of the findings of NTT Group’s newly-published “Global Threat Intelligence Report”, which notes a marked shift in recent years as hackers have moved from exploiting Java vulnerabilities to targeting Adobe Flash Player instead.

According to NTT Group’s report, all of the top 10 vulnerabilities targeted by exploit kits during 2015 were related to Adobe Flash, which has a long and troubled history of poor security.

By comparison, Flash had only one entry in 2013’s list of top 10 vulnerabilities, against eight for Java.

A graph of the technologies targeted by exploit kits over the years shows a dramatic increase in the targeting of Flash, which was by far the most attacked by exploit kits in 2015.

[Image: Exploit kit targets]

New Java exploits, meanwhile, have virtually disappeared as the platform’s security saw significant improvements (such as the blocking of unsigned applets by default) in 2014.

Many companies are waking up to the dangers that Adobe Flash can bring into the workplace, but clearly are not ready to completely get rid of the troubled software despite the largest ever number of Flash vulnerabilities being discovered in 2015, an almost 312% increase over 2014.

[Image: Adobe vulns]

Despite the depressing figures, it’s clear that companies’ security worries don’t end with trying to keep bug-ridden Adobe Flash updated. According to NTT Group’s report, nearly 21% of vulnerabilities detected on networks are over three years old.

Indeed, a staggering 12% were over five years old, and more than 5% were more than – wait for it – 10 years old. The researchers discovered vulnerabilities (with a Common Vulnerability Scoring System (CVSS) score of 4.0 or higher) that dated back as far as 1999, making them over 16 years old.

With statistics like that, it’s clear that hackers can continue to exploit vulnerabilities and security holes on corporate networks long, long after patches are made available by vendors.

This article first appeared on the HEAT Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
