Hackers turn their back on exploiting Java, to focus on Flash flaws

The malicious hackers developing exploit kits, designed to help online criminals break into computers systems and spread malware, are keener on exploiting Adobe Flash than any other software.

That’s one of the findings of NTT Group’s newly-published “Global Threat Intelligence Report”, which has noted a marked switch in recent years as hackers have switched from exploiting Java vulnerabilities to targeting Adobe Flash Player instead.

According to NTT Group’s report, all of the top top 10 vulnerabilities targeted by exploit kits during 2015 were related to Adobe Flash, which has a long and troubled history of poor security.

Sign up to our newsletter
Security news, advice, and tips.

That compares to Flash only having one entry in 2013’s list of top 10 vulnerabilities, compared to eight for Java.

A graph, showing the technology targeted by exploit kits over the years, shows that there has been a dramatic increase in the targeting of Flash, with it being by far the most attacked by exploit kits in 2015.

New Java exploits, meanwhile, have virtually disappeared as the platform’s security saw significant improvements (such as the blocking of unsigned applets by default) in 2014.

Many companies are waking up to the dangers that Adobe Flash can bring into the workplace, but clearly are not ready to completely get rid of the troubled software despite the largest ever number of Flash vulnerabilities being discovered in 2015, an almost 312% increase over 2014.

Despite the depressing figures, it’s clear that companies’ security worries don’t end with trying to keep bug-ridden Adobe Flash updated. According to NTT Group’s report, nearly 21% of vulnerabilities detected on networks are over three years old.

Indeed, a staggering 12% were over five years old, and more than 5% percent were more than – wait for it – 10 years old. The researchers discovered vulnerabilities (with a Common Vulnerability Scoring System (CVSS) score of 4.0 or higher) that dated back as far as 1999, making them over 16 years old.

With statistics like that it’s clear that hackers can continue to exploit vulnerabilities and security holes on corporate networks, long long after patches are made available by vendors.

This article first appeared on the HEAT Security blog.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.