Some stats from the Digital Identity Network in regards to the current Adobe Flash vulnerabilities
Posted July 14, 2015
Back in May last year, we provided Brian Krebs some data from our Global Intelligence Network with regard to how the Flash Player vulnerabilities are affecting users at home. See “The Mad, Mad Dash to Update Flash”.
The analysis back then was that the automated update process actually worked pretty well (especially on Chrome), but there was always a large number of people vulnerable due to the significant number of security advisories.
Back then, the usage of Flash-enabled browsers remained significantly high – much to our surprise… It seems that having lots and lots of security flaws didn’t actually impact usage. Over 80% of our customer base had Flash installed (our customer base means the end users of one of our 3,500 banking/retail/online customers).
Today, calls to deprecate the Flash Player as we know it are getting more and more frequent – on the back of three (!) critical security vulnerabilities in the last few days following the HackingTeam disclosure (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123).
It is important to note that they are actively being used by cybercriminals right now.
Alex Stamos, CISO @ Facebook, reiterated the call to deprecate the Flash Player two days ago in quite direct language.
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) on Twitter
yet another Flash Player zero day discovered in Hacking Team leak. If you haven’t done so yet, please remove or at least disable Flash
— briankrebs (@briankrebs) July 13, 2015
And many more…
So we wanted to have a fresh look into our Global Trust Intelligence Network with regard to how Flash usage has declined since then. To our surprise, Flash usage is still very high, between 75% and 80%, although there has been a significant drop in Flash Players in the last two weeks. (The drop may be partially related to Firefox changing all Flash players to Click-to-Play by default until fixes from Adobe are available.)
It will be interesting to see whether this trend will continue on the back of this publicity.
How many of these devices that have Flash enabled are vulnerable today? The answer is 100%, as Adobe hasn’t yet released a fix for the latest two vulnerabilities at the time of writing.
From a security perspective, we do fully agree that you should be reinstalling Flash.