SOS: Adobe Gets Much-Needed Help from Security Experts Worldwide

It’s a well-known fact that Adobe Flash Player is one of the least secure web clients nowadays. Its vulnerabilities put users at risk of identity theft, ransomware and other malware infections, and many other online security hazards, and it’s one of the software that has the most zero days used in targeted attacks.

Because of this, Adobe has ramped up its efforts to patch up these vulnerabilities and provide better security to its users. A lot of people have appreciated this as it shows that Adobe is serious about improving its service and keeping Flash Player users safe (even though the product’s end of life is getting nearer).

However, it’s important to note that Adobe is not the only one who’s working on improving Flash Player — many other individuals and companies have worked hand in hand with Adobe to keep cyberattacks at bay and increase user safety. This isn’t really surprising since, despite its vulnerabilities, Adobe Flash Player is still widely popular around the globe With this large user base, a successful attack can affect thousands of people all world and wreak havoc on numerous institutions.

Who’s Helping?

If you take a look at Adobe’s Security Bulletins for its security updates, you’ll see that the company acknowledges the people and organizations who have helped spot the vulnerabilities that were patched in each update.

On the latest update (which was released on June 13, 2017), Adobe thanked Jihui Lu of Tencent KeenLab for spotting and reporting two vulnerabilities (CVE-2017-3079 and CVE-2017-3081) and Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero for identifying three vulnerabilities (CVE-2017-3076, CVE-2017-3077 and CVE-2017-3078). CloverSec Labs’ bee13oy took the spot with four vulnerabilities (CVE-2017-3075, CVE-2017-3082, CVE-2017-3083, and CVE-2017-3084).

In the previous May 9 update, Lu had identified six of the vulnerabilities that the update had resolves, while Jurczyk and Silvanovich were credited for reporting CVE-2017-3068. The pair had also spotted two vulnerabilities (CVE-2017-3061 and CVE-2017-3064) that were covered by the April 11, 2017 Adobe Flash Player Update. Many of the vulnerabilities that were fixed during this update were identified by researchers who were working with the Zero Day Initiative by Trend Micro. These include CVE-2017-3063 (reported by Keen Team), CVE-2017-3062 (reported by Yuki Chen of 360 Vulcan Team), and CVE-2017-3058 (reported by bee13oy of CloverSec Labs).

Aside from Trend Micro’s Zero Day Initiative, the Chromium Vulnerability Rewards Program has also encouraged researchers to help identify Adobe vulnerabilities. Yuki Chen of 360 Vulcan Team, for instance, spotted CVE-2017-3001, CVE-2017-3002, and CVE-2017-3003 while working with the Chromium Vulnerability Rewards Program. These three vulnerabilities were fixed by the Flash Player Update that was released on March 14, 2017. For this update, Tao Yan of Palo Alto Networks reported the existence of CVE-2017-2997, CVE-2017-2998, and CVE-2017-2999, while Wang Chenyu and Wu Hongjun of Nanyang Technological University identified CVE-2017-3000.

What Does This Mean?

While the whole world is thankful that these vulnerabilities have been spotted, reported, and fixed, the fact is that Adobe doesn’t seem to have the manpower or equipment to identify security threats on its own. This can be dangerous since the list of vulnerabilities for Flash Player is still incredibly long, and it’s only a matter of time before an enterprising hacker uses one of them to do a widespread zero-day attack.

Thankfully, several organizations are here to the rescue. Search giant Google, who’s at the forefront for better online security, has lent its Project Zero team to help uncover vulnerabilities. The Zero Day Initiative and the Chromium Vulnerability Rewards Program, which both pay a certain amount to researchers who discover key vulnerabilities, are also pushing more people to look for security issues in Adobe Flash Player.