Tag Archives: Exploits

Adobe Flash Player 2019 Update Tracker

In a similar manner to previous years, this post will track the number of vulnerabilities patched within Adobe Flash for 2019. This will be the penultimate year of tracking these numbers since Flash Player is due to be decommissioned in 2020.

As always this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild. Apologies for not making this 2019 tracker available sooner.

Thank you.

=======================
8th January 2019: Adobe releases Flash Player v32.0.0.114. This update is a non-security update addressing only feature and performance bugs.

12th February: Adobe releases Flash Player v32.0.0.142 resolving 1x priority 2 CVE.

12th March: Adobe have not released any Flash Player updates this month.

12th March 2019: Adobe makes available Flash Player v32.0.0.156 to resolve non-security bugs only.

9th April 2019: Adobe releases Flash Player v32.0.0.171 resolving 2x priority 2 vulnerabilities (CVEs) (1x Critical and 1x Important severity).

14th May 2019: Adobe releases Flash Player v32.0.0.192 to resolve a single critical CVE.

11th June 2019: Adobe releases Flash Player v32.0.0.207, just like last month, to resolve a single critical CVE.

9th July 2019: Adobe has not released any Flash Player updates this month.

13th August 2019: Just like last month, Adobe has not released any Flash Player updates this month.

10th September 2019: Adobe has released Flash Player v32.0.0.255 to resolve 2x critical vulnerabilities.

=======================
Update: 19th February 2019: The timeline was created to include the Adobe Flash Player updates for January and February 2019. At the time of writing no exploits for the issue fixed by the February update are known to be taking place.

Update 12th March 2019: The timeline was updated to reflect that Adobe did not issue Flash Player updates this month.

Update: 21st March 2019: The timeline was updated to reflect that Adobe did publish a Flash Player update for March 2019 but it is a non-security update.

Update: 10th April 2019: The timeline was updated to include the Adobe Flash Player updates for April 2019. At the time of writing no exploits for the issues fixed by the April update are known to be taking place.

Update: 12th June 2019: The timeline was updated to include the Adobe Flash Player updates for May and June 2019. At this time no exploits for the issues resolved in either month are known to be currently taking place.

Update: 9th July 2019: The timeline was updated to state Adobe did not release a Flash Player update for July 2019.

Update: 13th August 2019: The timeline was updated to state Adobe did not release a Flash Player update for August 2019.

Update: 10th September 2019: The timeline was updated to add a Flash Player update for September 2019. At the time of writing, the two vulnerabilities it resolves are not known to be exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives).
=======================

Adobe Flash Player 2018 Update Tracker

Just like the 2015 and 2016 tracker and the 2017 tracker, which are incredibly popular on this blog, I am providing the same information below for the year 2018.

I have created a new post to make the timeline easier to follow. As before it will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
9th January: Adobe releases Flash Player v28.0.0.137 resolving 1x priority 2 CVE (defined).

6th February: Adobe releases Flash Player v28.0.0.161 resolving 2x priority 1 CVEs. Please see the timeline update for the 13th of April (below) for more information on how one of these vulnerabilities is now being exploited.

13th March: Adobe releases Flash Player v29.0.0.113 resolving 2x priority 2 CVEs.

10th April: Adobe releases Flash Player v29.0.0.140 resolving 6x priority 2 CVEs.

8th May 2018: Adobe releases Flash Player v29.0.0.171 resolving 1x priority 2 CVE.

7th June 2018: Adobe releases Flash Player v30.0.0.113 resolving 4x CVEs with an overall priority of 1.

10th July 2018: Adobe releases Flash Player v30.0.0.134 resolving 2x CVEs with an overall priority of 2.

14th August 2018: Adobe releases Flash Player v30.0.0.154 addressing 5x CVEs with an overall priority of 2.

11th September 2018: Adobe releases Flash Player v31.0.0.108 addressing 1x CVE with an overall priority of 2.

14th November 2018: Adobe releases Flash Player v31.0.0.148 addressing 1x priority 2 CVE.

5th December 2018: Adobe releases Flash Player v32.0.0.101 addressing 2x priority 1 CVEs. CVE-2018-15982 was being exploited by an APT group.
=======================

Update: 10th January 2018: The timeline was updated to add the Adobe Flash Player update for January 2018. At the time of writing no exploits for the issue fixed by this update are known to be taking place.

Update: 13th February 2018: The timeline was updated to add the Adobe Flash Player update for February. One of these vulnerabilities, CVE-2018-4878, is a zero day (defined) vulnerability being exploited in targeted attacks.

Update: 13th March 2018: The timeline was updated to add the Adobe Flash Player update for March. At the time of writing neither of the 2 vulnerabilities fixed are being exploited.

Update 1st April 2018: No further vulnerabilities within Flash Player were disclosed during the Pwn2Own 2018 competition.

Update 13th April 2018: The timeline was updated to add the Adobe Flash Player update for April. At the time of writing none of the 6 vulnerabilities fixed are being exploited.

Update 8th May 2018: The timeline was updated to add the Adobe Flash Player update for May. Similar to April, at the time of writing the resolved vulnerability is not being exploited.

CVE-2018-4878, the use after free (defined) vulnerability resolved by Adobe in February, is now being used by the ThreadKit exploit kit (defined) to send Microsoft Office documents exploiting this flaw. Please update Adobe Flash Player if you have it installed and do not open any document attached to an email you weren’t expecting. Further details are available in this news article.

Update: 12th June 2018: The timeline was updated to add the Adobe Flash Player update for June. This was released ahead of schedule on the 7th of June. This update resolved a zero day vulnerability (defined) CVE-2018-5002 which required little to no user interaction to trigger. Further details are available in my separate blog post.

Update: 27th July 2018: A US Senator has asked for 3 government agencies to cease using Adobe Flash by August 2019, in advance of the deadline set by Adobe of the end of 2020. The timeline was also updated to include the Adobe Flash Player update for July.

Update 23rd August 2018: The timeline was updated to add the Adobe Flash Player update for August. At the time of writing none of the 5 addressed vulnerabilities are being exploited.

Update 9th October 2018: The timeline was updated to add the Adobe Flash Player update for September (sorry for the delay). At the time of writing the addressed vulnerability is not being exploited. No updates for October 2018 have been issued.

Update 14th November 2018: The timeline was updated to add the Adobe Flash Player update for November. At the time of writing the addressed vulnerability is not being exploited. No updates for October 2018 were issued.

Update: 11th December 2018: The timeline was updated to add the Adobe Flash Player update for December. Further details of how the patched vulnerability CVE-2018-15982 was used in an APT attack are linked to above. Thank you.

=======================

Adobe Flash Player 2017 Update Tracker

In a similar manner to the 2015 and 2016 tracker that was incredibly popular on this blog, I am providing the same information below for the year 2017.

I have created a new post to make the timeline easier to follow. It will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
10th January: Adobe releases Flash Player v24.0.0.194 resolving 13 CVEs.

14th February: Adobe releases Flash Player v24.0.0.221 again resolving 12 CVEs.

14th March: Adobe releases Flash Player v25.0.0.127 resolving 8 CVEs.

11th April: Adobe releases v25.0.0.148 resolving 7 CVEs (including some from Pwn2Own 2017).

9th May: Adobe releases Flash Player v25.0.0.171 resolving 7 CVEs.

13th June: Adobe releases Flash Player v26.0.0.126 resolving 9 CVEs.

11th July: Adobe releases Flash Player v26.0.0.137 resolving 3 CVEs. It’s refreshing to see such a small number of CVEs being patched. However it will be interesting to see if this trend continues next month.

8th August: Adobe releases Flash Player v26.0.0.151 resolving 2 CVEs. Similar to last month the number of vulnerabilities is low. It’s not yet clear if this is due to Adobe’s recent announcement to de-commission Flash Player in 2020.

12th September 2017: Adobe have released Flash Player v27.0.0.130 to resolve 2 critical CVEs. Similar to recent months the number of vulnerabilities being addressed remains low.

16th October 2017: Adobe released Flash Player v27.0.0.170 to resolve 1 critical CVE being exploited by the BlackOasis APT group.

14th November 2017: Adobe releases Flash Player v27.0.0.187 to resolve 5 critical CVEs. No known exploits for these issues were observed at the time of release or following the release.

12th December 2017: Adobe releases Flash Player v28.0.0.126 to fix 1 moderate CVE. As for November, no known exploits were used to target this vulnerability.

=======================

Update: 10th January 2017: The timeline was updated to add the Adobe Flash Player update for January 2017. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 14th February 2017: The timeline was updated to add the Adobe Flash Player update for February 2017. At this time no exploits for the issues fixed by this update are known to be taking place.

Update: 14th March 2017: The timeline was updated to add the Adobe Flash Player update for March 2017. At this time no exploits for the issues fixed by this update are known to be taking place. With Pwn2Own 2017 due to take place this month, expect more updates soon.

Update: 11th April 2017: The timeline was updated to add the Adobe Flash Player update for April 2017. As before, at the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 8th May 2017: I have corrected the number of vulnerabilities addressed in the February and March updates mentioned above. While the numbers I originally listed were correct at the time of writing, Adobe subsequently revised them. The end of the February and March bulletins highlight the revisions made by Adobe. I will endeavor to update these entries sooner in future.

Update: 9th May 2017: The timeline was updated to add the Adobe Flash Player update for May 2017. At this time, no exploits for the issues fixed by this update are known to be taking place.

Update: 14th June 2017: The timeline was updated to add the Adobe Flash Player update for June 2017. At the time of writing, no exploits for the issues fixed by this update are known to be taking place.

Update: 11th July 2017: The timeline was updated to add the Adobe Flash Player update for July 2017. Just like for June 2017, no exploits for the issues fixed by this update are known to be taking place.

Update: 8th August 2017: The timeline was updated to add the Adobe Flash Player update for August 2017. As before, no exploits for the issues fixed by this update are known to be taking place.

Update: 12th September 2017: The timeline was updated to include the Adobe Flash Player updates for September 2017. Similar to last month, no exploits for the issues fixed by this update are known to be taking place at this time.

Update: 18th October 2017: The timeline was updated to include the Adobe Flash Player updates for October 2017. It addresses a zero day vulnerability known to be under exploit.

Update: 26th December 2017: The timeline was updated to include the Adobe Flash Player updates for November and December 2017. Sorry for the delay in updating this.

Sophos Report on Angler Exploit Kit

Update: 7th September 2015:
A recent report from Cisco, discussed further in this article, describes the increasing prevalence and success of the Angler exploit kit due to it quickly integrating newly disclosed security vulnerabilities, its use of domain shadowing and a delay in Adobe Flash users installing security updates.
=======================
Original Post:

With the recent disclosure of several Adobe Flash zero day (zero day, defined) security vulnerabilities which were quickly taken advantage of by attackers using malware exploit kits, it is becoming more important to know how to defend against these attacks.

This Sophos report provides a detailed analysis of how the exploit kits operate, with a specific emphasis on the most prevalent exploit kit, the Angler exploit kit. At the end of the report, in the comments section, Sophos describes the recommended actions to take to prevent such attacks occurring, either by your website becoming compromised or by the exploit kit attacking one of your computing devices. I have also highlighted these recommendations below (my thanks to Sophos for providing them):

  • Uninstall browser plugins such as Adobe Flash and/or Microsoft Silverlight if you don’t use them. However if you do make use of them, consider having more control over their usage (e.g. Click to Play, supported by all browsers except Internet Explorer).
  • Keep your operating system e.g. Linux, Apple Mac OS X or Windows and your most used programs up to date and install all security updates made available for them. I discuss updating/patching within the “Protecting Your PC” page.
  • Install anti-malware software. Both paid for and free versions are available (e.g. Malwarebytes, Avast, Microsoft Security Essentials etc.). Apple Mac OS X and Linux versions are also available (the provided links are examples of the many products available). Please choose a package that meets your needs in terms of functionality and price. Products which include heuristics (heuristics, defined) should have more success in preventing these attacks from infecting your devices.

The exploits delivered by these exploit kits seek to evade detection by using obfuscation (further information on obfuscation techniques) and by building a unique exploit for each request received to access the exploit website, which makes the detection of these threats using anti-malware software increasingly difficult. Anti-sandbox techniques (e.g. detecting virtual machines and tools such as Fiddler) are also used to make analysis of the exploit samples more difficult for malware researchers seeking to build detections against them.

In addition to the recommendation of using anti-malware software, in corporate environments next-generation IPS (NGIPS) (Intrusion Prevention Systems, defined) can be used to detect these exploits as they attempt to attack your devices.

Within the Sophos report a technique is mentioned that was employed by the attackers using exploit kits to bring traffic to websites of their choice; this technique is known as DNS shadowing. This is a technique where a legitimate website's domain name (www-example.com) is used to create subdomains (e.g. random.malware.example.com or malware.example.com) that can then be used by the attackers. These subdomains have a very short lifetime (e.g. a matter of minutes), which makes them difficult to predict and block using blacklists (lists of IP addresses or domain names, e.g. www-example.com, that are blocked because those addresses or domains send spam or host malware that is delivered to the visitors of such websites).

These subdomains can be created since the login credentials for the domain registration e.g. from companies such as GoDaddy have been compromised by the attackers. Since many website owners infrequently check these accounts it makes them more susceptible to being compromised without being noticed. These accounts initially become compromised by a phishing attack. As well as using the advice within the phishing article linked to above, as per Sophos’ advice the following would be recommendations to detect and prevent such occurrences of your domain registration account becoming compromised:

  1. Send email notifications after DNS changes: This will allow you to take action to re-secure your account e.g. changing your password and/or enabling two-factor authentication.
  2. Implement two-factor authentication: This article explains how to enable this feature for GoDaddy accounts.
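
One way to notice shadowed subdomains yourself is to compare the records currently in your zone against the last snapshot you reviewed. The following is an added example, not code from the Sophos report or from this post; the names Record and audit_zone, the trusted address range and the sample records are all constructed for illustration (they use documentation-only addresses).

```python
"""Diff two snapshots of a zone's DNS records and flag unexpected subdomains."""
import ipaddress
from typing import NamedTuple


class Record(NamedTuple):
    name: str   # fully qualified host name
    rtype: str  # record type, e.g. "A" or "CNAME"
    value: str  # IP address or target host name
    ttl: int    # time to live, in seconds


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def _is_external(value, networks):
    """True if value is an IP address outside every trusted network."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP address (e.g. a CNAME target)
    return not any(ip in net for net in networks)


def audit_zone(baseline, current, trusted_cidrs, low_ttl=300):
    """Return (severity, name, reason) for every record not in the baseline."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    known_names = {_norm(r.name) for r in baseline}
    known_records = {(_norm(r.name), r.rtype, r.value) for r in baseline}
    findings = []
    for rec in current:
        name = _norm(rec.name)
        if (name, rec.rtype, rec.value) in known_records:
            continue  # unchanged since the last reviewed snapshot
        reasons = ["new host name" if name not in known_names else "record changed"]
        external = _is_external(rec.value, networks)
        if external:
            reasons.append("address outside trusted networks")
        if rec.ttl <= low_ttl:
            reasons.append(f"short TTL ({rec.ttl}s)")
        severity = "high" if external else "review"
        findings.append((severity, name, ", ".join(reasons)))
    return findings


# Constructed sample data: the address range the site owner actually uses,
# the last reviewed snapshot, and a later snapshot with two additions.
TRUSTED = ["198.51.100.0/24"]
BASELINE = [
    Record("example.com", "A", "198.51.100.10", 3600),
    Record("www.example.com", "A", "198.51.100.10", 3600),
    Record("mail.example.com", "A", "198.51.100.25", 3600),
]
CURRENT = BASELINE + [
    Record("shop.example.com", "A", "198.51.100.20", 3600),
    Record("random.malware.example.com", "A", "203.0.113.50", 60),
]

if __name__ == "__main__":
    for severity, name, reason in audit_zone(BASELINE, CURRENT, TRUSTED):
        print(f"[{severity}] {name}: {reason}")
```

Because shadowed subdomains may exist for only minutes, a snapshot comparison misses any record that is created and deleted between two snapshots. Treat it as a supplement to the provider's own change notifications and account protections, not a replacement.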

The above 3 suggestions from Sophos (in addition to the use of NGIPS for corporate environments) along with the advice concerning the protection of your domain registration accounts should keep you safe from this prevalent and sophisticated exploit kit.

Thank you.

Time From Patch To Exploit Narrowing For Adobe Flash

====================
Update: 10th January 2017:
For the 2017 Adobe Flash update timeline, please see this blog post. Thank you.

====================

2015 has been a busy year so far for Adobe with regard to the number and severity of Flash Player security vulnerabilities (flaws). This is demonstrated in the timeline below:

=======================
Aside:
What is a Common Vulnerabilities and Exposure (CVE) number?
Throughout this post I mention Common Vulnerabilities and Exposures (CVE) identifiers. These numbers serve as a standardized means of naming/identifying security vulnerabilities. Please note that one CVE does not always correspond to a single flaw. More information on CVE identifiers is available from here.
=======================
2015:
13th January: Adobe releases Flash Player v16.0.0.257 resolving 9 CVEs.

21st January: A zero day flaw (i.e. a flaw that has no update to resolve it and was previously unknown) CVE-2015-0310 was discovered by a well-known French malware researcher known as “Kafeine”.

22nd January: Adobe releases Flash Player v16.0.0.287 to resolve the above flaw.

22nd January: A new zero day flaw CVE-2015-0311 was then being exploited by the same Angler exploit kit.

24th January: Adobe releases Flash Player v16.0.0.296 to resolve CVE-2015-0311.

27th January: Flash Player v16.0.0.296 made available to Google Chrome and Internet Explorer users of Windows 8.0 and 8.1.

2nd February: Another zero day flaw CVE-2015-0313 was discovered being used by the Angler exploit kit.

4th February: Adobe releases Flash Player v16.0.0.305 to resolve CVE-2015-0313 as well as 18 other CVEs.

5th February: Flash Player v16.0.0.305 made available to Google Chrome and Internet Explorer users of Windows 8.0 and 8.1.

12th March: Adobe releases Flash Player v17.0.0.134 resolving 11 CVEs.

19th March: The Nuclear Exploit kit incorporated an exploit for CVE-2015-0336. A day later the Angler Exploit kit did the same.

14th April: Adobe releases Flash Player v17.0.0.169 resolving 22 CVEs. It appears that all 3 flaws discovered in Flash at the Pwn2Own 2015 competition were patched by Adobe in this update.

17th April: The Angler Exploit kit incorporated an exploit for CVE-2015-0359.

12th May: Adobe releases Flash Player v17.0.0.188 resolving 18 CVEs.

26th May: FireEye detects the Angler Exploit kit beginning to exploit CVE-2015-3090.

9th June: Adobe releases Flash Player v18.0.0.160 resolving 14 CVEs.

23rd June: Adobe releases Flash Player v18.0.0.194 resolving 1 CVE already being exploited by an APT group as reported by FireEye.

28th June: The Magnitude Exploit Kit begins to use the recently patched Adobe zero day flaw to install Cryptowall ransomware.

8th July: Adobe releases Flash Player v18.0.0.203 resolving 37 CVEs including an issue already being exploited in the wild by 3 exploit kits.

14th July: Adobe releases Flash Player v18.0.0.209 resolving 2 CVEs. Exploit kits were exploiting these flaws from the 11th of July onwards. In addition, an APT gang known as Darkhotel exploited a Hacking Team zero day flaw that was patched by Adobe in July.

11th August: Adobe releases Flash Player v18.0.0.232 resolving 35 CVEs.

21st September: Adobe releases Flash Player v19.0.0.185 resolving 23 CVEs.

13th October: Adobe releases Flash Player v19.0.0.207 resolving 21 CVEs.

16th October: Adobe releases Flash Player v19.0.0.226 resolving 3 CVEs. One of these, CVE-2015-7645, a zero day vulnerability, was being exploited by malicious hackers known as Pawn Storm in targeted attacks.

10th November: Adobe releases Flash Player v19.0.0.245 resolving 17 CVEs.

8th December: Adobe releases Flash Player v20.0.0.228 resolving 79 CVEs.

28th December: Adobe releases Flash Player v20.0.0.267 resolving 19 CVEs.

=======================
2016:
9th February 2016: Adobe releases Flash Player v20.0.0.306 resolving 22 CVEs.

10th March 2016: Adobe releases Flash Player v21.0.0.182 resolving 23 CVEs.

7th April 2016: Adobe releases Flash Player v21.0.0.213 addressing 24 CVEs.

12th May 2016: Adobe releases Flash Player v21.0.0.242 addressing 25 CVEs.

16th June 2016: Adobe releases Flash Player v22.0.0.192 addressing 36 CVEs.

12th July 2016: Adobe releases Flash Player v22.0.0.209 addressing 52 CVEs.

13th September 2016: Adobe releases Flash Player v23.0.0.162 addressing 29 CVEs. No Flash Player update was made available in August 2016.

11th October 2016: Adobe releases Flash Player v23.0.0.185 addressing 12 CVEs. At this time none of these vulnerabilities are being exploited.

26th October 2016: Adobe releases Flash Player v23.0.0.205 addressing 1 CVE. This was an unscheduled update to patch a zero day (defined) vulnerability that was under attack in the wild.

8th November 2016: Adobe releases Flash Player v23.0.0.207 addressing 9 CVEs. None of these vulnerabilities at this time are being used in attacks.

13th December 2016: Adobe releases Flash Player v24.0.0.186 addressing 17 CVEs. One of these issues is a zero day (defined) that is already under attack against Internet Explorer (32 bit) users.

=======================
Update: 2nd June 2015: The above timeline has been updated to include Adobe’s May Flash player update and the Angler Exploit kit’s response to that patch.

Update: 24th June 2015: The above timeline has been updated to include Adobe’s scheduled June security patch and their out of band Flash player update issued on the 23rd of June due to a zero day flaw.

Update: 29th June 2015: Well-known malware researcher Kafeine has discovered the flaw patched by Adobe only 4 days ago is being exploited by the Magnitude Exploit Kit.

Update: 8th July 2015: The above timeline has been updated to include Adobe’s out of band Flash Player update issued today. It includes fixes for a zero day vulnerability as well as 36 other security vulnerabilities.

Update: 20th July 2015: The above timeline now includes Flash Player updates addressing all 3 of the Hacking Team zero day vulnerabilities.

Update: 12th August 2015: The timeline was updated to add the Adobe Flash Player August security update. The Darkhotel APT gang was added to the final July entry.

Update: 22nd September 2015: The timeline was updated to add the Adobe Flash Player September security update. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 18th October 2015: The timeline was updated to add the Adobe Flash Player updates for October 2015.

Update: 10th November 2015: The timeline was updated to add the Adobe Flash Player updates for November 2015. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 8th December 2015: The timeline was updated to add the Adobe Flash Player updates for December 2015. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 29th December 2015: The timeline was updated to add further Adobe Flash Player updates for December 2015 (originally scheduled for January 2016). At the time of writing limited targeted attacks are exploiting a zero day (defined) vulnerability that these updates address. Please see this more recent blog post for further details.

Update: 13th February 2016:
The timeline was updated to add the Adobe Flash Player updates for February 2016. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 13th March 2016:
The timeline was updated to add the Adobe Flash Player updates for March 2016. The update was delayed from the 8th of March in order to include CVE-2016-1010 which is a zero day (defined) vulnerability already under attack. Further details are available in this Qualys blog post.

The April update addressed a vulnerability that was being leveraged by the Magnitude Exploit kit (defined within this post you are reading) in order to infect devices/systems with ransomware (defined), specifically the Cerber and Locky variants.

The May update addressed 25 CVEs including a zero-day vulnerability (defined) that was being exploited in the wild. Finally, the June 2016 update addressed 36 CVEs including another zero-day vulnerability, this time being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging to high profile targets.

Update: 17th June 2016:
The timeline was updated to add the Adobe Flash Player updates for April, May and June 2016. Sorry for not updating this sooner.

Update: 15th September 2016:
The timeline was updated to add the Adobe Flash Player updates for July and September 2016.

Update: 12th October 2016:
The timeline was updated to add the Adobe Flash Player updates for October 2016.

Update: 2nd November 2016:
The timeline was updated to add an emergency Adobe Flash Player update for October 2016. The vulnerability it addresses is now being used in attacks in combination with a local elevation of privilege vulnerability within Windows that is scheduled to be patched on the 8th of November. Further details are available in a more recent post.

Update: 9th November 2016:
The timeline was updated to add the Adobe Flash Player updates for November 2016.

Update: 13th December 2016:
The timeline was updated to add the Adobe Flash Player updates for December 2016.

=======================

Aside 2:
What is an exploit kit?
I have also mentioned the term exploit kits extensively in this post. Exploit kits are packs/kits/sets of exploits that can be purchased on the black/underground market of the internet to be used for delivering malware or any payload of your choice to users with computers/devices that have vulnerable software installed. These exploits usually happen as drive by downloads within your web browser but some exploits may require some user interaction/assistance to compromise your device.

For more information on exploit kits I would recommend viewing this still relevant video from 2011 and this article from Kaspersky.
=======================

While it was good news to learn that Flash Player v16.0.0.287, when used with Windows 8.1, incorporated a new security mitigation, Control Flow Guard (CFG), built into Windows 8.1 Update (the mitigation was added in November 2014, and is also included with EMET 5.2 and Windows 10 Technical Preview), it was quickly bypassed following the publishing of an example bypass by Core Security. This bypass was not intended to be used maliciously; it was provided as a proof of concept, but exploit kits now use this technique to their advantage. This, in addition to common evasion techniques such as obfuscation (e.g. encrypting the malware payload with a different key, compressing the malware or simply changing a byte of the exploit's file header), can make these exploits harder to detect and prevent.

From the above information I would recommend that Adobe Flash Player updates are applied as soon as possible after their availability (usually the same day as Microsoft’s security updates on the second Tuesday of each month, 12th May for this month).

I have not encountered a Flash update causing issues with any Flash files, but if you rely on Flash for critical business functions, update a test system to check if it is causing any issues before more widely deploying the Flash updates. Given that exploits are available as quickly as 3 days after the update, it does not leave much time for such testing to take place.

In addition, I would also recommend the following to specifically protect from Flash Player exploits:

  1. Keep your web browser up to date.
  2. Consider using an exploit mitigation tool such as HitmanPro.Alert (paid for product), Microsoft EMET (free) or Malwarebytes Anti-Exploit (free or paid for versions).
  3. Try to choose anti-malware software that includes a firewall with Intrusion Prevention (in a corporate environment a web application firewall is preferable).

=======================
Update: 31st January 2016:
Further reference material in relation to the large number of Flash Player vulnerabilities being patched is as follows:

Stop the Flash madness – 5 bugs a week by Michael Horowitz (Computerworld)

When it comes to bugs, the Adobe Flash Players cup runneth over by Michael Horowitz (Computerworld)

Flash has been updated again. Seriously. Really. No joke. by Michael Horowitz (Computerworld)

Moreover, a more recent blog post discusses Adobe’s gradual transition away from Flash Player.
=======================

Thank you.