
Flash in the Dark: Illuminating the Landscape of ActionScript Web Security Trends and Threats


Source
Journal of Information Systems Security
Volume 13, Number 2 (2017)
Pages 5995
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Authors
Meera Sridhar — University of North Carolina, Charlotte, USA
Mounica Chirva
Benjamin Ferrell — The University of Texas, Dallas, USA
Kevin W. Hamlen — The University of Texas, Dallas, USA
Dhiraj Karamchandani — The University of Texas, Dallas, USA
Publisher
Information Institute Publishing, Washington DC, USA

Abstract

As one of the foremost scripting languages of the World Wide Web, Adobe's ActionScript Flash platform now powers multimedia features for a significant percentage of all web sites. However, its popularity and complexity have also made it an attractive vehicle for myriad malware attacks over the past six years. Despite the perniciousness and severity of these threats, ActionScript has been significantly less studied in the scholarly security literature than the other major web scripting language - JavaScript. To fill this void and stimulate future research, this paper presents a systematic study of Flash security threats and trends, including a finer-grained taxonomy of Flash software vulnerability classes, a detailed investigation of over 700 Common Vulnerability and Exposure (CVE) articles reported between 2008–2016, and an examination of the fundamental research challenges that distinguish Flash security from other web technologies. The results of these analyses provide researchers, web developers, and security analysts a better sense of this important attack space, and identify the need for stronger security practices and defenses for protecting users of these technologies.

Keywords

Workplace Common Vulnerabilities and Enumeration, Adobe Flash, ActionScript, Virtual Machine
