Steve Jobs has called Adobe Flash a security risk, and that is part of the reason Apple refuses to support it on the iPhone, iPod touch and iPad. For the second time in nine days Adobe has patched a critical vulnerability in Flash Player which attackers were already exploiting. We ask: is Flash a major security problem for enthusiast users?
If you run a Windows computer, there is a good chance you have seen updates for Flash on a very regular basis lately. Almost every day when I reboot my server at home, for instance, I am presented with a ‘new update’ for Adobe Flash. Adobe has been at the center of security concerns recently, not just because of Flash Player but also because of its Reader PDF viewer, Shockwave Player and ColdFusion.
The latest vulnerability, a memory corruption bug in Flash Player, was tagged as ‘critical’ by Adobe, who said that the bug could ‘potentially allow an attacker to take control of the affected system’. They added: “There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages”. In practice that means a drive-by attack: no download and no prompt, just a visit to a page hosting a crafted Flash file.
The previous security update, classed as an emergency update, was released on June 5th, when Adobe fixed a critical cross-site scripting flaw which attackers were exploiting to steal Gmail login credentials. We ask ourselves: was Steve Jobs just out to prove a point when he dismissed Adobe Flash as a major security risk, or was he making a valid statement?
Google, which bundles Flash with Chrome, reacted quickly and updated the browser a few days ago to include the just-patched version of Flash. Chrome users therefore receive the fix through the browser's own updater rather than Adobe's, which is worth remembering when checking which Flash version is actually installed.
This continues a constant update routine for Adobe, which has now patched Flash Player four times in the last eight weeks and six times so far in 2011.
One of the biggest exposures for Flash is not the browser at all but a specially crafted PDF file. Adobe Reader ships ‘authplay.dll’, its own copy of the Flash runtime, which renders Flash content embedded inside a PDF. A Flash Player bug can therefore often be triggered simply by opening a PDF, and because Reader carries a separate copy of the runtime it stays exploitable until Reader itself is patched, even if the browser plugin is up to date. This has been documented as a problem for Adobe in the past.
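To make that mechanism concrete, here is an added example (not code from KitGuru or Adobe) that triages a PDF for exactly the content authplay.dll would render: a RichMedia annotation with a Flash configuration, or any stream that is itself a SWF file. The two sample PDFs and the SWF header stub are constructed inline for the example; the function and sample names are the example's own.

```python
"""Flag PDFs carrying Flash (SWF) content, the path by which a Flash bug is reached from a PDF
through Reader's bundled authplay.dll. Scanner and samples are constructed for this article;
the embedded "SWF" is a header stub, not a real or malicious movie."""
import re
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed / zlib / LZMA SWF file signatures

# One indirect object with a stream: "N G obj <<...>> stream\n". Nested "<< >>" is handled
# because the lazy ".*?" keeps growing until ">> stream" is found within the same object.
_STREAM_HEAD_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.DOTALL)
# Direct integer /Length only; an indirect "/Length 9 0 R" must not match.
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*(?:/|>>))")


def _iter_stream_objects(data):
    """Yield (object number, dictionary bytes, raw stream bytes) for each stream object.

    Objects are split on 'endobj' so a dictionary cannot be attributed to a later object's
    stream. The body is sliced by /Length when it is a direct integer, otherwise up to the
    next 'endstream'. This is a triage scanner, not a full PDF parser: object streams,
    cross-reference streams and filter chains other than FlateDecode are not resolved.
    """
    for chunk in data.split(b"endobj"):
        head = _STREAM_HEAD_RE.search(chunk)
        if not head:
            continue
        dictionary = head.group(3)
        length = _LENGTH_RE.search(dictionary)
        if length:
            body = chunk[head.end():head.end() + int(length.group(1))]
        else:
            end = chunk.find(b"endstream", head.end())
            body = chunk[head.end():end if end >= 0 else None]
        yield int(head.group(1)), dictionary, body


def _decode_stream(dictionary, body):
    """Inflate FlateDecode streams; anything else is returned as-is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body  # damaged or unusual encoding: fall back to the raw bytes
    return body


def scan_pdf_for_flash(data):
    """Return a list of human-readable findings; an empty list means no Flash indicators."""
    findings = []
    # RichMedia annotations are the documented way to place Flash in a PDF (Adobe's
    # extension to PDF 1.7); the configuration dictionary names the player: /Subtype /Flash.
    if re.search(rb"/Subtype\s*/RichMedia\b", data):
        findings.append("RichMedia annotation")
    if re.search(rb"/Subtype\s*/Flash\b", data):
        findings.append("Flash RichMedia configuration")
    # Independently of the dictionaries, look for an actual SWF file inside any stream; this
    # catches content that has been renamed or wrapped in a generic embedded file.
    for num, dictionary, body in _iter_stream_objects(data):
        decoded = _decode_stream(dictionary, body)
        if decoded[:3] in SWF_MAGICS:
            findings.append(f"SWF payload in object {num} ({decoded[:3].decode()} header)")
    return findings


def _build_pdf(objects):
    """Assemble a minimal PDF (no xref table) from (dictionary, stream body or None) pairs."""
    out = [b"%PDF-1.7\n"]
    for num, (dictionary, body) in enumerate(objects, start=1):
        out.append(b"%d 0 obj\n%s\n" % (num, dictionary))
        if body is not None:
            out.append(b"stream\n" + body + b"\nendstream\n")
        out.append(b"endobj\n")
    out.append(b"%%EOF\n")
    return b"".join(out)


# Constructed samples. FAKE_SWF is only a header stub (signature, version, length), not a movie.
FAKE_SWF = b"FWS\x0a" + (32).to_bytes(4, "little") + b"\x00" * 24
_TEXT = zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET")
_SWF_Z = zlib.compress(FAKE_SWF)

BENIGN_PDF = _build_pdf([
    (b"<< /Type /Catalog /Pages 2 0 R >>", None),
    (b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None),
    (b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>", None),
    (b"<< /Length %d /Filter /FlateDecode >>" % len(_TEXT), _TEXT),
])

FLASH_PDF = _build_pdf([
    (b"<< /Type /Catalog /Pages 2 0 R >>", None),
    (b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None),
    (b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>", None),
    (b"<< /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] /RichMediaContent 5 0 R >>", None),
    (b"<< /Type /RichMediaContent /Assets << /Names [(movie.swf) 6 0 R] >> >>", None),
    (b"<< /Type /Filespec /F (movie.swf) /EF << /F 8 0 R >> >>", None),
    (b"<< /Type /RichMediaConfiguration /Subtype /Flash >>", None),
    (b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(_SWF_Z), _SWF_Z),
])

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("flash", FLASH_PDF)):
        print(name, scan_pdf_for_flash(doc) or ["no Flash indicators"])
```

Running the script prints no indicators for the benign document and three for the Flash one: the annotation, the Flash configuration and the SWF signature recovered from the inflated embedded file. The two checks are deliberately independent: the dictionary names tell you the document asks Reader to hand content to authplay.dll, while the signature check finds a SWF even when the dictionaries have been obfuscated. Real malicious PDFs routinely hide objects inside object streams or behind filter chains this scanner does not resolve, so treat a clean result from it as "nothing obvious", not "nothing there", and use a full PDF parser for anything that matters.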
Adobe did not only patch Flash: it also fixed 13 newly reported vulnerabilities in Reader, and the newest version, Reader X, received 17 patches. What makes matters more concerning is that all of the bugs, barring two, were tagged as ‘critical’ by Adobe. The latest security problems included heap overflow bugs, cross-document scripting flaws, memory corruption vulnerabilities, a DLL load hijacking vulnerability (where a malicious DLL placed alongside an opened document is picked up by the Windows library search order and loaded in place of the genuine one), and one vaguely tagged ‘security bypass’ bug.
Adobe also patched 24 vulnerabilities in Shockwave Player, two in LiveCycle Data Services and BlazeDS, its Java-based remoting and messaging server, and two in ColdFusion, Adobe's web application development platform.
The patched versions of Reader and Flash Player are now available, either via the built-in updaters or directly from Adobe's website, and we suggest that everyone updates them as soon as possible. Bear in mind that updating the browser plugin does not touch the copy of Flash inside Reader, or vice versa, so both need to be updated.
Kitguru says: a constant stream of critically flagged issues is not doing much for consumer faith in Adobe’s software development.