Adobe rushes to fix more serious flaws in Flash
Two serious bugs in Flash left PCs open to attack
Adobe has hurried to fix two serious security flaws in Flash, adding to its unwanted reputation as one of the most insecure pieces of software available today. On Friday, the company announced that it had fixed a flaw in Flash that was already being exploited by data thieves on the internet, and was also working to close a second serious bug in its software.
Adobe later announced it had fixed the second bug on Saturday, adding that it “expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11″.
The second bug allows attackers to take remote control of a computer, which could be used to make the PC part of a “botnet” of thousands of infected systems. These are often used to bring down websites by flooding them with millions of simultaneous requests. Again, Adobe said it had seen evidence of the second bug being exploited on the internet, prompting the firm to work quickly on a patch.
Adobe has a poor track record for the security of its products. The independent security software test lab, AV-Test, claimed Adobe Reader and Flash were responsible for two thirds of all exploited Windows vulnerabilities between 2000 and 2013. Flash alone was the target of more than 20,000 successful attacks during that period. Steve Jobs infamously refused to allow Flash on the iPhone, citing security flaws as one of his chief concerns.
The constant nagging to update software such as Flash and Adobe Reader can lead many users to simply ignore essential security patches, leaving their systems vulnerable to attack.
Independent security expert, Graham Cluley, says Adobe should be applauded for the speed with which it reacted to these latest flaws. “Adobe often gets something of a beating because of the number of vulnerabilities found in its software (although its product security does appear to have improved considerably in recent years), but on this occasion we should all thank them for managing to get a fix out – for at least some users – ahead of schedule,” Cluley writes on his blog.
Flash is gradually being phased out in favour of HTML5 to deliver web animations and video, but is still installed on the vast majority of PCs. It’s built into browsers such as Internet Explorer and Google Chrome, and should therefore be automatically upgraded by the browser makers when new security patches are released, but it’s also available as a separate installation for users of Firefox and other browsers.