Adobe insists it is working hard to boost the security defenses in its pilloried Flash Player.
The Photoshop giant, based in San Jose, California, says it is making an "extensive" push to secure its plugin before another wave of vulnerabilities is revealed in the software. We're told that, as a result of "recent developments," Adobe is stepping up its efforts to shore up Flash's defenses with mitigations against attacks.
Speaking of recent developments, three critical security holes in Flash have emerged in the past fortnight – two over the weekend (CVE-2015-5122 and CVE-2015-5123) and CVE-2015-5119 earlier this month. The 5119 bug has been patched by Adobe, and updates to fix the other two are due this week.
All three were revealed in the Hacking Team leaks, and all three allow miscreants to install malware and execute other malicious code on Windows, OS X and Linux computers. Crooks are already exploiting them to hijack systems because they have all the information they need to do so.
Adobe is under fire because these security flaws keep cropping up time and time and time again – if not in Flash then Adobe Reader and Acrobat. We've described Flash as software from Hell and "the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens." Harsh, perhaps, but we are not alone in our opinion.
Yes, all sorts of programs and operating systems – from Windows and OS X to Oracle Java and IBM products you've never even heard of – suffer from critical remote-code execution bugs. But Flash is everywhere, on every platform, and in everyone's browser: your parents use it, your children use it, admit it – you use it. It can be playing a video one moment, and helping a criminal install malware the next. It's an obvious target for hackers, and too often it puts up too little resistance.
Facebook's new chief security officer Alex Stamos, a respected chap in the infosec world, said this week that it's time for Adobe to kill off Flash, and for web browser makers to permanently block it.
'There are extensive efforts underway internally'
Apart from issuing security patches virtually every month, the silence from Adobe on the matter is deafening. Does Adobe care? Does it simply sit on its hands and wait for people to report vulnerabilities before it fixes them?
"Absolutely not," Wiebke Lips, senior manager of Adobe's corporate communications, told The Register.
"There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help keep our products and our users safe.
"Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments."
Exactly what these mitigations are, we don't know: Adobe doesn't want to say, but it may blog about them on its website. Last year, Adobe's chief security officer Brad Arkin said he wanted to make life much harder for attackers who try to exploit programming cockups, rather than spend all day finding and fixing bad code hidden in millions of lines of source.
Until those mitigations are put in place, an untold number of classic errors lurking within Flash, such as use-after-free bugs, will each remain exploitable until patched.
"Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of Adobe Flash Player, we have seen increasing attention from attackers," Lips added, before pointing us to the corporation's security pages.
"Adobe takes the security of our products, technologies and our customers very seriously. Adobe employs comprehensive security software engineering practices and processes in building our products and responding to security issues."
There are other mitigations. Adobe recommends installing antivirus software that catches malicious Flash files after they are downloaded and before they are opened in your web browser.
If you don't want to outright uninstall or disable Flash (because you want to watch BBC iPlayer, non-HTML5 YouTube or Twitch.tv videos, or play poker online, or something like that) consider telling your browser to only run Flash files when you tell it to – "click to play" in other words. This slashes the risk of infection if your browser surfs to a dodgy or compromised website that silently and invisibly loads a malicious file that exploits a vulnerability in Flash.
Adobe hopes to patch the critical CVE-2015-5122 and CVE-2015-5123 holes today (Tuesday). ®