Adobe: We REALLY are taking Flash security seriously – honest

Read their Lips – get our tips


Adobe insists it is working hard to boost the security defenses in its pilloried Flash Player.

The Photoshop giant, based in San Jose, California, says it is making an "extensive" push to secure its plugin before another wave of vulnerabilities are revealed in the software. We're told that, as a result of "recent developments," Adobe is stepping up its efforts to shore up Flash's defenses with mitigations against attacks.

Speaking of recent developments, three critical security holes in Flash have emerged in the past fortnight – two over the weekend (CVE-2015-5122 and CVE-2015-5123) and CVE-2015-5119 earlier this month. The 5119 bug has been patched by Adobe, and updates to fix the other two are due this week.

All three were revealed in the Hacking Team leaks, and all three allow miscreants to install malware and execute other malicious code on Windows, OS X and Linux computers. Crooks are already exploiting them to hijack systems because they have all the information they need to do so.

Adobe is under fire because these security flaws keep cropping up time and time and time again – if not in Flash then Adobe Reader and Acrobat. We've described Flash as software from Hell and "the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens." Harsh, perhaps, but we are not alone in our opinion.

Yes, all sorts of programs and operating systems – from Windows and OS X to Oracle Java and IBM products you've never even heard of – suffer from critical remote-code execution bugs. But Flash is everywhere, on every platform, and in everyone's browser: your parents use it, your children use it, admit it – you use it. It can be playing a video one moment, and helping a criminal install malware the next. It's an obvious target for hackers, and too often it puts up too little resistance.

Facebook's new chief security officer Alex Stamos, a respected chap in the infosec world, said this week that it's time for Adobe to kill off Flash, and for web browser makers to permanently block it.

'There are extensive efforts underway internally'

Apart from issuing security patches virtually every month, the silence from Adobe on the matter is deafening. Does Adobe care? Does it simply sit on its hands and wait for people to report vulnerabilities before it fixes them?

"Absolutely not," Wiebke Lips, senior manager of Adobe's corporate communications, told The Register.

"There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help keep our products and our users safe.

"Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments."

Exactly what these mitigations are, we don't know: Adobe doesn't want to say, but it may blog about them on its website. Last year, Adobe's chief security officer Brad Arkin said he wanted to make life much harder for attackers who try to exploit programming cockups, rather than spend all day finding and fixing bad code hidden in millions of lines of source.

Until those mitigations are put in place, an untold number of classic errors, like use-after-free() bugs, lurking within Flash will remain exploitable until patched.

"Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of Adobe Flash Player, we have seen increasing attention from attackers," Lips added, before pointing us to the corporation's security pages.

"Adobe takes the security of our products, technologies and our customers very seriously. Adobe employs comprehensive security software engineering practices and processes in building our products and responding to security issues."

There are other mitigations. Adobe recommends installing antivirus software that catches malicious Flash files after they are downloaded and before they are opened in your web browser.

If you don't want to outright uninstall or disable Flash (because you want to watch BBC iPlayer, non-HTML5 YouTube or Twitch.tv videos, or play poker online, or something like that) consider telling your browser to only run Flash files when you tell it to – "click to play" in other words. This slashes the risk of infection if your browser surfs to a dodgy or compromised website that silently and invisibly loads a malicious file that exploits a vulnerability in Flash.

To enable click-to-play in Chrome or Firefox, see these instructions. For all other browsers, take a look here.

Adobe hopes to patch the critical CVE-2015-5122 and CVE-2015-5123 holes today (Tuesday). ®

Similar topics


Other stories you might like

  • Adobe lowers 2022 forecast, blames Ukraine war, strong dollar
    Extended 'summer season' also at fault, says software slinger as share price slides

    Creative software slinger Adobe booked in double-digit revenues rises in its latest quarter but lowered forecasts due to conflict in Ukraine and and currency challenges. As such, Wall Street frowned and the share price went down.

    The Photoshop maker reported turnover from sales of $4.39 billion for Q2 ended June 3, up 14 percent year-on-year. The vast bulk of this, some $4.07 billion, was subscription-based, something other software vendors must eye with some envy because investors love recurring revenues.

    The Digital Media division, which includes Creative Cloud and Document Cloud products, jumped 15 percent to $3.20 billion, higher than analysts had estimated. The Digital Experience wing was $1.1bn, up 17 per cent, again trumping analysts' projections of $1.08 billion.

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • Adobe apologizes for repeated outages of its Creative Cloud video collaboration service
    Frame.io admits it was 'slow to scale as demand rose

    Adobe-owned cloudy video workflow outfit Frame.io has apologized and promised to do better after a series of lengthy outages to its service, which became part of Adobe's flagship Creative Cloud in 2021.

    Frame.io bills itself as "The fastest, easiest, and most secure way to automatically get footage from cameras to collaborators – anywhere in the world" because its "Camera to Cloud" approach "eliminates the delay between production and post" by uploading audio and video "from the set to Frame.io between each take." In theory, that means all the creatives involved in filmed projects don't have to wait before getting to work.

    In theory. Customers say that's not the current Frame.io experience. Downdetector's listing for the site records plenty of complaints about outages and tweets like the one below are not hard to find.

    Continue reading

Biting the hand that feeds IT © 1998–2022