Adobe fixes fatal flaw in Flash
Adobe's accident-prone Flash software is fixed again
Adobe has fixed two serious flaws in Flash, which could have allowed hackers to take remote control of infected PCs. The flaws were so serious that Mozilla banned Flash from running automatically in the Firefox browser.
The critical vulnerabilities were discovered last week, and affected the latest version of the Adobe Flash Player and earlier versions for Windows, Mac and Linux. Worse still, attacks exploiting the flaws had been discovered, leaving systems with Flash installed vulnerable.
Adobe says it has now patched the software and has taken steps “to ensure that this class of attack cannot be used as a future attack vector”. The company says it is “proactively pushing the update out to users” and working with browser vendors to distribute the update. Flash is built into Google’s Chrome browser, for example, although with more and more websites moving to HTML5 for video and interactive content, that may not be the case for much longer.
Flash has one of the worst security records of any software, including Windows. A 2013 study by AV-Test found that Adobe’s Reader and Flash and Oracle’s Java software were responsible for two-thirds of all the vulnerabilities on Windows PCs. Flash was fifth on the list.
Steve Jobs infamously refused to allow Adobe’s software to run on the iPhone, stating that “we don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash,” in a public letter published in 2010.
In its defence, Adobe claims Flash is targeted because of its popularity. “Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” Adobe writes on a blog announcing the latest fixes. “We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered.”
That’s unlikely to be enough to appease Facebook’s new security chief, Alex Stamos, who this week urged Adobe to announce an end-of-life date for Flash.