Adobe Flash's security woes: How to protect yourself

InfoWorld - Adobe's Flash Player software is on 99 percent of Internet-connected desktops, offering up multimedia and video capabilities on a multitude of popular Web sites such as YouTube. But the Adobe Flash platform has been beset by a rash of security problems that give intruders potential access to computers running the software.

Issues have included one recent vulnerability described as "frighteningly bad" by a security expert. Technologists, however, disagree on the severity of Flash's weaknesses. Some say Flash is merely a victim of its own success, attracting attention from those with bad intentions but being no worse off than other software platforms when it comes to its inherent security. An alternate opinion is that Adobe simply lacks tight security practices in its internal development procedure and so has become a preferred vector for cyberthieves.

[ Keep up on good security practices with Roger A. Grimes' Security Adviser blog and with our Security Central newsletter, both only at InfoWorld. | Learn why Web application security is a growing problem for enterprises. ]

A review of Flash-focused security incidents of late raises eyebrows:

• Just last week, Adobe issued a critical patch for both Flash and AIR; the fixed flaws included what Adobe called "a vulnerability in the parsing of JPEG data that could potentially lead to code execution."
• Foreground Security in November detailed what one company official has described as a "frighteningly bad" security flaw in which an attacker can put a malicious Flash object on a Web site via user-generated content capabilities. Malicious scripts can then be executed.
• Adobe in July confirmed a Flash zero-day bug in its Flash and Reader software had a critical vulnerability on Windows, Macintosh, Linux, and Solaris operating systems that could cause a crash and enable an intruder to take control of a system. Product updates were issued to resolve the problem.
• Adobe also in July issued a patch for 12 vulnerabilities in Flash Player, 10 of which could lead to hijacked systems or hackers executing malware.
• Adobe in February released a bulletin about a potential vulnerability in Flash Player that could allow an attacker to take control of an affected system. The company issued a patch and advised users to upgrade their Flash Player software.
• In October 2008, Adobe warned of a Flash vulnerability that would let hackers use "clickjacking" attacks to secretly turn on a computer’s microphone and Web camera. That vulnerability was later fixed through an update.

Is Adobe immature when it comes to security? Adobe, says Foreground CIO Mike Murray, suffers from immaturity in its software development processes: "Adobe is just big enough that its issues [are starting] to impact the whole Internet."