Adobe patches Flash Player for second time in 20 days
Quashes two bugs as it applies new patch priority ranking for the first time
Computerworld - Adobe today patched a pair of critical vulnerabilities in Flash Player and told IT administrators to apply the update within 30 days.
The update was the second for Flash this year; Adobe last patched it less than three weeks ago.
"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in an accompanying security advisory issued around 3 p.m. ET.
One of the bugs was a memory corruption vulnerability in Matrix3D -- an Adobe ActionScript class that determines the position of three-dimensional objects in Flash -- and, said Adobe, "could lead to code execution."
The second, less serious vulnerability, was labeled an "information disclosure" bug.
Unlike last month's Flash update, attackers have not yet begun exploiting these vulnerabilities, said Adobe.
Because of that, Adobe tagged today's Flash Player update as "Priority 2," the midpoint of a new three-label advisory system the company quietly announced last week in a blog post by David Lenoe, group manager of Adobe's product security incident response team.
Arguing that "All critical security updates are not created equal," Lenoe said Adobe was instituting a three-step update recommendation ranking.
Priority 1 will be reserved for updates Adobe believes should be applied immediately by consumers, and within 72 hours by enterprises. These updates, said Lenoe, will patch so-called "zero-day" bugs that are already being exploited by hackers.
By that definition, the Feb. 15 Flash update would have been pegged as Priority 1.
Priority 2 updates -- such as today's -- should be deployed "soon" said Adobe, and suggested that corporate IT administrators roll them out within 30 days. "[These updates] resolve vulnerabilities in a product that has historically been at elevated risk ... [and] based on previous experience, we do not anticipate exploits are imminent," said Adobe last week.
Finally, Priority 3 updates will be those that Adobe will recommend administrators apply "at their discretion" because they "resolve vulnerabilities in a product that has historically not been a target for attackers."
Lenoe said the new priority ranking took into account historical attack patterns, the type of bug, the software affected and mitigations that may be available. Adobe will also continue to broadcast its already-in-use ratings, such as "critical," alongside the new priority labels.
"It's basically 1 for now, 2 for tomorrow and 3 for maybe," said Andrew Storms, director of security operations at nCircle Security, in an interview conducted Monday via instant messaging.
Storms also saw the new rankings as a logical move for Adobe, which has adopted several of Microsoft's security practices, including the latter's development process and for some products a regular patching schedule.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts