Adobe patches Flash Player for second time in 20 days
Quashes two bugs as it applies new patch priority ranking for the first time
Computerworld - Adobe today patched a pair of critical vulnerabilities in Flash Player and told IT administrators to apply the update within 30 days.
The update was the second for Flash this year; Adobe last patched it less than three weeks ago.
"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in an accompanying security advisory issued around 3 p.m. ET.
One of the bugs was a memory corruption vulnerability in Matrix3D -- an Adobe ActionScript class that determines the position of three-dimensional objects in Flash -- and, said Adobe, "could lead to code execution."
The second, less serious vulnerability, was labeled an "information disclosure" bug.
Unlike last month's Flash update, attackers have not yet begun exploiting these vulnerabilities, said Adobe.
Because of that, Adobe tagged today's Flash Player update as "Priority 2," the midpoint of a new three-label advisory system the company quietly announced last week in a blog post by David Lenoe, group manager of Adobe's product security incident response team.
Arguing that "All critical security updates are not created equal," Lenoe said Adobe was instituting a three-step update recommendation ranking.
Priority 1 will be reserved for updates Adobe believes should be applied immediately by consumers, and within 72 hours by enterprises. These updates, said Lenoe, will patch so-called "zero-day" bugs that are already being exploited by hackers.
By that definition, the Feb. 15 Flash update would have been pegged as Priority 1.
Priority 2 updates -- such as today's -- should be deployed "soon" said Adobe, and suggested that corporate IT administrators roll them out within 30 days. "[These updates] resolve vulnerabilities in a product that has historically been at elevated risk ... [and] based on previous experience, we do not anticipate exploits are imminent," said Adobe last week.
Finally, Priority 3 updates will be those that Adobe will recommend administrators apply "at their discretion" because they "resolve vulnerabilities in a product that has historically not been a target for attackers."
Lenoe said the new priority ranking took into account historical attack patterns, the type of bug, the software affected and mitigations that may be available. Adobe will also continue to broadcast its already-in-use ratings, such as "critical," alongside the new priority labels.
"It's basically 1 for now, 2 for tomorrow and 3 for maybe," said Andrew Storms, director of security operations at nCircle Security, in an interview conducted Monday via instant messaging.
Storms also saw the new rankings as a logical move for Adobe, which has adopted several of Microsoft's security practices, including the latter's development process and for some products a regular patching schedule.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts