Adobe patches Flash Player for second time in 20 days
Quashes two bugs as it applies new patch priority ranking for the first time
Computerworld - Adobe today patched a pair of critical vulnerabilities in Flash Player and told IT administrators to apply the update within 30 days.
The update was the second for Flash this year; Adobe last patched it less than three weeks ago.
"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in an accompanying security advisory issued around 3 p.m. ET.
One of the bugs was a memory corruption vulnerability in Matrix3D -- an Adobe ActionScript class that determines the position of three-dimensional objects in Flash -- and, said Adobe, "could lead to code execution."
The second, less serious vulnerability, was labeled an "information disclosure" bug.
Unlike last month's Flash update, attackers have not yet begun exploiting these vulnerabilities, said Adobe.
Because of that, Adobe tagged today's Flash Player update as "Priority 2," the midpoint of a new three-label advisory system the company quietly announced last week in a blog post by David Lenoe, group manager of Adobe's product security incident response team.
Arguing that "All critical security updates are not created equal," Lenoe said Adobe was instituting a three-step update recommendation ranking.
Priority 1 will be reserved for updates Adobe believes should be applied immediately by consumers, and within 72 hours by enterprises. These updates, said Lenoe, will patch so-called "zero-day" bugs that are already being exploited by hackers.
By that definition, the Feb. 15 Flash update would have been pegged as Priority 1.
Priority 2 updates -- such as today's -- should be deployed "soon" said Adobe, and suggested that corporate IT administrators roll them out within 30 days. "[These updates] resolve vulnerabilities in a product that has historically been at elevated risk ... [and] based on previous experience, we do not anticipate exploits are imminent," said Adobe last week.
Finally, Priority 3 updates will be those that Adobe will recommend administrators apply "at their discretion" because they "resolve vulnerabilities in a product that has historically not been a target for attackers."
Lenoe said the new priority ranking took into account historical attack patterns, the type of bug, the software affected and mitigations that may be available. Adobe will also continue to broadcast its already-in-use ratings, such as "critical," alongside the new priority labels.
"It's basically 1 for now, 2 for tomorrow and 3 for maybe," said Andrew Storms, director of security operations at nCircle Security, in an interview conducted Monday via instant messaging.
Storms also saw the new rankings as a logical move for Adobe, which has adopted several of Microsoft's security practices, including the latter's development process and for some products a regular patching schedule.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!