Wednesday, June 9, 2010

A Flash in the Pan?

By: Avi Bashan, Information Security Consultant

Just as we thought that the last aftershocks of the recent Flash debate between Apple and Adobe were yesterday's news, the Flash headlines endure. Last Friday Adobe announced a new critical vulnerability in Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions. The vulnerability can potentially cause the Flash Player to crash and allow an attacker to take control of an affected system.

The vulnerability also affects Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions. Adobe reported that the vulnerability is currently being exploited across the web. The security update for Flash Player is scheduled for release on June 10th; as for the security update for Adobe Reader, we will have to wait until June 29th!

This brings us to the unavoidable question: was Steve Jobs right in his adamant anti-Flash stance? As we can recall, Jobs made several pointed remarks about Flash Player's security and stability. And as of now, Apple still refuses to incorporate Flash into their technology, notably the iPad and iPhone products.

On the other hand, Google approaches the subject quite differently. Just recently Google announced and even released a new beta version of their popular mobile operating system Android (version 2.2), named Froyo. The system supports Flash 10.1; furthermore, the latest version of Google's popular browser, Chrome, adds Flash as a built-in feature.

The question still remains open, since as of today there is no real substitute for the Web 2.0 experience that Flash provides. That said, anyone who uses Flash should probably stop using it for now, or browse knowing full well about the potential repercussions. If you can't forgo the Flash experience, it would be prudent to follow these mitigations for continued use of Flash until the patch is released. As for the Acrobat Reader? It may be high time to start using alternate free PDF viewers readily available on the web, for now at least.