Issues have included one recent vulnerability described as "frighteningly bad" by a security expert. Technologists, however, disagree on the severity of Flash's weaknesses. Some say Flash is merely a victim of its own success, attracting attention from those with bad intentions but being no worse off than other software platforms when it comes to its inherent security. An alternate opinion is that Adobe simply lacks tight security practices in its internal development procedure and so has become a preferred vector for cyberthieves.
A review of Flash-focused security incidents of late raises eyebrows:
- Just last week, Adobe issued a critical patch for both Flash and AIR; the fixed flaws included what Adobe called "a vulnerability in the parsing of JPEG data that could potentially lead to code execution."
- Foreground Security in November detailed what one company official has described as a "frighteningly bad" security flaw in which an attacker can put a malicious Flash object on a Web site via user-generated content capabilities. Malicious scripts can then be executed.
- Adobe in July confirmed a Flash zero-day bug in its Flash and Reader software had a critical vulnerability on Windows, Macintosh, Linux, and Solaris operating systems that could cause a crash and enable an intruder to take control of a system. Product updates were issued to resolve the problem.
The link for this article located at ComputerWorld is no longer available.
