RealTime IT News

F-Secure: Flash, ActiveX Still Under Attack

Old, unpatched vulnerabilities continue to be a source of danger for PC users, with F-Secure warning today that malware authors are ramping up their attacks on security holes in two major vendors' Firefox plugins.

It's the latest incident of old vulnerabilities remaining unpatched and potentially dangerous. In its quarterly threat report two weeks ago, the company warned that many PCs still have open security holes in Adobe and Microsoft software, despite available patches.

Today, the company said in a blog post that the bad guys have written malware to automate attacks on security holes. The attacks exploit an Adobe Flash Player flaw from 2007 and a Microsoft ActiveX flaw from 2008.

The flaws might be old, but they still impact the latest edition of Mozilla Firefox, version 3.5. It's especially critical since many PC users are downloading Firefox 3.5, F-Secure added.

"Updating the browser -- good. Not updating web apps at the same time -- not so good," F-Secure said. "Just as a precaution, don't forget to update all your plugins, apps and so on when you update your browser."

Microsoft (NASDAQ: MSFT) and Adobe (NASDAQ: ADOBE) have each encouraged users and IT managers to deploy the patches necessary to close the holes.

Patchy patching proves problematic

It's not the first time that security companies and software makers have warned users about the dangers of unpatched software. Many luminaries at the RSA security conference earlier this year discussed the problem.

At the conference, Symantec CEO Enrique Salem called for a fundamental change in the way that software is developed.

Also at RSA, IBM announced products designed to improve security in specific areas, from mainframes to the cloud.

Since then, several companies including IBM and CA have announced new frameworks designed to make it easier to bake security into software at an early stage.

Despite those efforts, and the constant stream of new malware attacks in the headlines, users are often less-than-diligent in updating their software. In April, Microsoft found in a study that much of users' problems with infected files stems from their failure to apply available updates.

"Adobe recommends users update to the most current version of Flash Player available for their platform to help mitigate potential issues. Adobe communicates potential issues via security advisories and bulletins. By signing up for notifications here, customers will receive timely information that can help protect them against potential issues," an Adobe representative said in an e-mail to InternetNews.com.

Another reason PCs remain unpatched may be the use of pirated software, according to a major industry association.

Today, the Business Software Alliance (BSA) reminded enterprises that pirated software will always have vulnerabilities. As the association fined Donegal Mutual Insurance Company of Marietta, Penn., $105,000 for using Microsoft software without the required licenses, it was eager to point out the security implications.

"By utilizing pirated software, users' networks and computers are vulnerable to serious IT security threats. Company computers could be infected with Trojans, viruses, malware, and other threats," the BSA said in a statement.

Update adds Adobe comment.