
Adobe Patches Flash, But Expect More Problems

Feb 26, 2009

Adobe’s Flash application is great for creating and watching rich multimedia applications, but it’s one of the applications security researchers fear most because it is highly vulnerable to hackers. The application has come under more intensive scrutiny recently after Adobe issued a patch for yet another vulnerability discovered earlier this week.

“We’re spending a lot of time researching the vulnerability of Adobe Flash because we foresee the problem getting worse before it gets better,” Holly Stewart, threat response manager at IBM (NYSE: IBM) Internet Security Systems’ X-Force research team, told InternetNews.com by e-mail.

At the end of 2008, 15 percent of all malicious links were to Flash movies containing malware, Stewart said. She added that people continue falling victim to Flash exploits because most of them do not patch Adobe applications when patches are available.

The latest vulnerability lets attackers take control of victims’ computers through a buffer overflow, Adobe (NASDAQ: ADBE) said in a security bulletin. It occurs in Flash Player 10.0.12.36 and earlier versions, Adobe said. The vendor has issued a patch for the vulnerability, which it has named APSB09-01.

Adobe’s bulletin said the user must load a malicious Shockwave Flash (SWF) file in the Flash Player before hackers can exploit the vulnerability. SWF files can contain animations or applets with different functions.

That need to download a malicious SWF file first could mean hackers would have to launch a two-pronged attack of the kind that hit the Microsoft (NASDAQ: MSFT) Excel zero-day vulnerability earlier this week.

Adobe did not respond to requests for comment by press time.

The patch released this week also resolves other possible attacks. One could lead to a Denial of Service attack; another, for Linux only, could lead to privilege escalation, meaning an attacker could get more extensive privileges after hacking into a system.

Two other possible attacks are Clickjacking attacks. One affects Windows systems only and the other affects Flash Player itself, Adobe’s Web site said.

In with the new

Adobe’s Web site recommends users update to the most current version of Flash Player available for their platform. Users can go to this Adobe site to verify the version of Flash Player on their computers.

Flash Player versions 10 and later are not available for Microsoft Windows 98 or Windows ME, Apple (NASDAQ: AAPL) Macintosh OS X 10.1 to 10.3, and Red Hat Enterprise Linux 3 and 4, Adobe said on its Web site. That is because those versions are not supported on older operating systems, and these operating systems’ manufacturers will not fix problems in them, according to Adobe’s Web site.

Adobe has developed Flash Player 9.0.159.0, a patched version of Flash Player 9, for users who cannot update to version 10. It can be downloaded from this Web page.

This is the second time since November that Adobe has had to issue a patch for Flash.

Security experts contend that Flash Player has too many features that are hidden, so users cannot configure it. “Flash is a frightening technology in that Adobe has tried to make it do so many things in addition to playing content,” Randy Abrams, director of technical education at antivirus vendor ESET, told InternetNews.com.

“If Adobe doesn’t get real smart about making the Flash Player user configurable, they may end up playing second fiddle to Microsoft Silverlight instead of being in the lead as they are now.”

Flash and Silverlight are locked in a heated battle for market share.
