More Adobe Patches

   Security experts have warned for some time now that as the process for patching operating systems {Chapter 3 Security+ 3ed} has become more mature, attackers will focus more of their attention on applications instead.  If there's any doubt about that prediction, just look at Adobe, which is struggling to keep its Flash, Reader and other products secure.

   Yesterday (Jun 14 2011) Adobe issued an "out-of-band" (not in their normal update cycle) patch for their Flash player.  A "critical" vulnerability that attackers were already taking advantage of was plugged. This follows another out-of-band critical vulnerability that was patched nine days ago on June 5.  If you are keeping count, Adobe has patched its Flash Player four times in the last two months for a total of six times in 2011 (so far).

   And the sad news doesn't end there.  Adobe also patched 13 new vulnerabilities in its Reader product, and all but two of these were called "critical" by Adobe.  Yet unlike previous incidents, these Flash and Adobe vulnerabilities are not related.  Many Flash vulnerabilities can be exploited using specially crafted PDF documents, because Adobe Reader includes a customized version of Flash (authplay.dll) that can render Flash content within a PDF.  This most recent Flash patch does not impact Reader.  Adobe also patched 24 vulnerabilities in Shockwave Player, two in LifeCycle Data Services and Blaze DS, and two in ColdFusion.

   If you're concerned about security (and hopefully you are), what can you do?  You can uninstall Flash, but so many Web sites rely on it that it's difficult to surf the Web without it (I know, I've tried that).  Another option is to switch to the Google Chrome browser.  Unlike other Windows browsers, Flash is integrated into Chrome and is not a separate application.  Chrome automatically updates itself whenever Windows starts as well as throughout the session, without even telling you.  So when Chrome updates, Flash is updated.  (I've now moved to Chrome as my default browser, and rarely use anything else).  As far as Reader is concerned, there are also several excellent free PDF readers available (my favorite is PDF-Xchange PDF Viewer).

   Stay secure!

http://www.cengage.com/community/infosec