Adobe releases Flash update amidst growing security concerns

Adobe has today released yet another security update for Adobe Flash Player aimed at Flash developers and marking the 12th update of 2015.

It follows recent pleas from Facebook’s newly appointed chief security officer (CSO) Alex Stamos to discontinue Flash as soon as possible, because it has become increasingly vulnerable to hacking.

Today’s update is intended to fix “critical vulnerabilities” that are detailed in the company’s Security Bulletin APSB 15-19, although all current links go to a 404 error, probably because the company’s “UPDATES: Security Bulletins Posted” was last updated on 14 July. However, it is clear that the update is for the updated debugger and standalone versions of Flash Player, for Windows, Mac and Linux.

The company does, though, state that from today (11 August 2015) the “Extended Support Release” has been updated from Flash Player version 13 to Flash Player version 18 for Mac and Windows. It tells users to install the full version 18 or to update to the most recent available release to stay up-to-date with all the security updates that are available. However, it also urges IT companies to test the new version 18 releases thoroughly before using them.

The company states that its latest update is intended for organisations that “prefer Flash Player stability” rather than so-called “new functionality.” It also states that it intends to create “a branch of the Flash Player code” that will stay up-to-date with all the latest security updates. However, none of these bug fixes or new features will be available via their “normal release branch.” The reason for this is that it will allow organisations to certify and also remain secure with Flash Player with “minimal effort.”

Vulnerability Issues With Adobe Flash

There have been numerous vulnerability issues with Flash over time, the most recent at the beginning of July this year, that ended up with hackers executing malicious code on a computer via a website. The security flaw was discovered by Hacking Team, an Italian cyber-surveillance company, which reportedly decided to keep the hack secret while malware developers went on to steal more than 400 GB of data.

At the time, Adobe warned that successful exploitation of the vulnerability might cause systems to crash. They also acknowledged that the vulnerability might enable attackers to “take control” of systems that were affected, and that they were aware the vulnerability had been published publicly. This resulted in an immediate security update for Flash Player as well as an update for Acrobat and Reader (July 8). Another Flash Player update followed on 14 July.

Earlier this year, in January and February, Adobe released six emergency security updates for Flash, indicating that this is clearly an ongoing problem. But its security issues go back even longer than many people realise. Five years ago Apple’s Steve Jobs noted that Flash had had a shocking security record for 2009. In an open letter, Thoughts on Flash, he explained why Apple would not allow Flash to be used on iPads, iPods, and iPhones, but instead uses JavaScript, HTML5 and CSS.

Essentially, Apple’s reasoning, historically, was based on technology issues, major technical drawbacks, and the fact that even though Flash is widely available it is a “closed system” only available from Adobe. He also slated the performance, security and reliability of Flash, stating that the software was the number one cause of Mac computers crashing. While Apple was working with Adobe to fix computer-based problems, Apple did not want to reduce the security and reliability of their other devices.

YouTube recently moved away from Flash technology, and from January 2015 dropped its default support for Flash in favour of HTML5. While Facebook has traditionally supported Flash, it now also allows HTML5 because it is not as vulnerable as Flash, and is better optimised for mobile devices.

Stamos and Facebook Security

Famously head-hunted from Yahoo in June this year, Stamos has stated publicly (via his Facebook page of course) that Facebook is best positioned to build safe, trustworthy products on the Internet. “The Facebook security team has demonstrated a history of innovation as well as a unique willingness to share those innovations with the world, and we will build upon that history in the years to come,” he wrote.

Less than two months into his new job, Stamos has attracted considerable attention after leaving Yahoo, joining Facebook, and announcing that he is determined to force Adobe to shut down Flash. He made his own announcement on Facebook on 24 June that he was leaving Yahoo and taking up the new Facebook position.

Then a few weeks later he used Twitter to state that it was time for Adobe to discontinue Flash, calling on the company to announce an “end-of-life date” for the software plug-in that has been installed on more than 1.3 billion computers worldwide.

Stamos has made it clear that he doesn’t believe the Internet needs Adobe Flash and that, instead of helplessly trying to find the ultimate security fix for its problems, the company should “announce the end-of-life date for Flash.” He also urged Adobe to “set killbits” that will disable the software worldwide on that date.