Adobe Flashplayer and AIR Critical Security Updates

Corrine (Administrator, Microsoft MVP, Security Analyst)
Adobe has released security updates for Adobe Flash Player 16.0.0.235 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.425 and earlier versions for Linux. In addition, Version 16 of Adobe AIR has been released.

These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Details of the vulnerabilities are included in the below-referenced Security Bulletin.

The direct download links:



Security Bulletin: APSB15-01
Release Notes: Flash Player® 16, AIR® 16
 
When are Adobe going to release products which do not contain vulnerabilities? Every few months it seems a new vulnerability is discovered.
 
Don't forget, Adobe updates Flash Player (and usually AIR) the second Tuesday of the month along with Microsoft security updates. Comparing the number of software products Adobe has with Microsoft, yes, it would seem they could do a better job.
 
I understand that, due to the popularity of the product, it is more likely to be penetration tested and vulnerabilities discovered.
 
When are Adobe going to release products which do not contain vulnerabilities? Every few months it seems a new vulnerability is discovered.

It's how it will always be. When you push a release you're almost guaranteed a vulnerability (or a few). There's only so much internal testing that can be done regarding code, especially if the engineers are being screamed at to get it out quickly because of a prior exploit. It's unfortunately not just Adobe with Flash; it's Microsoft, Apple, Firefox, Chrome, you name it. A lot of malware depends on OS privilege escalation, and there are vulnerabilities found left and right for that; look how many security fixes we've applied to Windows over the years for various versions.

A lot of applications also have different features that are more vulnerable than the application itself, like Java's sandbox. Java by itself is just as robust as any C language, and JVM's memory safety is pretty great. When you add in the sandbox though, different story.
 
There's another issue too, which is that these codebases are all millions of lines long and very old. One of the most important steps to take towards reducing vulnerabilities in production code is taking the very expensive step of gearing the entire company ethos towards good quality, secure, well written code, and making sure that all code is carefully reviewed by another developer before being committed. Carefully is the key word here: just having another developer glance over it is no good. There has got to be support from management to take the time to make a careful assessment of the code, not to review as quickly as possible.

The impression I get is that Microsoft, along with many other companies, does have this attitude. Adobe and Oracle may well do so too. However, an awful lot of these vulnerabilities are being discovered in old code, not the new code which has only recently been written. All of the current generation Windows OS and other products have had their codebases started whilst Microsoft was a modern, massive, and rich company which would have been able to afford to take these steps. By contrast, Flash and Java have a much longer history, going back through many years and several companies. Even if standards today are fantastic, it's likely that they're still fighting fires from vulnerabilities written into the code long ago by a much smaller former company which simply couldn't afford to take the precautions which Microsoft does today.
 
The most important factor is cost. At the end of the day, Microsoft and Adobe are all companies looking to make a profit.
 