Delfigo Security - Strong Authentication

Identity and Authentication Blog

Adobe Flash Vulnerability ctd.

Steve Jobs's reference in "Thoughts On Flash" to "Symantec recently highlighted Flash for having one of the worst security records in 2009" piqued our curiosity. What exactly did Symantec say?

"Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009."

The Symantec report references a SecurityFocus item that comments further on the vulnerability: "An attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file. Successful exploits may allow the attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions."

 

Steve Jobs Further Exposes Security Issues With Adobe Flash

Steve Jobs's recent "Thoughts On Flash" has caused quite a stir. However, none of this is new information. The Flash Player plug-in can access and control system resources, as well as write to the user's file system (to add updates and store Flash cookies). Development issues and security vulnerabilities related to the use of Flash have been written about extensively on blogs and technology sites, and are frequently noted in security warnings and reports (see SANS Top Cyber Security Risks, Symantec Global Internet Threat Report or US-CERT Cyber Security Alert). Flash has a very large user base that presents a large target for attackers, but has been fairly resilient to its critics. What is different now is that Jobs is no ordinary critic.

The other interesting news in Jobs's missive is Apple's claim to be big supporters of open standards (HTML5, CSS, JavaScript) and their role in WebKit. Never really thought of Apple as an "open standards company." Guess I wasn't paying attention.