Maybe Steve Jobs isn’t wrong about Flash; maybe it really isn’t reliably maintained. Matthew Dempsey has set up a web page showing a proof-of-concept example of a Flash vulnerability that hasn’t been patched, even though he reported it to Adobe in September 2008. As he says on his web page, “Despite numerous email exchanges with the Flash product manager about the bug, the bug report being hidden from the public for ‘security’ reasons, and Adobe CTO Kevin Lynch’s claims otherwise, it continues to be an issue.” A more detailed explanation of the issue is found here.
Adobe gives a confusing response, suggesting that, since the bug was filed just as Flash 10 was being prepped for release, it wasn’t fixed right away. But they don’t say why it still hasn’t been fixed 16 months later. They do claim it will be fixed in Flash 10.1, due to be released soon. Rest assured, Adobe will fix that bug someday.
But let’s look more closely at this bug. Why is a bug that causes a crash considered to be a vulnerability? When applications (or, in this case, plug-ins) crash, they open a door, in a way, allowing for the possibility of remote code being executed, or other objects being injected into a user’s software. Using JavaScript injections on hacked websites, it is possible to serve booby-trapped Flash files to unsuspecting users. These Flash files can then potentially allow remote users to run code that compromises a computer whose user simply went to a web page and may not even have seen the corrupted Flash file.
So what are your choices? Deactivate Flash by uninstalling it? That’s always a possibility; you can download an uninstaller here. But Flash is widely used, both for online videos and for other animated content such as games, and, alas, ads. For now, Flash is omnipresent, and it looks like the only option is to hope that this vulnerability is not exploited.
Intego’s Virus Monitoring Center is looking out for malicious Flash files, and VirusBarrier X6 will block them if any are found.