Adobe Issues Alert (and Update?) for Flash Bugs

Adobe has issued a security bulletin covering a dozen bugs in its Flash Player application, a widely used browser plug-in. Adobe says:

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

However, they go on to say, “We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.” It’s odd that they would issue an alert on the 30th and say they expect to provide an update by the 31st. It’s not clear if the update they’re providing fixes these vulnerabilities or whether there’s another update to be issued.

Unfortunately, most users rarely update Flash, since it’s not an application and doesn’t do automatic checks for updates. Given the risks of infected Flash content, and the ability of that content to run on any web page with no user interaction, Adobe should add some kind of auto-update check to the Flash plug-in. As it stands, the only way users know they need to update the software is when they read an article such as this, or if, in rare cases, they visit a page that requires a specific version of Flash and they find that their plug-in is out of date.
