Update: Security expert warns users against Flash Player

News by Max Metzger

Brian Krebs, the mastermind behind Krebs on Security, has expressed doubts about Adobe's Flash, despite recent patches.

Investigative journalist and security blogger Brian Krebs has encouraged his readers to consider disabling their Flash Player software.

While a new patch has been released for Flash Player, fixing more than 20 security problems with the freeware, Krebs said: “Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it.”

Browser plugins like Flash are supposedly a favourite target for attackers, and Flash Player has been called out in the past for security issues. A Symantec report in 2010 said that “Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability.”

In 2010, Apple founder Steve Jobs published an open letter to Adobe, claiming that “Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now.” Adobe CEO Shantanu Narayen responded, saying, "If Flash (is) the number one reason that Macs crash, which I'm not aware of, it has as much to do with the Apple operating system."

Krebs, speaking to SCmagazineUK.com, explained part of the problem: “Flash is ubiquitous, or at least until very recently it was more or less so. It's probably the most common browser plugin out there, and it's cross-platform, commonly running on Windows, Linux and Mac systems alike. That kind of distribution has made Flash a huge target for malware writers.”

Krebs added: “Flash is powerful and externally accessible because it's designed to interact directly with websites. Compromise a website or set one up that targets a flaw in Flash, and you own the visitor's browser, which is the doorway to compromising the entire system.”

Historically suspicious of Adobe's Shockwave Player, a multimedia platform, Krebs has also proved sceptical of the new version released just two weeks ago. Krebs said that this new version “lacks fixes for a whopping 155 vulnerabilities in Flash that can be used to backdoor virtually any computer running it”.

Krebs told SC what Flash's weaknesses might mean for users: “Flash requires far too much patching for the average user to keep up with. Consequently, far too many users fall behind in patching it.” He added: “It's safer for most users just to remove the plugin entirely, or at least to use some kind of blocker or feature (like Click-to-Play) that disables Flash elements by default unless approved.”

In his post, Krebs said that those who don't want to get rid of Flash completely should “consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.”

An Adobe spokesperson spoke to SC, saying that "Adobe has made significant investments into enhancing Flash Player security over the last five years in particular, as new technologies have become available in response to the constantly evolving threat and attack landscape."

