Adobe in a Mad Rush to Fix Vulnerabilities

Adobe has been very busy the past few days responding to vulnerabilities found in two of its most popular software products, Adobe Flash and Adobe Reader. With almost all computers connected to the Internet most of the time, the chances of malicious code infecting critical files on those computers are getting higher.

In response to the number of threats detected each day, Microsoft designates the second Tuesday of each month as Patch Tuesday, when updates and fixes for files found to be vulnerable to hackers are made available for download. Indeed, last week’s Patch Tuesday (June 7, 2010) was very busy for IT staff worldwide: 10 security bulletins were issued in response to more than 30 newly discovered vulnerabilities. Aside from Microsoft, Apple issued fixes for 48 flaws that left its Safari web browser open to attack.

But what gathered the most interest was Adobe’s rush to fix an uncharacteristically high number (32) of vulnerabilities affecting Adobe Flash. With such a high number of bugs, experts have been reminded of earlier days when it was Microsoft that had to contend with buggy software. Although the targets now include non-Microsoft software, hackers still employ tried and true tactics in attacking computers. They rely on sites that contain malicious code and on knowledge of people's browsing habits. There are reports that even reputable sites are being exploited by hackers in order to infect the computers of visitors.

Hackers do this by injecting unauthorized pieces of executable JavaScript code into the source code (the HTML markup) of web pages. If the browser used to view the website is running an earlier version of Flash, the malicious JavaScript makes Flash execute code that results in an error condition called a buffer overflow. Buffer overflows result in erratic computer behavior and have been the basis of many hacker attacks.

What makes the attacks on Adobe software newsworthy is that Steve Jobs has recently been very vocal in his refusal to use Adobe Flash on the iPhone and the iPad. Jobs wants HTML5, rather than SWF (Adobe Flash) files, to be used to deliver video content over the net. Jobs explains that since HTML5 is non-proprietary and an open standard, it is a more secure platform for delivering web content to browsers. However, experts pointed out that Jobs is not being consistent, since Safari, Apple’s web browser, is itself buggy, and it took only minutes to hack an iPhone using bugs found in the browser.

Other personalities make the situation more interesting. Tavis Ormandy, who works for Google, was one of those who discovered the bugs that affect Adobe software. He informed Adobe about the bug as soon as he found it but only informed Microsoft at a later date. In fact, four days after telling Microsoft about the flaw, he publicly disclosed the bug. This had the IT staff at Microsoft scrambling to find a fix for the bug and heightened whatever conspiracy, real or imagined, seems to be at play between Google and Microsoft.

Users are advised to update all their software as soon as possible. Owners of Microsoft Windows computers should set them to update their software automatically. Adobe Flash Player versions 10.0.45.2 and earlier are vulnerable and should therefore be updated to the latest release.
