What Can We Learn From The Latest Adobe Security Flaw?

Adobe Systems has released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.

But why does Adobe keep getting targeted by attackers and what can you do to protect yourself? Here’s what the IT security sector had to say:

Mark James, security specialist at IT security firm ESET

“Since Flash is such a widely used plugin, it stands to reason that it will be one of the most targeted apps for vulnerability. If you want to affect as many people as possible then you need an application that a lot of users use and flash is one of them. This is an excellent example of why you should be very aware of updates for software not only operating systems. Checking to see if any updates are available and installing them immediately is the only way to help protect yourself in the minefield of the software world that we use today.
There is an excellent link that everyone should save and use as often as they can to check to see the latest version of flash and more importantly see if their version is the same or needs updating – https://www.adobe.com/software/flash/about/

“Please be very careful of following links to update sites as these could sometimes be used to direct you to other malicious sites. I would personally recommend that you manually type the link to be absolutely sure if you have any concerns at all.”

John Smith, solution architects at Veracode

Adobe Flash is a very common software component and a successful exploit of this flaw would give the attacker the ability to run their own code on the vulnerable targets within an organisation’s own infrastructure. So, it is important the patch for this flaw is applied right away. As with other recent critical vulnerability disclosures – such as Heartbleed – the combination of high prevalence and high impact is very valuable to attackers and potentially very costly for targets.

“Protecting against attacks that target vulnerable software requires organisations to have a good understanding of their software inventory so that they can act quickly when a new flaw is identified – whether by a vulnerability disclosure such as this one or through testing. When a piece of software – such as Adobe Flash – is found to have serious flaws like this one, organisations will need inventory knowledge to help weigh up the costs and benefits of continuing to use it.

Craig Young, security researcher at Tripwire

“Flash, along with ActiveX and Java are remnants of the 1990s ‘Web 2.0’ technology boom. The nature of these technologies allows attackers to run code directly on remote computers and revolutionised the attack surface of the Internet.

“There has been a constant barrage of vulnerabilities in all ‘Web 2.0’ technology as well as a constant stream of ‘update’ messages to users. This has given way to a newer and very successful form of attack wherein the attacker spoofs an update message tricking users into downloading malware. These tricks can be particularly effective, as illustrated by the 2012 Flashback malware which exploited Java on roughly 600,000 Apple computers in the 6 weeks it took for Apple to respond with patches.”

Amichai Shulman, CTO of Imperva

“This is a reminder that the average end user machine is extremely vulnerable to infection at any given point in time, even for individuals and organisations who carefully observe patching practices. It emphasises what we believe is should be the moto for modern corporate information practices: you have been compromised, make sure it does not turn into a breach. What it means is that organisations must shift their security investments to solutions that protect their data from abuse rather than their end stations from being compromised.”

Clinton Karr, senior security strategist at Bromium

“This Adobe Flash zero-day illustrates why Internet content is so untrustworthy: attacks can be committed through the browser, through scripting languages and even through extensions. It’s a greenfield for hackers with no end in sight if the status quo for protection doesn’t change.

“Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack. Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat, are security and ops teams granted the grace period needed to test and deploy these critical patches.”

How much do you know about Internet security? Take our quiz!