US-CERT: Adobe Flash and AIR vulnerabilities can allow hackers to take control of your computer

The United States Computer Emergency Readiness Team (US-CERT) has used the National Cyber Alert System to issue a Cyber Security Alert (SA10-223A) regarding flaws in Adobe Flash and AIR.

Systems Affected
• Adobe Flash Player
• Adobe AIR

US-CERT’s alert also states that “other Adobe products that support Flash may also be vulnerable.”

According to the alert, “there are vulnerabilities in Adobe Flash player and AIR. An attacker could exploit these vulnerabilities to take control of your computer.”

Solution

Update Flash Player and Adobe AIR

Adobe Security Bulletin APSB10-16 recommends updating using the Adobe Flash Player Download Center and the Adobe AIR Download Center. Both Flash Player and AIR support automatic updates. Following these instructions will update the Flash web browser plug-in and ActiveX control, as well as AIR. However, it will not update Flash support in Adobe Reader, Acrobat, or other products.

To reduce your exposure to these and other Flash vulnerabilities, consider the following mitigation technique.

Disable Flash in your web browser

Uninstall Flash or restrict which sites are allowed to run Flash. To the extent possible, only run trusted Flash content on trusted domains. For more information, see Securing Your Web Browser. Note that disabling Flash may affect your browsing experience on certain websites.

US-CERT’s alert explains, “Adobe Security Advisory APSB10-16 describes vulnerabilities in Flash Player and AIR. Flash content could be on a web page, in a PDF document, in an email attachment, or embedded in another file. By convincing you to open malicious Flash content, an attacker may be able to take control of your computer or cause it to crash.”

References:

• Adobe Security Bulletin APSB10-16 – http://www.adobe.com/support/security/bulletins/apsb10-16.html
• Adobe Flash Player Download Center – http://get.adobe.com/flashplayer/
• Adobe AIR Download Center – http://get.adobe.com/air/
• Securing Your Web Browser – http://www.us-cert.gov/reading_room/securing_browser/

Source: US-CERT National Cyber Alert System, Cyber Security Alert SA10-223A

MacDailyNews Take: Being Flash-free is a selling point.

Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.

In addition, Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it. Adobe publicly said that Flash would ship on a smartphone in early 2009, then the second half of 2009, then the first half of 2010, and now they say the second half of 2010. We think it will eventually ship, but we’re glad we didn’t hold our breath. Who knows how it will perform?

Apple CEO Steve Jobs, Thoughts on Flash, April, 2010

[Thanks to MacDailyNews Reader “Carl H.” for the heads up.]

22 Comments

  1. Safari on my almost 10 year old Cube has new life thanks to Click-To-Flash. I see a speed improvement even on Flash-free websites if another tab is open to a site that uses Flash.
