Adobe says the updates address critical vulnerabilities, although the precise priority rating depends on the platform being used. Flash on Windows is priority 1 (it is lower on other platforms), meaning that it updates ‘vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild.’ In reality, it is thought that none of the vulnerabilities are currently being exploited. However, Wolfgang Kandek, CTO of Qualys, points out that “a capable attacker would be able to analyze the patches and develop an exploit for one of the vulnerabilities in a few days.”
The timing of the update is a surprise. However, there is a possible link to Google’s Pwnium 2 competition starting tomorrow (10 October) at the current Hack in the Box (HitB) 10th anniversary conference in Kuala Lumpur, Malaysia. Twenty-four of the 25 vulnerabilites were discovered by Google’s security team. Google has built Flash into its Chrome browser, so Flash vulnerabilities could break Chrome. Since Google is offering up to $2 million dollars in rewards for successful Chrome exploits, the whole exercise looks very much like a hardening exercise prior to the Pwnium 2 contest.
However, whatever the cause for this sudden update, Chrome users needn’t worry too much about it. Since Google has built Flash into the browser, it is Google’s responsibility to perform the update – and provided the user has the latest version of Chrome, the updates have already happened.
Microsoft has followed Google’s lead and built Flash into the latest version of Internet Explorer (v10) on Windows 8. While this is not yet generally available (Windows 8 goes on sale later this month), developers and many enterprises have had access since August. Following the previous Flash update, Microsoft came in for heavy criticism for saying it would not immediately fix the flaws – although it backtracked and quickly did so. This time Redmond has been quicker off the mark, announcing yesterday that it had addressed the issues. “Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically.”
All other users, however, should follow the instructions in the Adobe advisory and update all versions of Flash as soon as possible.