Adobe managed to go one better than Microsoft this week with a bulletin featuring multiple security updates for Flash, Reader, Illustrator and Acrobat.
The software maker’s tally included “priority 1” ratings related to two updates each for Reader and Acrobat and four critical updates for Flash.
It had the following in a statement:
“Adobe has released security updates for Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.356 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions.”
It added that the Windows and Mac updates for Adobe Reader and Acrobat XI and earlier versions relate to vulnerabilities ”that could cause a crash and potentially allow an attacker to take control of the affected system.”
Qualys CTO Wolfgang Kandek noted in a blog post that the update is the last to provide Windows XP users with Adobe patches – they will be on their own from now on.
Imperva co-founder Amichai Shulman, meanwhile, argued that software vendors are fighting a losing battle when it comes to patching vulnerabilities.
“Software vendors will keep doing their best to timely patch the vulnerabilities but enterprises should learn to accept the reality of compromised machines,” he told Infosecurity. “Rather than keep spending their security budgets on trying to avoid infection organizations should adjust security spending to mitigate the effects on such compromise on enterprise data.”
Paul Ducklin, Sophos head of technology in APAC, argued that it might not even be worth the effort installing the patches for Flash.
“These days, thanks to HTML5, a lot of interactive web functionality that used to rely on Flash is provided inside your browser,” he claimed in a post. “So you may be able to turn off Flash in your browser and thus reduce what's known as your attack surface area. Try it and see. If you find that you need or prefer to have Flash, you can always turn it back on.”
He added that users wishing to avoid Adobe “foistware” – additional software that tries to download at the same time as the update – may be better off signing up for access to the standalone installer available via the Adobe Flash Player Distribution page.