Last week — yet again — more security issues in Adobe products were announced. Adobe’s Security Advisory APSA10-01 confirmed that a 0-day exploit was being actively exploited. This vulnerability affected Flash Player, Acrobat Reader, and Acrobat. While the advisory listed techniques for mitigation, many of these are simply not feasible or practical in many environments.
While some organizations may have taken steps to mitigate these issues, I would wager that nearly no home users did (us geeks being the obvious exception), simply because they aren’t aware of the issues. With some reports putting the installed base at around 98% (Adobe says 99%), the vulnerable hosts number in the millions. For software that is so widespread and has the potential to wreak havoc in our environments, we — the IT industry — need to do something.
For Adobe, these security issues are nothing new. This is just the latest instance. A few months ago, we saw the same thing happen and, in a few more months, I’m sure we’ll see it again. Adobe Security Bulletin APSB10-14, for example, lists a total of 32 security holes across Adobe Flash Player, Adobe AIR, and Adobe Flex, each of which are severe enough to justify separate CVE identifiers!
Does it really surprise any of us that Apple refuses to allow Flash on iPhones, iPods, or iPads? In “Thoughts on Flash“, Steve Jobs wrote:
“Symantec recently highlighted Flash for having one of the worst security records in 2009.”
Flash, to me, serves no useful purpose. The only function it serves on my computers is to provide me with advertisements when I’m surfing the web. Likewise, I don’t use Adobe Acrobat either. Sumatra (a standalone executable, by the way) serves my purposes just fine, and there are plenty of free utilities to create PDF documents so there’s no point in paying for Acrobat.
Anyone in IT has heard the “security versus convenience” argument (or should have). There comes a point, however, when it becomes obvious that a software vendor is not doing their part. If they continue to put out insecure code time and time again, the only choice we ultimately have is to stop using their products. Eventually, we’ll hit the tipping point and organizations will begin to do just that. Personally, I can’t wait until Flash, in particular, is dead.