Even before Steve Jobs cited the Adobe Flash plug-in for its dreadful security record and as the main cause of Mac computers crashing in 2010, the web staple of the last two decades began to show signs that its light was growing dim.
With Adobe releasing yet another zero-day update, Flash may be heading for a burnout, as Mozilla is now ready to stop supporting it. Mark Schmidt, head of Firefox Support, announced earlier this month: “All versions of Flash are now blocked by default in Firefox,” also adding, “Nothing relies on Flash as much as malware.”
Could this be the beginning of the end for the Flash plugin?
You will also notice that this month’s release includes last month’s pulled patch, “MS15-058.” Due to the heightened exposure of this vulnerability, even though it has been rated as Important, increased testing should be conducted before deployment of this patch; after all, we don’t really know why it was pulled from June’s release.
Another big event in this month’s Microsoft release is the end-of-life for Windows Server 2003. After this month, any further security updates are not guaranteed to be available. We encourage our customers to be certain that their environment is as safe as possible by either ensuring all their servers are patched or planning to migrate to a supported server operating system.
Verismic recommends that our clients consider the following updates for their remediation cycle this month: MS15-058, MS15-067, MS15-065, MS15-066, MS15-069 and MS15-070. This selection combines the vendor severity, the independent CVSS score and the clients’ current exposure. In our opinion, due to its CVSS score of 10, the most important update in this release is MS15-067. It carries the highest score and will likely impact our customers the most.
The CVSS scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 are Medium, and 0-3.9 are Low.
Adobe had decades to improve Flash’s security, but without pressure from the millions who continue to faithfully use it, for lack of a better replacement, why race to extinguish the fire? Though it looks like we’ve been sufficiently burned, extinction may take more time.
Beyond their trepidation about switching to a more secure and appropriate technology, organizations in particular may be too addicted to Adobe’s useful back-end elements, which make Flash difficult to replace. Yet, due to the acute seriousness of this vulnerability and the potential risk of its continued use in cyber-attacks in the near future, we urge users to disable Adobe Flash in their browsers until the issue is resolved.
- Gone in a Flash: Is Adobe’s plug-in heading for the home stretch? - August 5, 2015