Yet Another Flash Player Patch

February 26, 2013

Today Adobe released another update to its ubiquitous Flash Player for all platforms (Windows, Linux, Mac OS X) to address what it says are critical security vulnerabilities. The update addresses two identified vulnerabilities (CVE-2013-0643 and CVE-2013-0648); an attacker who exploited these vulnerabilities might cause a system crash, or be able to take control of the affected system.

According to Adobe’s Security Bulletin [APSB13-08], the following versions of the software are vulnerable:

  • Adobe Flash Player 11.6.602.168 and earlier versions for Windows
  • Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
  • Adobe Flash Player  and earlier versions for Linux

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.  The new version for Mac OS X and Windows is 11.6.602.171; for Linux, the new version is  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The Flash Player bundled with Google Chrome will be automatically updated to version 11.6.602.171.
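As an added example (not from the post or from Adobe), here is a small patch-compliance check that compares an installed Flash Player version against the "and earlier" thresholds quoted from APSB13-08 above; the platform keys, function names and sample inventory are my assumptions, and the Linux threshold is left out because the post does not give it.

```python
"""Patch-compliance check for APSB13-08 (added example, not from the post).

Compares an installed Flash Player version against the "and earlier"
thresholds the bulletin lists per platform. Versions are compared as
tuples of integers, not as strings: "11.6.602.17" sorts *after*
"11.6.602.168" lexicographically, which is exactly the mistake an
inventory script must avoid.
"""
from typing import Optional, Tuple

# Last vulnerable version per platform, as quoted in the post from APSB13-08.
# The Linux figure is absent from the post, so it is deliberately not listed.
LAST_VULNERABLE = {
    "windows": "11.6.602.168",
    "mac": "11.6.602.167",
}
FIXED_VERSION = "11.6.602.171"   # Windows, Mac OS X and the Chrome-bundled plugin


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.6.602.168' into (11, 6, 602, 168); reject non-numeric parts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> Optional[bool]:
    """True if the install is at or below the bulletin's threshold,
    False if newer, None if the platform has no threshold on record."""
    threshold = LAST_VULNERABLE.get(platform.lower())
    if threshold is None:
        return None
    return parse_version(installed) <= parse_version(threshold)


def advise(platform: str, installed: str) -> str:
    """Human-readable verdict for a single host."""
    status = is_vulnerable(platform, installed)
    if status is None:
        return f"{platform}: no threshold on record for {installed}; check the bulletin"
    if status:
        return f"{platform}: {installed} is affected; update to {FIXED_VERSION}"
    return f"{platform}: {installed} is not affected by APSB13-08"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    for plat, ver in [("windows", "11.6.602.168"), ("windows", "11.6.602.17"),
                      ("mac", "11.6.602.171"), ("linux", "11.2.0.0")]:
        print(advise(plat, ver))
```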

There are reports that these vulnerabilities are being actively exploited, primarily in attacks against the Firefox browser running on Windows systems.  The exploit attempts to trick the user into visiting a Web site with malicious Flash content.  Because of this, and because Flash Player has always been an attractive target for the Bad Guys, I recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.

Ars Technica has a brief article on this update, which is the third for Flash Player this month.

More Java-Induced Jitters

January 20, 2013

I’ve written here several times before (most recently last October) about some of the security issues with Oracle’s Java software.   Lately, Java has been in the news again, because of a new, serious security vulnerability recently discovered in the latest version of the software.

Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is widely installed across multiple platforms (including Windows, Mac OS X, and Linux), making it an attractive target.   Also, unlike a typical application software package, installing a new version of the Java environment did not necessarily remove older versions that had been installed previously.  (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.)  This meant that, although the updated software might fix security flaws, the old version, complete with flaws, was still there to be exploited.

I won’t take the time and space here to relate the history of the latest vulnerability.  (If you are interested, Brian Krebs has a good summary at his Krebs on Security blog.)  Oracle issued a Security Alert for this problem, together with a new version of the Java Runtime Environment [JRE], version 7 update 11.  (You can download the new version, for all platforms, here.)  However, subsequent to that release, testers discovered that the new version fixed only part of the vulnerability, so that an exploit was still possible.

US-CERT has issued a Vulnerability Note (VU#625617) concerning the situation at present.  Their recommendation, which I endorse, is that users who require Java should update to version 7 update 11 immediately, and should also disable the Java browser plugin(s).   Instructions for doing this are available at the Java site.  The Vulnerability Note also contains links to more technical information.

As I wrote in last October’s post (and in another post a couple of years before that), there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.

Update Monday, 21 January, 11:13 EST

The SANS Internet Storm Center has a diary post with links to some additional technical information on the latest vulnerability.

Java Survey Results

October 24, 2012

Last Friday, I posted a note here about an article and informal survey at Ars Technica, on whether keeping Java on the desktop was a significant security risk; and, if so, whether the risk was worth running.  Ars has posted a follow-up article, summarizing the results of their survey.  The results are interesting, although likely to disappoint anyone expecting a clear-cut, black and white sort of answer.

There seems to be a consensus of sorts that the most risky part of the Java system is the browser plug-in.  Those respondents who had security concerns often focused on mitigating that aspect of risk:

Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. Those plugins are often vulnerable to attacks involving remote code execution.

This approach, which I mentioned in an earlier post on getting rid of Java, probably removes the most serious threat, while leaving the Java Runtime Environment available to support features of packages like the open-source office suite, Libre Office (the successor to Open Office).   Libre Office can still be installed without Java, but some features will not be available.

Not surprisingly, the responses also indicated that Java still enjoys substantial popularity among developers; one respondent wrote:

I use Java heavily at work because it has the killer combination of: being good enough as a programming language; being cross-platform; having a great set of libraries; running fast.

Java is also used extensively in enterprise environments.

Java has lots of real-world use cases, enough that uninstalling or disabling the platform isn’t realistic for many users. Numerous people report keeping Java enabled in browsers because of banking, government, work, and school-related websites.

For both the developers and enterprise users, a common theme seems to be that Java, while not being perfect for any particular application, offers a practical approach for many things.  That it is available and gives decent performance across a variety of platforms is an obvious selling point.   Beyond that, it is a reasonably structured language, and much better for sizable projects than a scripting language like Perl.

For the average individual user, I’d recommend the following approach:

  1. Look through the list of software and Web sites that you use regularly, and see if any of them require Java.
  2. If none does, then removing Java will reduce your risk at minimal cost.  (You can always re-install it if your situation changes, of course.)
  3. If you have application software, like Libre Office or Minecraft, that requires Java, you can leave the Java environment installed, but remove or disable the browser plugin.
  4. If you regularly use Web sites that require Java, you can leave the plugin enabled, or disable it, re-enabling it when you need the Java-dependent site, depending on how frequently that occurs.

As always in security, there are trade-offs, but I hope that making this sort of information available will help people in making choices.