Adobe promises Flash improvements after Firefox and Facebook snubs

[Aerosol]

Adobe has promised to do it all can to improve the security of its much maligned Flash tool, in response to criticisms from the new chief security officer of Facebook and Mozilla blocking the tool from its Firefox browser.

The company said in a blog post that it is working hard to fix problems that came to light after data was leaked from the server of Italian surveillance software firm Hacking Team.

Adobe went on to say that Flash is widely used and is naturally a target for hackers, but that the firm is confident of maintaining an adequate level of security for the product.

"Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world and, as such, is a target of malicious hackers," the blog said.

"We are actively working to improve Flash Player security and, as we did in this case, will work to quickly address issues when they are discovered."

The comments come after Mozilla took the notable step of blocking Flash from its browser in light of security concerns that came to light in the past 10 days.

Mark Schmidt, head of Firefox support at Mozilla, confirmed that all versions of Flash up to the most recent 18.0.0.203 release have been added to the official Mozilla blocklist.

This came after incoming Facebook chief security officer Alex Stamos called for Adobe to announce an ‘end-of-life date’ for Flash given the problems it is causing.

“Even if it's 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he added.

Adobe has issued two major updates for Flash since the flaws were revealed. The first patch fixed the CVE-2015-5119 vulnerability. The firm was soon forced to issue a second patch for two further flaws that were uncovered, termed CVE-2015-5122 and CVE-2015-5123, as explained in a post on its website.

"Critical vulnerabilities have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux," it said.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe rates the flaws as critical and firms have been urged to upgrade as soon as possible. The firm also thanked researchers at FireEye and Trend Micro for uncovering the vulnerabilities.

The revelations are just the latest information to come to light since the Hacking Team breach. Other data revealed that the FBI is a customer of Hacking Team, and is reported to have spent $775,000 on the firm's software.

The revelations from the hack have not come as a huge surprise to those who have criticised Hacking Team in the past, and the firm has been labelled an "enemy of the internet" by Reporters Without Borders.

"Hacking Team describes its lawful interception products as 'offensive technology' and has been called into question over deliveries to Morocco and the United Arab Emirates," the organisation said.

"The company’s 'Remote Control System', called DaVinci, is able, it says, to break encryption on emails, files and internet telephony protocols."

The attackers behind the hack have not yet come to light, but they too were clearly keen to embarrass and discredit Hacking Team, not only releasing the data from its systems but defacing its Twitter account and posting company emails.

The firm’s bio on Twitter was changed to read: 'Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.'

The leaked information allegedly includes contracts the company signed with repressive governments such as in Sudan, Uzbekistan and Russia. Hacking Team had denied ever working with Sudan after a report in 2014 accused it of doing so.

Source