Adobe Flash - Flash Client Security

Flash's security record has led several security experts to recommend either not installing Flash or blocking it. US-CERT recommends blocking Flash using NoScript. Charlie Miller recommended "not to install Flash" at the computer security conference CanSecWest. As of November 3, 2012, the Flash Player has over 200 CVE entries, 185 of which have been ranked with a high severity (leading to arbitrary code execution), and 46 ranked medium. In February 2010, Adobe officially apologized for not fixing a known vulnerability for over 1 year. In June 2010, Adobe announced a "critical vulnerability" in recent versions, saying there were reports that this vulnerability was being actively exploited in the wild against Adobe Flash Player as well as Adobe Reader and Acrobat. Later, in October 2010, Adobe announced another critical vulnerability, this time also affecting Android-based mobile devices. Android users have been advised to disable Flash or set it to run only on demand.

Symantec's Internet Security Threat Report states that a remote code execution vulnerability in Adobe Reader and Flash Player was the second most attacked vulnerability in 2009. The same report also recommends employing browser add-ons wherever possible to disable Adobe Flash Player when visiting untrusted sites. McAfee predicted that Adobe software, especially Reader and Flash, would be the primary target for attacks in 2010. Adobe applications had become, at least at some point, the most popular client-software targets for attackers during the last quarter of 2009. The Kaspersky Security Network published statistics for the third quarter of 2012 showing that 47.5% of its users were affected by one or more critical vulnerabilities. The report also highlighted that "Flash Player vulnerabilities enable cybercriminals to bypass security systems integrated into the application".
