
Adobe Rocked by Yet Another Critical Exploited Flash Vulnerability


I was not really joking around in our April Fools post when I mentioned that “if your device runs Adobe Flash it is not a matter of if you will be hacked but when.” One of the questions I have asked RIM a few times is to explain how they managed to secure Flash on the BlackBerry PlayBook to an acceptable level. Flash, and by proxy its components (AIR/FLEX), is notoriously exploited on a regular basis. Just take this new critical security vulnerability in Flash that is already being exploited on Windows machines through Word document files. This comes almost exactly a month after the previous exploited vulnerability.

This is pretty much standard business for Adobe, which makes me wonder what steps RIM has taken to prevent this in the BlackBerry PlayBook. Adobe admits that this new vulnerability and the previous vulnerability also leave Android devices vulnerable, though Android already has a laughable security model that is designed to be broken.


Which leaves me wondering if RIM managed to cook up some QNX powered goodies to plug the inevitable Flash exploit. RIM has been mum on the subject so far, and I have confirmed with some friends who are large enterprise customers of RIM that it is promising the PlayBook is secure, though not explaining how. The reason I worry is that previously the BlackBerry OS had a bit of security by obscurity going for it by not having public source code, but that all changes with QNX, which has had relatively public source code for years.

On the other hand, people have been telling me that consumers don’t really care about security. That is why they don’t care if their iToy or HackDroid can be jailbroken/rooted with one click. So I thought I would ask all of you: does security/privacy matter to you, and how does that figure into your purchases?

15 total comments on this post
  1. It’s a matter of time, but the mobile device market will mature. I imagine that a widespread time delayed trojan virus will do a fantastic job of accelerating that “maturing” process.

    Remember the first time you got a virus on your PC? After that you took security a lot more seriously didn’t you? For those individuals using their phones more as tools and less as toys, that security issue will come into sharp focus if and when they encounter a virus or have their device hacked.

  2. If all the Facebook games would just switch to HTML5, couldn’t we just do away with the insecure Flash platform?

  3. I hope that devs and the smartphone companies start to work on this!

  4. At this time I’m not too worried about the potential security issues; I’ve always felt that as long as one does not open sketchy emails or mingle in illegal internet activity one is pretty much safe from viruses. This will be a major issue for me though, when phones begin adding near field communications (NFC): then a security breach could mean your bank info being stolen.

    • Unfortunately you can’t assume your friends/family/colleagues aren’t opening sketchy email or engaging in illegal activity. A lot of the time it’s a “trusted source” that infects you.

    • jischoler, unfortunately this just isn’t true anymore. Malware nowadays is as likely (if not more) to be delivered to you from a trusted site that’s been hacked. A few days ago I was reading an article about the US Postal Service national customer support center website being hacked. The site is used for a variety of services including bar code tracking. Visitors would have their system assessed by the hack, which sought out vulnerabilities, and then delivered an attack specific to those vulnerabilities.

      – “There were nine Trojans to choose from, including executable files, malicious PDF files and PHP scripts. The PHP files exploited known Java vulnerabilities. According to Virus Total, none of them would have been detected by most major antivirus programs. Three of the potential downloads – an executable and two malicious PDF files – were the best recognized, with five out of 42 antivirus programs tracked by Virus Total able to detect them.”

      This is really not an out of place occurrence these days. A lot of infected sites prolong the detection time by coding to detect if Google or services that check whether a site is infected visit. They then feed innocuous documents to those services, saving the malicious files for real life visitors.

      You can read the specific article here:
      http://www.eweek.com/c/a/Security/Blackhole-Exploit-Kit-Behind-USPS-Attack-224683/?kc=EWKNLEDP04112011D

  5. Being hacked is a big concern for me

  6. The alternative is to stay indoors all day in a controlled environment, looking at Blue Lego. No thanks, I prefer to venture out into the real world.

  7. It is true that RIM says RIM is baked in to the PlayBook, but I suspect this is just marketing gobbledygook. It likely isn’t hard to protect the PlayBook from Flash, especially in the current version where stuff on the BB is simply displayed and does not reside on the PlayBook.

    • The problem is exploits like this allow an application that is not normally allowed to run as superuser (admin) to do just that. Giving bad guys the ability to run any code they want on your device as superuser. Essentially giving them complete control of your system.

      *Note: I didn’t actually read the specifics about this exploit but the tone of the article suggests the above is the case.

  8. It doesn’t figure into purchases, but I do consider it after the fact. When it comes to smartphones, not so much though. I don’t really do anything on my berry that’s critical.

  9. Listen to Steve Jobs and start using HTML5.. till that’s broken..

  10. It’s one of the few reasons I hang onto a BlackBerry for my mobile communication needs: it’s the most secure platform if you know what you’re doing.
    Just bear in mind that you don’t need to root/hack the phone to have access to useful information though.

    Some people will get a BB thinking it’s the safer option and will just sync all their personal data with whatever service has the best marketing speech (I haven’t yet seen a secure data backup solution for BB) or will fail to use a password because it’s annoying to have to unlock the phone every time they want to use it…

    Even if you’re semi-cautious, you don’t always see what apps are doing in the background and, again, you will have to know what you’re doing when choosing which rights to give to which app if you want to tighten up security.

    Anyway, Flash can be bad because it can help leak data through a rogue website or maybe turn your phone into a zombie bot, but hopefully we’ll be able to turn Flash off on the Playbook.

    And security through obscurity is not security. I wouldn’t trust RIM’s word if I was a CISO for a large corporation being asked to evaluate their mobile devices…

  11. If this is a poll – my vote – ability to turn off/block Flash is key. I would get the PlayBook even without Flash, but since it appears to have Flash, being able to block it is critical.

Copyright © 2007-2016 BerryReview LLC