Posted by: Samker
« on: 31. March 2010., 19:32:36 »Google and Adobe announced a cozy new partnership--combining Flash directly into the Chrome Web browser rather than requiring an additional plug-in. While inherent functionality is better than having to find, install, and update plugins, Adobe is also a prime target for malicious code and may weaken Chrome's security posture.
Of the major Web browsers--including Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari in addition to Chrome--Google's was the only one left standing at the recent Pwn2Own contest. Google did admit that the Chrome browser is vulnerable to the same exploit used to take down Safari, but Chrome emerged as the only browser not hacked during the contest: http://www.cio.com/article/492821/Google_s_Chrome_Was_Hackable_At_Pwn2Own_Contest
With built-in Flash, Google exposes the Chrome Web browser to a whole new realm of code it doesn't even control, possibly introducing flaws and vulnerabilities that could be exploited to attack the browser. If the Pwn2Own contest taught security professionals anything this year, it's that the Web browser is the Achilles heel of the computer, and selecting and maintaining a secure browser are important for the overall security of the system.
Combining the Achilles heel of computer security with the weakest link in the security chain is probably not a good recipe for protecting your computer systems. I don't mean to pick on Adobe per se, but I am not the one that started it. Malicious code developers have figured out that Adobe is a fairly ubiquitous cross-platform target that doesn't have the same level of maturity for developing secure application code as Microsoft, and other operating system vendors.
Adobe exploitation isn't limited to Adobe Flash. The freely distributed Adobe Reader software has been plagued with zero-day exploits, and security vendor F-Secure has noted a spike in PDF-based targeted attacks in 2010: http://www.f-secure.com/weblog/archives/00001903.html
Nuance, makers of PDF Converter Pro, has developed a free PDF reader of its own to help customers view PDF files without exposing the system to the security vulnerabilities of Adobe. The Nuance PDF Reader software provides a more secure alternative to Adobe Reader by turning off Javascript processing by default--a security control Adobe has not implemented: http://www.nuance.com/imaging/products/pdf-reader.asp
My PCWorld colleague Harry McCracken is cautiously optimistic about the integration of Flash with Chrome. "Conceptually, I like the idea--but only if it makes Flash more or less transparent. Over the years, I've wasted a fair amount of time reinstalling and updating Flash, dealing with odd errors (like demands for more storage), and recovering from Flash crashes."
McCracken adds "If the integrated version results in a Flash that's just there, it'll be a good thing. And it would help make Flash more palatable in a world in which it'll compete with open, browser-native HTML5 technologies-which is presumably part of the idea."
It is true that it would be nice for Flash to "just work" without the need to download and install plugins. What is even more critical for businesses, though, is the consideration of whether or not Flash, Reader, or other Adobe products compromise the security posture of the computer and expose the network to unnecessary risk.
If you are already using Chrome, you will be able to enable or disable the built-in Flash feature. If you are using another browser, consider the security implications of the built-in Adobe Flash functionality when examining Chrome as an option.
One last note; Adobe may be a primary target for attackers right now, but don't let your guard down in other areas. Make sure you keep all of your software patched against known vulnerabilities, and keep your anti-malware and other security applications up to date.
(PCW)