Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

Adobe Flash Player 11 Promises Security Improvements

Flash Player upgrade will add SSL and better crypto features, while Android version gets the ability to nuke Flash cookies.

Adobe announced this week that it's putting the finishing touches on a new version of Flash Player that will provide new security and privacy enhancements on both the desktop and mobile versions of its application.

Notably, Flash Player 11--set to debut in early October--adds desktop support for SSL socket connections, as well as a secure random number generator, both of which should help developers better secure users' information. "Flash Player previously provided a basic random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn't meet the complete cryptographic standards for random number generation," said Adobe's Lindsey Wegrzyn, senior product manager for privacy, and Peleus Uhley, a platform security strategist, in a blog post.

Instead, Flash Player 11 will include a random number generator API that hooks into the cryptographic functionality built into the underlying operating system. "The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts," said Wegrzyn and Uhley.

For the first time, Flash Player 11 adds 64-bit operating system support. One upside of this will be more effective address space layout randomization (ASLR) for Linux, Mac OS, and Windows browsers that support ASLR in 64-bit mode. "Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR," said Wegrzyn and Uhley.


The Android version of Flash Player 11, meanwhile, will also sport a number of security enhancements, some of them previously introduced for desktops as of Flash Player 10.3 in May. Notably, mobile device users will gain the ability to clear local shared objects--aka Flash cookies--from their browser. Other improvements include a device-native control panel for controlling Flash Player settings, as well as support for private browsing, aka incognito mode, although this feature will only work on Android Honeycomb (version 3.x).

Beyond these security and privacy enhancements, Adobe said Flash Player 11, as well as AIR 3--the new version of Adobe's cross-platform, Web application runtime environment, also set to be released next month--will offer high-definition video and three-dimensional rendering. Adobe said the new, underlying rendering engine, called Stage 3D (which runs on desktops and laptops, but not smartphones or tablets), renders 1,000 times more quickly than the engine built into Flash Player 10. As a result, Adobe is touting Flash Player 11 as a way to offer "console-quality games" to users, and said the technology will also support high-quality HD videoconferencing.

With AIR 3, Adobe is also adding support for three new platforms: iOS (including the iPhone and iPad), Android, and Adobe AIR for TV. In addition, AIR developers will be able to build their own native extensions for AIR applications, which Adobe said may improve performance. Developers can also use these extensions to access native operating system and hardware features, "such as sensors (gyroscopes, magnetometers, light sensors, etc.), multiple screens, native in-app payments, haptic/vibration control, device status, and Near Field Communications," said Adobe.
