The new Adobe Flash update changes some of the software's behavior to counter the potentially dangerous hardware vulnerabilities that were recently disclosed. At only 22 megabytes, the new update is available for all platforms. If you haven’t downloaded it yet, you can get it from here. Run the installer once the download is over and you should be all set.
Meltdown and Spectre
In July 2017, several research teams from Google, Cyberus Technology, and Graz University of Technology independently discovered two grave vulnerabilities affecting modern CPUs. The identified flaws particularly impacted IBM POWER processors, Intel x86 microprocessors, and some ARM-based microprocessors. The two security weaknesses were given the infamous code names Meltdown and Spectre.
Meltdown and Spectre are two security defects embedded in the architecture of most modern processing units. They allow attackers or rogue software to exploit hardware vulnerabilities and read data without permission. Typical programs are not designed to exploit these loopholes, but malicious software might be. The vulnerable information could include passwords, emails, instant messages, or any other type of document that can be cached.
Despite being linked together, Meltdown and Spectre do two complementary but different things. Meltdown allows malicious programs to break the foundational barrier between the operating system and user applications. Any malevolent third-party software exploiting the Meltdown vulnerability will gain direct access to memory and, with it, to secrets stored by other programs. Spectre, on the other hand, dissolves the barrier between applications. It essentially tricks other applications into leaking their information.
What Does the New Update Bring?
The new Flash update mitigates the potential danger of Meltdown and Spectre. To reduce the risk, and possibly eliminate it, the Adobe Flash team decided to turn off the ‘shareable’ property of the ActionScript ByteArray class by default, unless users choose to enable it of their own accord. The default can be overridden for Flash Player 30 and above by setting ‘EnableInsecureByteArrayShareable’ to 1 instead of 0. Only administrators can make this change. The development team also decided to add jitter to the event and timer APIs.
The update also allows administrators to enable the shareable feature on a per-domain basis. The ‘EnableInsecureByteArrayShareableDomain’ setting will allow admins to create a whitelist that includes exceptions to the rule. The enabled setting will only apply to the domain names or IP addresses included in the list. Otherwise, any access request will be denied. To make it easier for developers, an asterisk wildcard can be used as a prefix for a domain name to include it automatically in the whitelist. For example, *gadgetadvisor.com would allow all Flash content that requires the shareable property to run on gadgetadvisor.com.
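The following audit script is an added example, not Adobe's code or part of the original article. It checks a Flash administrator config for the two overrides described above and flags entries worth reviewing. It assumes the settings are stored as key=value lines with '#' comments, one domain per line, and that a '*' prefix is matched as a plain suffix; the function names and sample config are constructed for illustration.

```python
# Added example: audit the ByteArray 'shareable' overrides described above.
# Assumptions: key=value lines, '#' comments, one domain entry per line.
SAMPLE_CFG = """\
# constructed sample, not taken from a real host
EnableInsecureByteArrayShareable=0
EnableInsecureByteArrayShareableDomain=*gadgetadvisor.com
EnableInsecureByteArrayShareableDomain=192.0.2.10
"""

def parse_cfg(text):
    """Return (global_override_enabled, [domain patterns])."""
    enabled, domains = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "enableinsecurebytearrayshareable":
            enabled = value == "1"
        elif key == "enableinsecurebytearrayshareabledomain" and value:
            domains.append(value.lower())
    return enabled, domains

def host_allowed(host, patterns):
    """Assumed semantics: '*suffix' matches any host ending in suffix;
    any other entry (domain name or IP) must match exactly."""
    host = host.lower()
    for p in patterns:
        if p.startswith("*"):
            if host.endswith(p[1:]):
                return True
        elif host == p:
            return True
    return False

def audit(text):
    """Return findings an administrator should review."""
    enabled, domains = parse_cfg(text)
    findings = []
    if enabled:
        findings.append("global override on: shareable ByteArray enabled for all content")
    for p in domains:
        if p == "*":
            findings.append("pattern '*' whitelists every domain")
        elif p.startswith("*") and not p.startswith("*."):
            findings.append(f"pattern '{p}' has no dot after '*': a suffix match also covers look-alike hosts")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("REVIEW:", finding)
```

Run against the constructed sample, the script reports the undotted wildcard entry; the exact IP entry and the disabled global override produce no findings.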
After a long history of helping to create animated content on the web, Adobe announced in 2017 that it had decided to end the life of Flash by the end of 2020. However, the company is planning to continue support for the freeware until the last minute. Over the upcoming months, Adobe is expected to roll out more updates to fortify Flash against security vulnerabilities and improve its features before it puts Flash to bed once and for all in two years' time.