Adobe Squeezes More Security Into - and More Cash Out of - Flash
Mar 28, 2012 11:45 AM PT
In its ongoing quest to keep Flash relevant in the face of strong competition from HTML5, Adobe on Wednesday announced Flash Player 11.2, featuring a silent updates option to enhance the platform's security.
Improving the security of Flash Player through silent updates is critical because more than 99 percent of malware installations succeed by targeting out-of-date software installations, and attackers have been targeting users trying to manually search for Flash Player updates with fake update sites, Adobe said.
Adobe Flash Player is a favorite target for hackers, and "improving the update process is probably the single most important challenge we can tackle for our customers at this time," Adobe spokesperson Wiebke Lips told TechNewsWorld.
Adobe also announced on Wednesday that it will charge game developers to use premium features in Flash Player.
How the Silent Update Works
Users who install Flash Player 11.2 will see a dialog box offering three update choices. The default option is automatic updates. The others are to notify the user when updates are available, and to never check for updates.
The background updater will check Adobe's site for updates hourly until it gets a response. If the response shows there are no new updates, it will wait 24 hours before checking again.
Once updates are available, the latest version of Flash Player, with all updates made to it since the user's system was last updated, will be installed, Lips said. If users are running multiple browsers, every browser will be automatically updated.
When automatic updates are available, the background updater will install them without requiring a browser or system restart, Lips said. If users turn off their PCs, the background updater resumes checking for updates as soon as the PCs are switched on again.
Reactions to the Silent Update
"All I can say [about the silent update option] is, it's about time," Joe Levy, chief technology officer of Solera Networks, told TechNewsWorld. "Not two days ago, a colleague and I were joking that Flash should be an on-demand, ephemeral installable rather than something that's system-resident, too often outdated, and frequently exploited. Auto-updates are a very welcome and perfectly reasonable compromise."
The strain on a PC's resources imposed by the frequent checks for updates is "negligible," Levy said.
However, Mike Ricci, vice president of Webtrends' digital solutions group, contends that the frequency of the checks "will invariably consume a great deal of memory."
"Zscaler ThreatLabZ's research shows a prevalence of outdated Adobe Reader and Flash Player plugins, even among enterprise users," Mike Geide, the lab's senior security researcher, pointed out. In Q4 2011, 64 percent of Adobe Reader plug-ins used in the enterprise were outdated, he told TechNewsWorld.
However, the silent update feature in Flash Player 11.2 may not significantly beef up security, Webtrends' Ricci cautioned, because users will have to update to Flash Player 11.2 first.
"That tends to be a slow process at best," Ricci told TechNewsWorld. "So to say that it would reduce exploits by any substantive amount is a huge leap of faith." Many users routinely ignore updates, "so it's unlikely that the majority will upgrade to 11.2 and therefore have silent update capability."
Games People Play
Adobe has also announced premium features that support specialized gaming middleware and development tools from third parties as well as from its own devs.
These new features provide access to domain memory in combination with hardware-accelerated Stage3D in Flash Player. They let existing C or C++ codebases run sandboxed across browsers in Flash Player.
The premium features are available royalty-free and without restriction through July 31. From Aug. 1, applications that make less than US$50,000 will be able to continue using the premium features at no charge. Others, though, will have to pay Adobe 9 percent of net revenues above $50,000. Net revenue is what's left after deducting taxes and all fees. Devs who offer apps packaged for iOS, Android, Windows or Mac OS using Adobe AIR will not have to pay fees.
"Moves like this only promise to yield Adobe diminishing returns over time," Eric Leland, a partner at FivePaths, told TechNewsWorld. "I expect that while Flash gaming companies will take a close look [at the premium features], this move will push many to more seriously consider the alternatives to Flash."