patching your client-side application

Earlier this week I received the latest CERT advisory in my inbox (TA08-100A), reporting a number of critical vulnerabilities in Adobe Flash (Adobe security advisory APSB08-11) which could allow remote code execution. Whenever I read something like this I just hit the delete key and forget about it. I'm more concerned with a vulnerability in the OS or in a high-profile application (like a web browser). I think I'm wrong to be so dismissive of the security risk posed by these kinds of applications.

Recently, in the high-profile "PWN to OWN" challenge at CanSecWest, QuickTime led to the compromise of the Mac machines. The vulnerability wasn't in the OS. It wasn't in the browser. It was in a client-side application, a browser plugin: similar in function, and in the same class of applications (client-side), as the vulnerable Flash Player that TA08-100A describes.

Browser plugins have a long history of security problems. ActiveX, QuickTime and Flash can all lead to the compromise of your machine. The horrible thing is that many people (myself included) don't have these applications on their 'things to patch' list. I mean, really, when was the last time you updated your RealPlayer? If you run a network, when was the last time you made sure every browser on it had the latest version of Flash installed?
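The question above is easier to answer if plugin versions are part of your inventory and something compares them against the fixed release. The script below is an added example, not code from the original post: it reads a constructed per-host inventory of browser plugin versions (the hostnames and browsers are made up), compares each Flash entry against 9.0.124.0, the release that Adobe shipped for APSB08-11, and reports hosts that still need patching. It accepts both the comma-separated form the Flash ActiveX control writes to the Windows registry (the `CurrentVersion` value under `HKLM\SOFTWARE\Macromedia\FlashPlayer`) and the dotted form Firefox shows in `about:plugins`. Plugins with no known floor are reported separately rather than silently passed, and versions are compared numerically, because comparing them as strings puts `10.0.12.36` below `9.0.124.0`.

```python
"""Flag hosts whose browser plugins are below a known-fixed version.

The inventory below is constructed sample data for this example; in a real
deployment it would come from a login script, SCCM, or a script that reads
the registry / about:plugins on each host.
"""
import re
from typing import Dict, List, Tuple

# Minimum safe version per plugin. Flash 9.0.124.0 is the release that
# closes the APSB08-11 / TA08-100A vulnerabilities. Plugins missing from
# this table cannot be judged and are reported as "unchecked".
MIN_VERSION: Dict[str, str] = {
    "flash": "9.0.124.0",
}

# Constructed inventory: host, browser, plugin, version (whitespace-separated).
# "9,0,115,0" is the registry format of the ActiveX control; "9.0.124.0" is
# the dotted format from Firefox's about:plugins.
INVENTORY = """\
# host      browser   plugin     version
ws-alpha    ie        flash      9,0,115,0
ws-beta     firefox   flash      9.0.124.0
ws-gamma    ie        flash      10,0,12,36
ws-delta    firefox   flash      9.0.45.0
ws-epsilon  firefox   quicktime  7.4.1
"""


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '9,0,124,0' or '9.0.124.0' into a zero-padded integer tuple.

    Padding makes '7.4.1' equal to '7.4.1.0', and integer tuples compare
    numerically, so '10.0.12.36' correctly sorts above '9.0.124.0'.
    """
    parts = [int(p) for p in re.split(r"[.,]", text.strip()) if p]
    if not parts:
        raise ValueError("empty version string: %r" % text)
    parts += [0] * (width - len(parts))
    return tuple(parts)


def is_outdated(plugin: str, version: str) -> bool:
    """True if the plugin has a known floor and this version is below it."""
    floor = MIN_VERSION.get(plugin.lower())
    if floor is None:
        return False
    return parse_version(version) < parse_version(floor)


def check_inventory(inventory: str) -> Tuple[List[Tuple[str, str, str, str]],
                                              List[Tuple[str, str, str, str]]]:
    """Split inventory records into (outdated, unchecked) lists.

    outdated:  records below the known-fixed version for their plugin.
    unchecked: records for plugins with no entry in MIN_VERSION, returned
               so they show up in the report instead of vanishing.
    """
    outdated, unchecked = [], []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("malformed inventory line: %r" % line)
        host, browser, plugin, version = fields
        record = (host, browser, plugin, version)
        if plugin.lower() not in MIN_VERSION:
            unchecked.append(record)
        elif is_outdated(plugin, version):
            outdated.append(record)
    return outdated, unchecked


if __name__ == "__main__":
    needs_patch, unknown = check_inventory(INVENTORY)
    for host, browser, plugin, version in needs_patch:
        print("PATCH  %-10s %-8s %-9s %s (< %s)"
              % (host, browser, plugin, version, MIN_VERSION[plugin.lower()]))
    for host, browser, plugin, version in unknown:
        print("CHECK  %-10s %-8s %-9s %s (no known floor)"
              % (host, browser, plugin, version))
```

Extend `MIN_VERSION` with an entry per plugin you care about as each vendor bulletin comes in; keeping the table in the script is deliberate, so the floor you are enforcing is visible next to the logic that enforces it.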
