 
Adobe introduces automatic updating for Flash Player. Hopefully this will be a trend for all PC software.
 
Automatic updates aren't always good. What if someone gets a "trojan" into an update, then everyone has been updated to the new insecure version... It can be useful, and good, but it needs to be used wisely.
 
+Timothy White You'll find most auto-update mechanisms will include a digital signature verification process of some kind - obviously doesn't make it impossible for a malicious update to be rolled out, but does mean that the perpetrator would have to do a lot to make it happen.

To be honest, where Flash (in its current form) is concerned, the software itself represents a bigger risk to your system than the slim chance of somebody infiltrating Adobe's servers (or a disgruntled developer having a laugh)...
 
They would need to get the hacked cert, have control over Adobe's servers, and hope that Adobe doesn't notice anything's wrong while they distribute the package to people (they can't push, only on request.)
 
Don't forget that years ago manufacturers shipped viruses by accident with software they sold. And it can still happen today. My point is that with automatic updates, you'd have plenty more people with the virus before it was discovered than with manual updates. Although, it also means with security fixes, you have plenty more people fixed before an exploit is written.
 
Not really. The Adobe servers cannot push updates; the service on the computer runs and checks for updates at some interval of time.

Instead of hacking Adobe and hoping people update before anyone realizes, why not hack Facebook and throw blackhole exploit kit? I mean, if we're assuming the hackers are capable of such feats. In 30 seconds on Facebook with bhek you'd have millions of Flash/Java/PDF etc exploits.

Simpler hacks are better hacks. Breaking into Adobe's servers, using forged certificates, and waiting for users to update - complicated. Hacking 1 million pages with automated SQL injection and loading up blackhole exploit kit - easy.