Flash Player update or Groundhog Day?

News came out this week that Adobe has issued a new update for Flash Player. My initial reaction was, "Oh great, Groundhog Day." 

From Salted Hash on CSO:

On Tuesday, Adobe issued an update to Flash Player, which addresses a vulnerability that's being actively targeted by criminals.

The vulnerability itself exists in version 12.0.0.43 of Flash Player, for both Windows and OS X; or version 11.2.202.335 for Linux. According to Adobe, the issue is an integer overflow bug that could lead to an attacker gaining remote control over the victim's system.
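The quoted report names an integer overflow as the root cause but does not say how such a bug ends in "remote control over the victim's system". The following is an added illustration of the usual path, constructed for this page; it is not Adobe's code and not the actual Flash Player bug, and the function names and the 16-byte element size are assumptions. An untrusted element count is multiplied by a fixed element size to pick a buffer size, the product wraps in 32-bit arithmetic, the buffer comes out tiny, and any later copy of that many elements runs off its end. The hardened variant shows the check that stops it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of an integer-overflow-to-heap-overflow bug.
 * Generic pattern only: not Adobe's code and not the actual Flash
 * vulnerability. Names and the element size are assumptions. */

#define ELEM_SIZE 16u   /* assumed fixed record size in the input format */

/* Vulnerable: 32-bit product of an attacker-controlled count and the
 * element size. For count >= 2^28 the product wraps, so the caller
 * allocates far less than the data it will later copy in. */
uint32_t vuln_buffer_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* 1 if the vulnerable computation undersizes the buffer for count
 * elements (the wide product no longer matches the narrow one). */
int vuln_undersized(uint32_t count) {
    uint64_t needed = (uint64_t)count * ELEM_SIZE;
    return needed != (uint64_t)vuln_buffer_size(count);
}

/* Hardened: reject counts whose product cannot fit in 32 bits, and bound
 * by a format-specific maximum so a huge but representable count cannot
 * exhaust memory. Returns the byte count, or -1 if rejected. */
long long safe_buffer_size(uint32_t count, uint32_t max_elems) {
    if (count > max_elems)              return -1;
    if (count > UINT32_MAX / ELEM_SIZE) return -1;   /* overflow guard */
    return (long long)(count * ELEM_SIZE);           /* cannot wrap now */
}

int main(void) {
    uint32_t evil = 0x10000001u;   /* 2^28 + 1: 32-bit product wraps to 16 */
    uint32_t sz = vuln_buffer_size(evil);
    unsigned char *buf = malloc(sz);   /* a 16-byte heap chunk */
    printf("vulnerable path: %u elements -> %u-byte buffer (needs %llu bytes)\n",
           evil, sz, (unsigned long long)evil * ELEM_SIZE);
    /* A loop copying `evil` elements into buf would now write billions of
     * bytes past the chunk; that heap corruption is what an attacker steers
     * toward code execution. The copy is deliberately not performed here. */
    free(buf);
    printf("hardened path: %lld (-1 means rejected)\n",
           safe_buffer_size(evil, 1u << 20));
    return 0;
}
```

Build with `cc -Wall -o intovf intovf.c` and run it. The guard `count > UINT32_MAX / ELEM_SIZE` is the portable form; on GCC and Clang `__builtin_mul_overflow` expresses the same check without the division and is harder to get wrong when the element size is itself a variable.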


But why does this continue to happen? There are various pieces of software that people use almost daily, such as Internet Explorer, Java and Flash. My curiosity lies in a perplexing question: why must we live in a perpetual Groundhog Day?

Case in point: Microsoft's Internet Explorer 6.0 still commands a 4.54% market share. Granted, there have been multiple version revisions since then, and to be fair, that lies on the heads of the end users rather than Microsoft. Why, for all that is good and holy, do users continue to run outdated and extremely vulnerable software?

Then we have the software that is a perpetual target. Sorry Adobe, I'm just going to pick on you because it is convenient. The latest Flash release deals with a problem that could lead to "an attacker gaining remote control over the victim's system". While I grant this is bad, my difficulty is with how often this type of issue pops up in that software. I ran a quick search on Secunia to see how often "Adobe Flash" was found. The search revealed 176 vulnerabilities. I freely admit I didn't parse through them all to see which affected what. My point is simple: I am curious to know why this continues.

At some point, does it not make sense to rebuild an application from scratch? I understand that there are costs involved in rebuilding an application from the ground up. But how much does it cost to deal with broken software? What is the cost to the company of being in constant fire brigade mode? Would it not make more financial sense to deal with the problem by attacking the core issues?

While end users can hold on to software like Internet Explorer 6.0 for an absurdly long time, eventually they move on. Similarly, software that puts end users at risk of being compromised by the criminal element will eventually drive them away. 

What are your thoughts on this? Drop me a line in the comments section.


Copyright © 2014 IDG Communications, Inc.
