Google exploit update; what no Flash?

Microsoft has published a critical security update, MS10-002, as
of Thursday, 21 January. The patch was rushed out ahead of the
regular monthly cycle and covers eight IE vulnerabilities (seven
privately reported ones plus the publicly disclosed one used in the
attack on Google), even as attackers were working on converting the
Google exploit so that it succeeds against later versions of IE.

If you thought there was only one IE vulnerability to patch, you
might be wondering why eight get patched here. In reality, there
are still more outstanding IE vulnerabilities. Microsoft is not
alone here, as other browser vendors also have outstanding
vulnerabilities, but IE is still the browser most targeted by
attackers. Brian Krebs posted a nice blog entry about his look at
the Eleonore browser exploit kit, with screenshots that include the
kit's logs of successfully exploited browsers, among them older
versions of Firefox as well as Safari, Chrome, and Opera.

http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browse...

In other news, Apple announced the iPad yesterday. The iPad will
run iPhone and iPod touch apps, and like those devices has no
support for Flash. While Apple is most likely doing this for
competitive reasons, Flash remains one of the most dangerous, and
most popular, browser plugins. A plugin is native code loaded into
the browser process, so it sits outside the limited sandbox the
browser erects around scripts, which confines them to the code and
data of their own origin (the Same Origin Policy); Flash brings its
own, separate security model instead. Any Flash application you run
is therefore code executing in an interpreter that runs with your
user privileges, and a bug in that interpreter lets the attacker do
whatever you can do. On top of that, Flash is very difficult to
sandbox, because it needs to write to your display and wants the
ability to read and write your filesystem as well.
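Since the browser's own sandbox does nothing for a bug inside a plugin, the practical check on any machine is whether Flash is installed at all and whether it is current. The following is an added example, not code from the original post: it walks a navigator.plugins-style list, pulls the Flash version out of the plugin description in the two formats browsers report it ("10.0 r42" in Firefox-style descriptions, "10,0,42,34" as IE's ActiveX control reports it), and compares it with a minimum you supply. The SAMPLE_PLUGINS list is constructed for illustration, and the minimum version passed in is a placeholder assumption, not a statement of what Adobe's current release is.

```javascript
// Added example: inventory browser plugins and flag an outdated Flash
// Player. Runs in a browser against navigator.plugins, or in Node against
// the constructed SAMPLE_PLUGINS list below.

// Parse a Flash version out of free text into an array of integers.
// Firefox-style descriptions read "Shockwave Flash 10.0 r42"; the IE
// ActiveX control reports "10,0,42,34". Both normalise to dotted form.
function parseVersion(text) {
  const norm = text.replace(/\s+r(\d+)/, '.$1').replace(/,/g, '.');
  const m = norm.match(/(\d+(?:\.\d+)+)/);
  if (!m) return null;
  return m[1].split('.').map(Number);
}

// Compare two version arrays; missing trailing components count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Find the Flash plugin entry, if any, and extract its version.
function findFlash(plugins) {
  for (const p of plugins) {
    if (/shockwave flash/i.test(p.name || '')) {
      const version = parseVersion(p.description || '') ||
                      parseVersion(p.version || '');
      return { name: p.name, version };
    }
  }
  return null;
}

// Report whether Flash is installed and whether it is below `minimum`
// (an array such as [10, 0, 42]). An unparseable version is treated as
// outdated, since we cannot show it is current.
function auditFlash(plugins, minimum) {
  const flash = findFlash(plugins);
  if (!flash) return { installed: false, outdated: false, version: null };
  const outdated = flash.version === null ||
                   compareVersions(flash.version, minimum) < 0;
  return { installed: true, outdated, version: flash.version };
}

// Constructed sample of what navigator.plugins might contain; not a real
// capture. The Flash entry is deliberately one release behind.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.0 r32',
    filename: 'NPSWF32.dll' },
  { name: 'Java Deployment Toolkit 6.0.170.4',
    description: 'NPRuntime Script Plug-in Library for Java(TM) Deploy' },
];

// Placeholder minimum for the demonstration (assumption, not Adobe's
// actual current release); substitute the version Adobe currently ships.
const ASSUMED_MINIMUM = [10, 0, 42];

if (typeof navigator !== 'undefined' && navigator.plugins) {
  console.log(auditFlash(Array.from(navigator.plugins), ASSUMED_MINIMUM));
} else {
  console.log(auditFlash(SAMPLE_PLUGINS, ASSUMED_MINIMUM));
}
```

This is a self-check, not a control: it tells you the plugin is there and how old it is, but nothing a page does in script can restrict what the plugin itself can reach once it is loaded.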

So, from my perspective, leaving Flash out of the iPad is a good
thing...