June 10, 2010

As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.
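Because the IE (ActiveX) install and the plugin used by other browsers are updated separately, a machine can be half-patched. The following is an added example, not part of the original post, that audits an inventory for installs still at 10.0.45.2 or earlier; the host names, the `activex`/`plugin` labels and the inventory format are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict

# From the article: Flash Player 10.0.45.2 and earlier are affected.
LAST_VULNERABLE = (10, 0, 45, 2)


def parse_version(text):
    """Turn '10.0.45.2', '10,0,45,2' or 'WIN 10,1,53,64' into a 4-int tuple.

    Comparing tuples of ints avoids the string-comparison trap in which
    '9.0.262.0' sorts after '10.1.53.64'.
    """
    parts = re.findall(r"\d+", text)
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised Flash version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def needs_update(version_text):
    """True if the reported version is 10.0.45.2 or earlier."""
    return parse_version(version_text) <= LAST_VULNERABLE


def audit(inventory):
    """Return {host: [install kinds that still need the update]}."""
    report = defaultdict(list)
    for host, kind, version in inventory:
        try:
            stale = needs_update(version)
        except ValueError:
            stale = True  # unreadable version: treat as unpatched until checked
        if stale:
            report[host].append(kind)
    return dict(report)


# Constructed sample inventory: (host, install kind, reported version).
INVENTORY = [
    ("ws-01", "activex", "10.1.53.64"),   # IE updated ...
    ("ws-01", "plugin", "10.0.45.2"),     # ... but the other browsers were not
    ("ws-02", "activex", "WIN 10,0,42,34"),
    ("ws-02", "plugin", "9.0.262.0"),
    ("ws-03", "plugin", "10.1.53.64"),
    ("ws-04", "activex", "unknown"),
]

if __name__ == "__main__":
    for host, kinds in sorted(audit(INVENTORY).items()):
        print(f"{host}: update needed for {', '.join(kinds)}")
```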

Please take a moment to check if you have Flash installed and — if so — to update it: A working copy of the code used to exploit this vulnerability has been included in Metasploit, an open source penetration testing framework. Also note that Adobe likes to bundle all kinds of third-party software — from security scanners to various browser toolbars — with its software, so if you don’t want these extras you will need to uncheck the box next to the added software before you click the download button.

The vulnerability that prompted Adobe to issue this interim update (the company had been slated to issue these and other security updates on July 13) also is present in Adobe Reader and Acrobat, although Adobe says it does not plan to fix the flaw in either of these products until June 29.

Now would be a great time for longtime users of Adobe’s free Reader software to consider removing Reader and switching to an alternative free reader, such as Foxit or Sumatra.

Note that Flash generally comes with Adobe Download Manager, a package that in prior versions has been found to harbor its own security vulnerabilities. The download manager is designed to uninstall itself from machines after a reboot, so to be on the safe side, you may want to reboot your system after updating Flash.

http://www.adobe.com/support/security/bulletins/apsb10-08.html

33 thoughts on “Adobe Flash Update Plugs 32 Security Holes”

  1. Toni

    This is such a pain in the ass to install into Firefox, and I consider myself pretty tech savvy. Missing plugins are needed for the Flash installation, and their instructions for Firefox users link doesn’t go to an instructions page. So screw it, I’m just going to uninstall Flash and be done with it.

  2. JBV

    Thanks yet again, Brian.

    Version 10.1.53.64 wouldn’t install in either IE or Chrome until I uninstalled the old version.

  3. Toni

    That’s what I had to do as well. Once I uninstalled all the old versions, 10.1 finally installed.

    1. raul

      That’s only because it’s a beta release; major upgrades install without uninstall.

      1. Mike A.

        Nope, Flash Player 10.1.53.64 is a stable release (not beta).

      2. prairie_sailor

        Per Adobe you should only have to uninstall if you had one of the betas or RCs of 10.1 installed.

  4. F-3000

    You can round the need to install Adobe Download Manager by downloading the .exe with Linux, by choosing “Different operating system or browser?”-link at http://get.adobe.com/flashplayer/, and from there picking the Win version you’re using.

    I hope Adobe will get rid of the annoying ADM.

    1. F-3000

      Below are direct links (by TekFan) for the .exe-files, which most likely can be used to download installers without DLM, on Windows.

  5. JCitizen

    I have version 10.1.53.64. Secunia reports this one has some vulnerabilities as well. Lists it as a CAT 3 threat.

    It appears only the 10.0.x.x version is available for Firefox plug-in.

    When is the HTML-5 standard coming out, so we can dump Flash?

    I’m getting very sick and tired of Adobe’s junkware.

      1. JCitizen

        @F-3000,

        Yes my FF reports the same version number; 10.1.53.64.

        The plug-in page animation works!

        I don’t know why they reported they only had a previous version available!?!?

    1. Russ

      Assuming HTML5 won’t bring a host of new security issues is naive. If a machine requires high security today, I can run it without Flash or Reader/Acrobat. That won’t work the same way in a world where everything you use is an HTML5 webapp.

      1. JCitizen

        I’m not saying HTML-5 will be perfect, but getting rid of Adobe, will make it seem like perfection from heaven. The patch cycle will go on, of course.

        I’m sure this is why Steve Jobs was trying to dump Adobe with his new products, as things are going quite well in HTML-5 development.

      2. Mike

        HTML5 will almost have implementation errors. It will also not be a monoculture (there will be competing implementations) so they will be easier to work around and hopefully less susceptible to catastrophic 0days.

  6. JCitizen

    That’s weird! The page reported they only had version 10.0.45.x – or some older version like that, if I remember correctly; but when you install it, the same page reports the newer 10.1.53.64!

    Go figure!

  7. Lech D

    You can get around the need for the Adobe DLM (on Windows at least) by going to the download page and starting a download but canceling the DLM install. As soon as you do that you should see a link “if your download has not begun, click here” to trouble-shoot at the bottom of the page and it should link to a manual installer. Both ActiveX and non-AX installers should be available so you can cover IE + Firefox/Chrome/Opera/Whatever without having to worry about an extra Download Manager or extras.

    The only drawback is having to download and run two separate updates, but that’s a small price to pay. Afterward just point your browser to http://www.adobe.com/software/flash/about/ to make sure the update was successful and your version number is up to date.

    1. JCitizen

      On my Vista x64, I used the download manager and still had to install the FF plug-in separately.

      I think Adobe could care less, they are just limping along until HTML-5 comes out.

  8. Jim

    I made several uninstall/install attempts. The update Flash Player would not install. Had to do a previous day restore to get Flash going.

    Adobe should just go into the malware business and stay there. What a hassle.

  9. JohnJ

    As usual, when I go to the Adobe Flash Player Installation Page with IE8-32, the web site falsely claims that I am using IE8-64, and refuses to make the Flash update available.

  10. d

    It’s no wonder people have unwanted issues on their computers. Adobe – which obviously doesn’t care – still can’t decide on a name for their Flash Player, hence a large portion of users aren’t sure if they have it on their systems or not.

    Hopefully, someone designs a half-a**ed alternative so we dump Flash just like I did with Reader years ago.

    (Dear Mozilla, I have yet to get Plugin Check to work. Does it work?)

    1. Michael

      Gnash has one (google “adobe flash alternative”). Have read that it works but lags behind in features and not Gnash’s fault as Adobe refuses to release info to 3rd-party developers.

  11. JustMyThreeCents

    Is there a substitute for the Flash plug-in? I find having to download it multiple times for different browsers, having to remove older versions manually, having to install the Windows version twice (don’t know why but that’s what my PC requires), and having to manually remove the DLM each time I update a real pain.

    And, if it weren’t for this Blog, I wouldn’t know when to update the Flash plug-in at all potentially exposing my computer to who knows what mischief.

    1. JustMyThreeCents

      Sorry – just read the post from Michael.

  12. xAdmin

    Not sure what all the hullabaloo is about. I’ve updated multiple systems, some with multiple browsers and haven’t had an issue. I do the following:

    1. Download the uninstaller: http://kb2.adobe.com/cps/141/tn_14157.html
    (Note: it gets updated every time the player is updated)

    2. Download the browser specific exe:
    For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

    For other browsers (Chrome, Firefox, Safari, Opera): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    3. Put all files somewhere centrally accessible (ex. network storage, thumb drive, CD-R, etc.)

    4. Logged in as administrator, close all open programs (to minimize something holding Flash Player in use and requiring a reboot), run the uninstaller

    5. Run the installer (for each browser if needed)

    6. Verify installation (in each browser if multiple): http://www.adobe.com/software/flash/about

    Never needed a reboot. No Download Manager stuff, no toolbar offers. Done. Move on. 🙂

  13. Jim

    Flash update is nagging me to update again. I went through the default uninstall/install, again, with the same can’t install results. Sooooooooooooooooo…..I’m stuck with the outdated bundle.

  14. Reid

    I had no issues updating the Adobe Flash Player for both Firefox and IE8 using the Adobe DLM.

    However, updating all the instances of FlashPlayer and the Firefox/Netscape Plugin and the IE ActiveX controls located within the Flash app in CS4 was another case entirely.

    Currently, there is no global update available from Adobe for Flash CS4. All that is available are four files that must be renamed and copy/replace into the appropriate folders within the Flash CS4 Program Files folder. I found a total of 7 files that were affected. The file updates are available here:

    http://www.adobe.com/support/flashplayer/downloads.html

    Unfortunately there are no clear cut instructions regarding which files go where. I had to compare versions and size of the existing files before overwriting with the new file versions.

    While Secunia PSI helped to find the file locations for the insecure versions, its suggested fixes were inaccurate in many cases.

    For those interested in uninstalling Flash Player, and its related Firefox/Netscape Plugin and IE Active X control, an un-installer is available for both Windows and Mac. From the Adobe TechNote “tn_14157”:

    “You can uninstall the player only by using the Adobe Flash Player uninstaller. Follow these steps to download and run the appropriate uninstaller for your system:”

    http://kb2.adobe.com/cps/141/tn_14157.html

    1. JCitizen

      PSI has a new version now; they seem pretty good at updating and improving. When I use PSI for flash, I always click the hyperlink with the uninstaller for the previous version first – run it – then click the “fix-it” button to download the replacement. I never have to go chasing files after that.

      File locations seem to have become more accurate for XP now. I haven’t noticed for Vista x64 yet, as I never have to go looking for them anymore.
