September 20, 2010

Adobe Systems Inc. today rushed out a software update to remedy a dangerous security hole in its ubiquitous Flash Player that hackers have been exploiting to break into vulnerable systems.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1. Updates are available from this link.

Adobe’s advisory on this flaw is here. The same security vulnerability also exists in the latest versions of Adobe Reader and Acrobat, although Adobe says it doesn’t plan to fix this vulnerability in those products until the week of Oct. 4.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update at least twice: IE loads Flash as an ActiveX control, while Firefox, Opera and Safari load a separate plugin binary, so visit the Flash Player installation page once with IE and then again with one of the other browsers. Google Chrome users can update to Chrome 6.0.472.62 to grab this latest Flash update, since Chrome ships its own bundled copy of Flash. To check which version of Flash you have installed, visit this link; the page reports the version used by the browser you open it in, so check from each browser you use.
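The version thresholds above are the whole patching decision, and the trap in automating it is that a dotted version string must be compared numerically, not as text. The following audit helper is an added example, not code from Adobe or from this post; the component names and the sample inventory are constructed for illustration, and the fixed-version values are the ones quoted from the advisory above.

```python
"""Audit Flash Player components against the fixed versions named in the advisory."""
from typing import Dict, List, Tuple

# Minimum fixed versions quoted above: desktop platforms (Windows, Mac, Linux,
# Solaris) are fixed in 10.1.85.3; Android is fixed in 10.1.95.1.
FIXED_VERSION: Dict[str, str] = {
    "desktop": "10.1.85.3",
    "android": "10.1.95.1",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.1.85.3' into (10, 1, 85, 3) so comparison is numeric.

    Comparing the raw strings gets it wrong: as text, '10.1.102.64' sorts
    *below* '10.1.85.3', which would flag a newer build as vulnerable.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed version is older than the fixed release for that platform."""
    return parse_version(version) < parse_version(FIXED_VERSION[platform])


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """inventory holds (component, platform, version) triples, one per Flash
    binary on a host (the IE ActiveX control and the plugin used by other
    browsers are separate binaries and must both be listed).
    Returns the names of components that still need the update."""
    return [name for name, platform, ver in inventory if is_vulnerable(platform, ver)]


# Constructed sample inventory (assumed, not real host data): a Windows box that
# was patched through IE but not through Firefox, plus an Android handset.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("IE ActiveX control", "desktop", "10.1.85.3"),
    ("Firefox NPAPI plugin", "desktop", "10.1.82.76"),
    ("Android Flash Player", "android", "10.1.92.10"),
]

if __name__ == "__main__":
    for component in audit(SAMPLE_INVENTORY):
        print("STILL VULNERABLE:", component)
```

Feed `audit` the versions read from each browser's Flash version page (or from the files on disk) and it lists exactly the binaries that were missed, which is the check the "at least twice" warning above is really about.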

Also, unless you want some “free” software — like McAfee Security Scan or whatever browser toolbar Adobe is bundling with Flash Player this month — remember to uncheck that option before you agree to download the software.


24 thoughts on “Security Fix for Critical Adobe Flash Flaw”

  1. Russ

    Call me cynical, but could it be Adobe actually desires numerous vulnerabilities in their products? Each patched installation is another opportunity for them to get paid for toolbar installation. Most people uncheck the box, but if you have to do it EVERY SINGLE G-D D-MN MONTH you’ll probably forget at some point and WHAM-O that’s a nickel in Adobe’s piggy bank.

    What a piece of junk. HTML5 can’t get here soon enough; even if it has problems it couldn’t be this bad. Hell even Silverlight could be a better alternative.

    1. BrianKrebs Post author

      I can see how one might get that impression. Adobe sure has issued a LOT of updates and warnings so far this year. It is one of the most-attacked vendors on the planet, mainly because its software is installed on most of the computers on the planet.

      The company is coming close to approaching the number of vulnerabilities Microsoft has fixed so far this year.

      Jan 5: Attackers Targeting Adobe Reader Flaw,
      http://krebsonsecurity.com/2010/01/security-tweaks-for-adobe-reader/

      Jan 13: Adobe Update Covers Eight Reader, Acrobat Flaws
      http://krebsonsecurity.com/2010/01/microsoft-adobe-issue-security-updates/

      Feb. 11: Flash Update Fixes 2 Critical Holes
      http://krebsonsecurity.com/2010/02/critical-security-update-for-adobe-flash-player/

      Feb. 17: Reader, Acrobat Updates Fix Two Security Bugs
      http://krebsonsecurity.com/2010/02/security-updates-for-adobe-reader-acrobat/

      Apr. 13: Adobe Reader, Acrobat Update Plugs 15 Security Holes
      http://krebsonsecurity.com/2010/04/adobe-microsoft-push-security-upgrades/

      June 5: Hackers Exploit Critical Flaw in Flash, Acrobat, Reader
      http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/

      June 10: Flash Update Fixes 32 Security Flaws
      http://krebsonsecurity.com/2010/06/adobe-flash-update-plugs-32-security-holes/

      June 29: Adobe Fixes critical Reader, Acrobat Bug
      http://krebsonsecurity.com/2010/06/security-update-for-adobe-acrobat-reader/

      Aug. 10: Adobe Update Corrects Six Critical Flash Flaws
      http://krebsonsecurity.com/2010/08/critical-updates-for-windows-flash-player/

      Aug. 19: Adobe Targets Two Flaws in Acrobat, Reader
      http://krebsonsecurity.com/2010/08/adobe-issues-acrobat-reader-security-patches/

      Aug. 25: Adobe Shockwave Update Fixes 20 Security Holes
      http://krebsonsecurity.com/2010/08/adobe-apple-issue-security-updates/

      Sept. 8: Attackers Exploiting New Acrobat/Reader Flaw
      http://krebsonsecurity.com/2010/09/attackers-exploiting-new-acrobatreader-flaw/

      Sept. 13: Adobe Warns of Attacks on New Flash Flaw
      http://krebsonsecurity.com/2010/09/adobe-warns-of-attacks-on-new-flash-flaw/

      Sept. 20: Security Fix for Critical Adobe Flash Flaw
      http://krebsonsecurity.com/2010/09/security-fix-for-critical-adobe-flash-flaw/

      1. Russ

        They need to rebuild Flash from the ground up; all new code developed using a modern SDLC and going through independent code reviews every step of the way.

        Adobe probably knows this, but won’t do it because they want to maintain compatibility with existing Flash on the web, built by and for crummy legacy versions.

      2. Faust

        “Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3”

        Any idea how the 10.1.85.3 release relates to 10.2.161.22 Beta?

  2. Hinky

    What’s this crapware “New York Times Reader” they snuck in with their Firefox update?

    They didn’t even ask.

    1. Russ

      My install, using the unfortunate Adobe Download Mangler, had a banner ad for TimesReader 2.0 and an “Add to Download” button you had to push. I wonder if they changed the installer from opt-out to opt-in between your post and mine?

      1. F-3000

        Luckily for me, I use Ubuntu (Linux) for everything else and Windows only for gaming, so I lack problems like ADM, because flash-plugin gets updated like all other regular updates on Ubuntu.

        Just remember to slam your head against the wall if you forget to shut Firefox while running the update, because you most likely need to reinstall flash-plugin – if you ever notice that the update failed.

    1. JCitizen

      Yeah, I had to reboot Vista to get the download manager to wake the heck up!

  3. JCitizen

    WOW! Thanks Brian!

    Who needs Secunia or File Hippo when we have BK watching our back!!! 🙂

    1. xAdmin

      Excellent advice! One more step many may find useful is the uninstaller:

      http://kb2.adobe.com/cps/141/tn_14157.html

      I’ve always used the uninstaller first, then installed the new version (using the exe installer you reference above). Works like a charm every time.

      Note: to minimize having to reboot, be sure to close all open programs that may be using Flash (ex. browsers, IM clients, see step 3 in the uninstaller link above). 🙂

  4. CloudLiam

    When installing the Flash plug-in for Firefox remember to allow scripts on adobe.com if you use NoScript.

    I also had to disable Microsoft Security Essentials real time protection before the FF plug-in would install on my laptop. I’m not sure why, since the Flash plug-in had already installed on IE8 without my having to do that.

    1. JCitizen

      The Adobe page does warn that one may have to turn off any AV or AS solution to install the update. Since I don’t like doing that, I simply rebooted.

  5. JohnJ

    As usual, Adobe’s web site falsely claims that my IE8-32 is IE8-64, so it won’t allow me to get the latest update.

    Adobe’s web site would, however, be willing to install Flash-64 Beta on IE8-32. How helpful – NOT.

    (My previous workaround on this issue no longer works.)

  6. TenorBrian

    Of course, if you’d had the Chrome browser, you’d have already been updated about 48 hours ago with its built-in Flash plugin! 😉

    Cheers!

  7. JBV

    Thank you, Brian. Your “time to patch” reminders are always helpful and are appreciated by your less computer-savvy readers!

  8. Jim

    Perhaps Adobe is not overly concerned with vending a secure product . After all, they can only push the useless toolbar and plug-ins via new installs and updates.

  9. muffin

    thanks, alex for reminding us that we can bypass adobe DLM by doing a manual install. i did that with no problem.

  10. axial

    XP, SP3. Using the Adobe DLM in Firefox, the error: “Adobe Flash Player 10.1” “The download did not pass the integrity check (16291.304.428)”. Clicked OK.

    The DLM says there was an error and it did not install correctly, but then Adobe’s “success” page opened and said it had correctly installed Version 10.1.82.76 — not the latest 85.3 version. Despite the DLM error dialog, I can imagine lots of folks could be easily misled into thinking Flash had indeed updated correctly because the “success” page opens.

  11. stvs

    If you haven’t done so already, be sure to configure your Adobe Flash Global Storage Settings panel to (attempt to) turn off Flash cookies and tracking capabilities. And Firefox users should install/configure both the TACO and BetterPrivacy plugins to kill Flash tracking cookies.

    It’s a scandal that the default Flash settings invade everyone’s privacy, and that controlling them requires visiting this obscure website.

    I hope that the recent lawsuits (see NYT, Code That Tracks Users’ Browsing Prompts Lawsuits) are costly enough to stop this odious industry practice.
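The Global Storage Settings panel mentioned in the comment above governs what Flash stores going forward; the local shared objects (".sol" files) already on disk are what the BetterPrivacy-style cleanup actually removes. The script below is an added example, not code from the commenter, from Adobe or from any of the named plugins. The on-disk locations it lists are the usual Flash Player defaults on each OS as assumed here, and the directory tree it builds in `demo()` is constructed to exercise the code offline. It deliberately leaves `settings.sol` files alone, since those hold the privacy settings the commenter is recommending you configure.

```python
"""Inventory and purge Flash Player local shared objects ("Flash cookies")."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def default_lso_roots() -> List[Path]:
    """Usual Flash Player data directories per OS (assumed defaults, not from the page)."""
    home = Path.home()
    return [
        Path(os.environ.get("APPDATA", home / "AppData" / "Roaming")) / "Macromedia" / "Flash Player",
        home / "Library" / "Preferences" / "Macromedia" / "Flash Player",
        home / ".macromedia" / "Flash_Player",
    ]


def find_lsos(root: Path) -> List[Path]:
    """Return every *.sol file under root.

    Site data lives under '#SharedObjects/<random>/<site>/', while
    'macromedia.com/support/flashplayer/sys/' holds Flash's own global and
    per-site settings, also stored as .sol files named settings.sol.
    """
    if not root.is_dir():
        return []
    return sorted(root.rglob("*.sol"))


def purge_lsos(root: Path, keep_settings: bool = True, dry_run: bool = True) -> List[Path]:
    """Delete .sol files under root and return the paths acted on.

    keep_settings skips settings.sol so the storage/privacy opt-outs survive;
    dry_run=True (the default) only reports, which is the safe first pass.
    """
    acted_on: List[Path] = []
    for sol in find_lsos(root):
        if keep_settings and sol.name == "settings.sol":
            continue
        if not dry_run:
            sol.unlink()
        acted_on.append(sol)
    return acted_on


def demo() -> Dict[str, object]:
    """Build a constructed Flash Player tree in a temp dir and purge it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Flash Player"
        sys_dir = root / "macromedia.com" / "support" / "flashplayer" / "sys"
        files = [
            root / "#SharedObjects" / "ABCD1234" / "tracker.example" / "uid.sol",  # tracking LSO
            sys_dir / "#tracker.example" / "settings.sol",                         # per-site settings
            sys_dir / "settings.sol",                                              # global settings
        ]
        for f in files:
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"\x00\xbf")  # placeholder bytes, not a real AMF payload
        before = len(find_lsos(root))
        removed = purge_lsos(root, keep_settings=True, dry_run=False)
        after = len(find_lsos(root))
        return {"before": before, "removed": [p.name for p in removed], "after": after}


if __name__ == "__main__":
    for root in default_lso_roots():
        for sol in purge_lsos(root, dry_run=True):
            print("would remove:", sol)
```

Run it once with the default dry run to see which sites have left shared objects behind, then switch `dry_run=False`; because Flash rewrites LSOs as soon as a site's content loads, this is something to schedule rather than run once.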

  12. curious

    Is there ANY progress on getting Adobe to build an auto-updater?

    You wrote about this as far back as 2006, and seemed to get the attention of some Adobe product manager at the time. But their promises never materialized and now we’re faced with, as you say, a sad patch history that rivals Microsoft. The difference, of course, is that Microsoft has an effective auto-updater, while Adobe has a defective, sometimes-it-works-sometimes-it-doesn’t update process that’s painfully manual.

    The cynics’ suggestion that this is deliberate on Adobe’s part–just to get clickthroughs for their flavor-of-the-month add-ins–is starting to ring true.

    While the technically adept can work their way through this minefield, our less-sophisticated users have no chance.

    Here’s the business model for making zillions: build a service that will keep this bleeping computer patched!

    1. drzaiusapelord

      9.2 and 8.3 of Acrobat now have an auto-update auto-install option under preferences.

      Flash has a similar thing, but it runs when Windows boots and warns you at boot time. Doesn’t seem to work all the time and there’s no GUI or anything. It either works or it doesn’t.

      Adobe needs to default to make all this stuff auto-update via a dedicated app like the Apple Update manager, instead of multiple mechanisms.

      1. curious

        > 9.2 and 8.3 of Acrobat now have an auto-update auto-install option under preferences.

        They do. But it’s not reliable, and it’s almost never timely. I think it was in another Krebs post that I saw Adobe admit that they don’t trigger the auto-update right away when a patch is available–it would cause too much of a strain on their servers, and they want to “make sure” the patch is working properly.

        In a day zero patch situation, that’s simply Not Acceptable.

        Adobe even messes up the manual patch process–in a day zero situation Adobe rolls out the patched version on one update page, but still leaves the old version hanging around on other update pages. So your success depends on 1) guessing which page is up to date, 2) avoiding the wrong page and 3) double-checking that the patch actually got applied.

        Show of hands: how many people “update their Flash” by uninstalling and re-installing?

        Yeesh.

