05
Nov 10

Flash Update Plugs 18 Security Holes

facebooktwittergoogle_plusredditpinterestlinkedinmail

Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.

The Flash update brings the latest version to v 10.1.102.64. To find out if your computer has Flash installed (it almost certainly does) and what version it may be running, go here. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

If you’d like to avoid Adobe’s obnoxious Download Manager and all these extras, grab the update from this link instead. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash.

If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox or Google Chrome (you may find that Google has already updated their browser with this fix). Also, while it’s not strictly necessary, Adobe recommends that users uninstall the previous version of Flash before updating to the latest copy of Flash. Instructions and tools for removing Flash are here.

More information on the vulnerabilities fixed in this patch is available in the Adobe advisory.

Tags:

26 comments

  1. You know how to make my Friday (sigh)

    Keep up the great work

  2. That linked page is Windows only, do you have a link to the Mac page?

  3. Hi Rob. I rejiggered the post above to include a link to the main update page, which should auto-detect what OS / browser you have.

  4. Thank you for this advisory, Brian. Your reminders are always helpful and timely.

  5. Got this when I went to the Adobe site: “Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available.”

    And it’s saying I have version 10.1.103.19 installed in chrome. Weird.

  6. I really dislike Adobe’s method of updating. Their updates are as arcane as the player which is only visible via Control Panel on my machine. The version verify page has no mention of a security update. However, there’s an option to download some crazy movie player. Plus, as usual, the Google toolbar is checked by default on the update page.

    Thanks to Brian, I’m in the loop for security updates.

  7. “If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers,”

    This is incorrect, Brian. All Windows users who have Flash need to install the ActiveX version. It’s mandatory. The plug-in version is optional, if you use a non-IE browser.

    The ActiveX control is used by other apps, such as MS Office. If you neglect to update the ActiveX control because you don’t use IE, then you will be at risk.

    • @WD: Please clarify your post – what do you mean by “mandatory”?

      Are you saying that if you don’t have IE installed on your computer, but do have Windows and MS Office, then you are at risk?

      If that’s what you mean, then how can you install the Flash update without using IE?

      • I suspect that WD is referring to a situation like the one described here: http://support.microsoft.com/kb/291875, and is suggesting that if you have the ActiveX control on your machine and it might be used, regardless of whether it’s by IE or some other app, then you should update it.

      • I just updated Flash without IE or any other browser. All I did was boot up as administrator and I got a window saying their was an update to Flash Player so I clicked “install” and away we went. Flash in IE9 Beta was updated. What’s interesting is that I tried to update it this morning and got a message that Flash 10.1.102… was not compatible with IE9. This afternoon it is; of course IE9 gets updated about every day. I had previously updated Firefox, but I doubt if this update would have had any effect on Firefox.

      • The ActiveX version of Flash can be used by a wide range of Windows applications. Therefore, as I mentioned before, if you have Flash on your system, you must update the ActiveX version of flash. Regardless of whether you use IE or not.

        • Umm no. The solution I have found is to simply uninstall the ActiveX flash player on all of my (numerous) machines. I don’t need it for my work, so not having it doesn’t limit me in any way. On one machine, and one machine only, I have both the ActiveX and Firefox versions installed. But I think instead of updating the ActiveX one again I will uninstall. If I ever need it for any reason, I can get a fresh download.

          PDF is a harder one. That I do need for work. I wish I didn’t – in many cases people are just being lazy. But as a matter of general principle, I have Javascript turned off for PDF as I don’t need that either.

          • Good for you. But note that in both of my posts, I qualified my statement with “If you have Flash on your system…”

            Windows XP comes with Flash 6 installed by default, and it contains vulnerabilities.
            http://www.microsoft.com/technet/security/advisory/979267.mspx
            And there is no uninstaller in “Add/Remove Programs” either. You have to take explicit steps to disable/remove Flash 6.

            Completely removing Flash is obviously the safest thing to do. But most people probably go down the “update Flash” route.

  8. The Flash update 10.1.102.64 for Mac OS X apparently breaks the support for webcam within Flash.

    No video sources select work any more with this Flash update.

    I first noticed this in Chrome when it auto-updated and later after updating the plugin update my isight camera or any video source selected no longer worked.

    • Im having the same problem, the new flash update has broken any webcam support within Flash on Mac OSX. Cant seem to find a fix anywhere…

    • I’ve opened a bug report with Adobe:

      https://bugs.adobe.com/jira/browse/FP-5730

      I’m sure they’ll get around to fixing this issue in a month or two :-\

      • Awesome. You can let them know that the problem also exists on OSX 10.5.8 and that the camera works in Photobooth etc, just in nothing that uses flash. Microphone seems to work fine.

        • @Mike what flavor of Macbook do you have that is having this problem? My Macbook Air (1st generation) exhibits the problem with video while my wife’s Macbook (late 2008) doesn’t have a problem at all.

          I’m wondering if the issue is model-specific.

          Let me know and I’ll add it to the bug report.

          • White 2009 MacBook. Mac OSX 10.5.8

          • I’ve done a little digging, and discovered that if you have any third party QuickTime component files in /Library/QuickTime then there is a very high probability that one or more of them will not work including the iSight camera.

            I removed the component files from Google that are provided by Google Voice and ManyCam and was able to use my isight camera once again.

            Apparently, Adobe didn’t test with any third party QuickTime video source component files. Nice….

          • I actually dont have /Library/QuickTime ??

            I do have QuickTime installed of course…

  9. According to the release announcement on the Google Chrome Releases blog, the new version of Chrome, which is 7.0.517.44, does include the new version of Flash. (Google bundles Flash Player with the Chrome browser.) You will probably want the new release in any case, since it fixes 12 other security bugs.

    http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html

  10. The latest version of Chrome on Windows, includes Flash version 10.1.103.19. Yet, everything from Adobe says that the latest version is 10.1.102.64. See

    http://blogs.computerworld.com/17305/whats_up_with_flash_in_chrome

  11. 18 security holes is about what I’ve seen in OpenBSD in the last _5 years_.

  12. For Mac, I keep getting version 10.1.85.3 though the website claims that it is delivering 10.1.102.64. I verified this through the supplied plist file. All the files are dated September 14.

  13. Brian, Adobe has a simpler webpage for uninstalling the previous flash player.

    This is the webpage with the instructions and link to the uninstaller program for Adobe Flash
    http://kb2.adobe.com/cps/141/tn_14157.html

    direct link to the program file:
    http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player.exe

    Uninstalling Shockwave is not given much explanation on Adobe’s website, this webpage lists most files:

    http://www.adobe.com/shockwave/download/alternates/

    With the Shockwave uninstaller at :
    http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe

    Same page also has the Flash uninstaller :
    http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player.exe