May 13, 2011

Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.

In the advisory that accompanies this update, Adobe said “there are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.”

The vulnerabilities exist in Flash Player versions 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The fixed version for most desktop platforms is 10.3.181.14. Android users should upgrade to Flash Player 10.3.185.21, available by browsing to the Android Marketplace on an Android phone. Google appears to have pushed the new Flash version to Chrome users automatically back on May 6 (Chrome versions 11.0.696.68 and later bundle the newest Flash).

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX control that IE uses, and again to update the plugin used by other browsers, such as Firefox and Opera. Updates are available from the Flash Player Download Center, which serves the installer matching the browser you visit it with, so visit it once from each browser. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software on you. If you’d prefer to update manually, the direct installers for Windows should be available at this link. If you run into problems installing this update, uninstall previous versions of Flash Player and then try again.

Adobe says Flash Player 10.3 includes a new auto-update notification mechanism for the Macintosh platform, which should alert Mac users to new Flash updates (this feature has been available on the Windows platform for a while now).
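Because IE’s ActiveX control and the NPAPI plugin used by Firefox and Opera are installed and versioned separately, a machine can easily end up with one of them patched and the other still at a vulnerable build. The script below is an added example (not code from this post or from Adobe) that checks both against the fixed version named above. The version numbers come from the post; the registry locations where Adobe’s Windows installers record each component’s CurrentVersion are an assumption, and on a non-Windows host the script falls back to a constructed sample so it still runs.

```python
"""Check installed Flash Player builds against the fixed release from the advisory.

Added example, not code from the original post or from Adobe. Version numbers
come from the post (10.3.181.14 fixed; 10.2.159.1 and earlier vulnerable).
The registry subkeys are an assumption about where Adobe's Windows installers
record the ActiveX control and the NPAPI plugin.
"""
import sys
from typing import Dict, List, Optional, Tuple

FIXED_DESKTOP = "10.3.181.14"

# Assumed HKLM subkeys, one per component. IE loads the ActiveX control,
# Firefox/Opera/etc. load the NPAPI plugin, so each is checked on its own.
REGISTRY_KEYS = {
    "ActiveX (Internet Explorer)": r"SOFTWARE\Macromedia\FlashPlayerActiveX",
    "NPAPI plugin (Firefox, Opera)": r"SOFTWARE\Macromedia\FlashPlayerPlugin",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10,3,181,14' (registry style) or '10.3.181.14' into an int tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_DESKTOP)


def read_installed_versions() -> Dict[str, Optional[str]]:
    """Read each component's CurrentVersion from HKLM; {} when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    found: Dict[str, Optional[str]] = {}
    for label, path in REGISTRY_KEYS.items():
        found[label] = None
        # 32-bit Flash on 64-bit Windows lives in the 32-bit registry view,
        # so try the native view first and the WOW64 view second.
        for access in (winreg.KEY_READ, winreg.KEY_READ | winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
                    value, _ = winreg.QueryValueEx(key, "CurrentVersion")
                    found[label] = str(value)
                    break
            except OSError:
                continue
    return found


def report(versions: Dict[str, Optional[str]]) -> List[str]:
    """One status line per component; flags anything older than the fix."""
    lines = []
    for label, ver in versions.items():
        if ver is None:
            lines.append(f"{label}: not installed")
        elif is_vulnerable(ver):
            lines.append(f"{label}: {ver} VULNERABLE, update to {FIXED_DESKTOP}")
        else:
            lines.append(f"{label}: {ver} ok")
    return lines


if __name__ == "__main__":
    # Constructed sample for non-Windows hosts: IE's control is stale while the
    # plugin used by other browsers is current, the mismatch the post warns about.
    sample = {
        "ActiveX (Internet Explorer)": "10,2,159,1",
        "NPAPI plugin (Firefox, Opera)": "10.3.181.14",
    }
    for line in report(read_installed_versions() or sample):
        print(line)
```

Run it once from an elevated prompt on each Windows box after patching; a line ending in VULNERABLE means one of the two installers was skipped. The comparison is a plain tuple compare, so a beta build such as 10.3.180.x would also be flagged, which is the conservative result.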


48 thoughts on “Critical Flash Player Update Plugs 11 Holes”

  1. lun

    Thanks for the heads-up.

    Speaking of update notifications, I wish you could set the check frequency to daily. That’s up to 7 days I’m needlessly exposed.

    The last time the auto updater found an update before me was at some point in 2010.

    1. JCitizen

      Dear lun;

      If you use File Hippo’s update checker you will get it immediately. However, if you rarely turn/(log) off your PC, you should right click the FH icon and select [Rescan for updates], at least once a day.

      1. F-3000

        Would be useful if the FH checker would work. On my Win7 it just stops working when I try to run it.

        1. JCitizen

          You could always try CNET email notifications, or download other updaters – I think SoftPedia has one now, but I’m not sure. I can’t recommend Software Informer, I don’t trust it.

            1. JCitizen

              @F-3000;

              CNET pretty well reminds their readers of the service. If you go to the review page for a favorite download, there is an “add this to my list” in the CNET community section. You may have to allow scripting to get that.

          1. AJ North

            Not to beat this to death, but the notification from CNET arrived in my Inbox a short time ago, time stamped 5/15/2011, 0323 PDT; Softpedia’s notification arrived on 5/13 at 0300 PDT – fully two days earlier (which has pretty much been my experience with their service). Next time, I’ll also perform an on-demand scan with FileHippo’s Update Checker to see whether they had updated their database; either way, they are also faster at updating than CNET are.

            1. JCitizen

              Thanks AJ!!

              If that utility from Softpedia gives notifications on standard accounts, I may use it instead of File Hippo! If not I still may download that today.

  2. AJ North

    Thanks, Brian.

    For those who’d like to be notified ASAP of new versions of Adobe Flash Player (and their Shockwave Player, along with a slew of other commonly-installed applications, such as the Java RTE), one can subscribe to the individual apps (after a free registration) at http://softpedia.com/ – they update their software list very soon after an update is released (often before it’s even listed at the vendor’s own site!); they’ll send you an e-mail alert with download links.

  3. Joshua

    Will a company ever challenge the dominance of Adobe Flash and create something compatible, yet more secure? I hate the fact that it is at the center of 0-day after 0-day with little recourse due to heavy dependence for web functionality.

    1. eCurmudgeon

      “something compatible, yet more secure”? The better question to ask is when HTML5, SVG, etc. get mature enough to remove Flash once and for all and get better security, browser performance and stability in one fell swoop.

      After we get that done, can we please work on re-architecting PDF into a stripped-down “Secure Document Format” with just enough functionality to render documents and all of the multimedia and JavaScript security holes removed as well? Please?

      1. Rabid Howler Monkey

        @Joshua
        There are plenty of options for dealing with Flash 0-days:
        o operate your OS as a non-admin user (and not the default user)
        o whitelist your favorite Flash sites in your browser (which blocks everything else) or use the Firefox add-on FlashBlock (which blocks everything until you click to allow)
        o use Google’s Chrome browser which includes Flash and automatically receives Flash updates (don’t let Vupen’s recently-announced Chrome exploit scare you away)
        o use an alternative OS such as Mac OS X, Linux or RIM’s QNX-based Playbook (just be aware that Flash 0-days also apply to these OSs, but have yet to be massively exploited as they are on Windows)

        @eCurmudgeon
        Adobe Reader X is sandboxed on Windows and includes configuration options for disabling JavaScript and executable launching. Or consider using an alternative PDF Reader such as FoxIt (also configurable), SumatraPDF or the PDF Reader included in Google’s Chrome browser. Default PDF Readers on alternate OSs are not Adobe’s.

        1. eCurmudgeon

          Adobe Reader X is sandboxed on Windows and includes configuration options for disabling JavaScript and executable launching.

          True. However, I’d still like to see these features along with other security vulnerabilities excised from the PDF standard altogether. This way, it becomes easier to validate PDF documents (via mail/web security gateways) for potential threats. In addition, a Secure Document Format spec would allow for “SDF Readers” that don’t even contain code to parse JavaScript, multimedia extensions, etc. and subsequently present a dramatically smaller attack surface.

          1. Rabid Howler Monkey

            @eCurmudgeon

            Understood, but until then …

            You did pique my interest though. Here’s a link to a free site (an experimental online service) that attempts to sanitize individual PDF documents of exploits via conversion of pdf to postscript and back to pdf:

            http://ossbox.com/pdfcleaner.htm

            Some users might be interested in this service if they want to take precautions for an individual pdf document they have received.

            And a link to using squid and python to do similarly in an automated manner:

            http://www.sans.edu/student-files/presentations/animalFarm_rev3.ppt
            “Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid”

            This looks like a lot of work. No wonder you want a secure document format. 🙂

  4. SFdude

    FileHippo.com
    is also a good source
    for the latest Flash Updates,
    (“manual updates” = no extra ad bars/nagware).

    1. AJ North

      True; I also use their little Update Checker – http://update.filehippo.com/updatechecker/ (a useful complement to the Secunia PSI), but it only scans on restarts (and, of course, manually).

      Still, Softpedia.com consistently update their software list with impressive rapidity. A case in point was this morning; when I got their e-mail that Adobe Flash had updated (and the Adobe Flash Uninstaller, to which I also subscribe) and visited Adobe’s site, they were still listing the previous version – even scanning it as current. It was not until about an hour later that they updated their system.

  5. JimV

    FileHippo alerted me to the new Flash versions when I booted up this morning, so I downloaded and installed the updates on all the office machines before Brian’s notice arrived. I didn’t know the uninstaller had been updated, though — will grab the new version, so thanks to AJ for mentioning that.

    Note to Brian: I’m not sure if this happened to others, but I received 5 separate copies of the e-mail notice with identical time stamps that all arrived at the same time. Not a big problem for me to delete the extras and it might be the fault of my ISP, but thought I’d post it in case something was glitched in your system’s mail server that needed debugging.

    Here are the header bits (with the e-mail address domain names obscured) FYI:

    Received: from krebsonsecurity.com (mc-web10.prolocation.net [94.228.133.163])
    by mtain-mc02.r1001.mx.aol.com (Internet Inbound) with ESMTP id A28D038000084
    for ; Fri, 13 May 2011 15:01:34 -0400 (EDT)
    Received: from apache by krebsonsecurity.com with local (Exim 4.63)
    (envelope-from ) id 1QKwgC-0007tt-SB; Fri, 13 May
    2011 20:01:37 +0200

    1. JimV

      Clarification — the time stamps for none of the 5 messages were identical, and after the first the others lagged by 3, 6, 10 and 28 seconds. I think this was probably just a hiccup in the originating e-mail server.

    2. BrianKrebs Post author

      My apologies for the spam. I had a pretty major server outage for about an hour today, right after I published a blog post. When the server came back online, it burped out several copies of the same email. I think what happened was the mail server was trying to send out the new post notification but couldn’t because the Web server was down, and so it kept trying at some interval and for some reason the messages queued up.

      1. JCitizen

        Several of my forums quadruple the emails like this once in a while. You’re not the only one Brian. I just ignored it – I’m used to it.

        You gotta great page here, and I recommend you to everyone I meet on the other discussions. I even recommended your page today to my banker! He was very appreciative, as I scare the dickens out of him regularly!!

      2. JimV

        Brian, not a problem — I don’t consider anything you send out as spam, even having 5 duplicates of the same message appear simultaneously. The wonky server was just trying to follow its marching orders…

    3. AJ North

      The Adobe Flash Player Uninstaller is updated with each new release of the Flash Player. In fact, the download links themselves for the players (all) and the uninstaller don’t change from release to release, so if you bookmark them you’ll be good-to-go every time.

      Another small tip: if you’re keeping tabs on the Java RTE and manually updating it, its automatic update can be deselected, thus reducing the Services that load with Windows by one. (This is especially helpful on older, more modest rigs and netbooks.)

      1. 67GTV

        Tsk Tsk AJN. Are you running with Local Administrator privileges? 😉

        For over a year now, the Update tab has been missing from the Java Control Panel, when logged on as a Power User or as a (Restricted) User. Disabling the “Check for Updates Automatically” option when logged on as a Local Administrator does not carry over to non-admin users on the same machine.

        This is based on my experience with Win7 Pro and WinXP Pro. This may not apply to other flavors of these OSs.

  6. JCitizen

    Also – if you are a CNET subscriber – you can sign-up for email notifications of new versions of a wide variety of applications. I should think they cover flash also.

    1. AJ North

      Yes, I also subscribe to their notification service and they do (their library is far more extensive than FileHippo’s, as is Softpedia’s); however, it’s been my experience that they tend to lag both of the other sites. (For example, about two years ago, Sun brought out a new version of their Java RTE to patch several critical security holes, and it took CNET over a week to list it.)

      1. JCitizen

        Thanks for the tips AJ North; very interesting!

  7. Al Mac

    Thanks again for this critical heads up.

    1. JBV

      @ Steven

      Brian frequently has said: “Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.”

      Don’t know anything about the site you are recommending, but I think it’s worthwhile to go to the vendor and get the real thing without any spurious extras.

  8. Gordon

    According to MaxPC, the new Adobe update’s chief feature is its ability to delete flash cookies. This would be very nice, assuming it works effectively. Currently I use Better Privacy, a Firefox add-on, to accomplish this. It appears to work well.

    1. JCitizen

      CCleaner’s developers look for all zombie cookies, including LSOs from Adobe.

  9. PJ

    The OSX preference pane is a start, but I can’t believe they still don’t know how to sort columns! With machines that haven’t been cleaned up in a long time (due to the pain of the old web-based Settings pane), it is really obnoxious trying to remove most of the LSOs while keeping those few that serve a purpose.

  10. spayed

    Many programs like Super AntiSpyware allow complete auto-updates to the program without manually uninstalling and reinstallation, why can’t Adobe provide this feature with their Flash plugin?

    Even Java has an update check which you may set by number of days and an auto update feature, surely by now Adobe should be considering something of this nature.

  11. xAdmin

    Best source for software update notifications, not to mention other important security info?

    It’s listed right in Brian’s Blogroll! 🙂

    http://isc.sans.edu

    Keep your ear to the ground and visit several times a day! 😉

    After all, security starts with awareness!

    1. Gordon

      Where on SANS would one find upgrade notifications? I wandered through the site without finding anything of that sort.

      1. xAdmin

        If not on the home page, then scroll down to the bottom to see the Diary Archive. Or click “Complete Archive” to see more. You’ll see various posts about software updates. As I said, if you visit the site frequently, you’ll always stay abreast of not only software updates, but other current security news. It’s the first place I found out about the recent Flash Player updates. 🙂

  12. Greybeard

    The update notes include the addition of a Flash Settings Panel manager under the users computer “Control Panel” (ie, like Java?)

    I’m running XP — but so far the Setting Panel does not appear in my Control Panel

    >>> From Adobe >>>
    Beginning with Flash Player 10.3, the Local Settings Manager supersedes this Online Settings Manager for managing global settings on Windows, Mac, and Linux computers. The Local Settings Manager can be accessed in the Control Panel on Windows and in System Preferences on Mac. Users of other operating systems and earlier versions of Flash Player can continue to use the Online Settings Manager described here.

    To access the local Flash Player Settings Manager that is native to your operating system:

    * Windows: click Start > Settings > Control Panel > Flash Player
    * Macintosh: System Preferences (under Other) click Flash Player
    * Linux Gnome: System > Preferences > Adobe Flash Player
    * Linux KDE: System Settings > Adobe Flash Player
    <<< end <<<

    So — if you can't access the local Settings Manager you're left with all the Flash defaults on storage, P2P, etc.

    What Now???

    1. Sarah

      For Greybeard: If you follow the trail you noted in your post–namely, “Windows: click Start > Settings > Control Panel > Flash Player”–you may find the new “Flash Player” icon at the bottom of the list out of alphabetical order, if you have not rebooted your XP box in a while. That’s where I found it on my old PC.

      1. Greybeard

        Sarah,

        Thank you for the info — searched the list — and rebooted, but no joy — think I’ll re-install.

        Curious if you checked settings — and if so, did they retain your Setting Panel preferences.

        Again, Thank You

        1. xAdmin

          You can try using the Flash Player Uninstaller (links below). Be sure to close all open programs first. Then download the manual installers (plural if you need to update multiple browsers, I just use IE8). Then go to the “About” page to confirm the version.

          Uninstaller:
          http://kb2.adobe.com/cps/141/tn_14157.html

          Manual Installers:
          http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller

          About page:
          http://www.adobe.com/software/flash/about/

          I’m running Windows XP (w SP3) and use this process. It always works flawlessly. As to the new settings manager or Flash cookies, I just leave the defaults and instead use the commands listed below in a batch file that I run after every browser session. It deletes the Flash Player directories where any cookies are stored (they get re-created next time Flash is used) and clears everything in Internet Explorer (ex. cookies, history, temporary Internet files, etc.)

          @rem Removes Adobe Flash Player cache directories (straight quotes are required; curly quotes break cmd.exe)
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe"
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"
          @rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords (Applies only to IE7 and newer)
          rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

          (hopefully this goes through without the commenting system flagging it) 🙂

          1. xAdmin

            Revise that first command as follows if you also have Adobe Reader, so the command ONLY removes Flash Player stuff (I don’t use Adobe Reader, Foxit instead, so I just delete the entire Adobe directory):

            rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"
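xAdmin’s batch file above wipes the whole Flash Player directory, which is the blunt but reliable approach. The script below is an added example (not xAdmin’s code and not an Adobe tool) that does the selective version PJ asks for earlier in the thread: it removes every site’s Local Shared Objects and per-site settings except an allow-list of domains you want to keep. The on-disk layout it walks is an assumption about how Flash Player 10.x stores LSOs (a #SharedObjects tree of random-id/domain directories holding .sol files, and #domain directories under macromedia.com/support/flashplayer/sys for per-site settings), as are the per-platform profile paths in flash_profile_dir(); it runs against a constructed sample tree so nothing real is touched until you point it at the actual profile.

```python
"""Selectively purge Flash Local Shared Objects (LSOs, the .sol "Flash cookies").

Added example; not the batch file from the thread and not an Adobe tool.
Assumed Flash Player 10.x layout under the profile directory:
  #SharedObjects/<random id>/<domain>/...*.sol
  macromedia.com/support/flashplayer/sys/#<domain>/settings.sol
where the profile is %APPDATA%/Macromedia/Flash Player on Windows,
~/Library/Preferences/Macromedia/Flash Player on Mac OS X and
~/.macromedia/Flash_Player on Linux (all assumptions).
"""
import os
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


def flash_profile_dir() -> Path:
    """Per-platform Flash Player profile directory (assumed paths, see docstring)."""
    home = Path.home()
    if sys.platform == "win32":
        appdata = os.environ.get("APPDATA", str(home / "AppData" / "Roaming"))
        return Path(appdata) / "Macromedia" / "Flash Player"
    if sys.platform == "darwin":
        return home / "Library" / "Preferences" / "Macromedia" / "Flash Player"
    return home / ".macromedia" / "Flash_Player"


def list_lso_domains(profile: Path) -> List[str]:
    """Domains that currently hold at least one .sol file under #SharedObjects."""
    shared = profile / "#SharedObjects"
    if not shared.is_dir():
        return []
    domains = set()
    for random_id in shared.iterdir():
        if random_id.is_dir():
            for domain_dir in random_id.iterdir():
                if domain_dir.is_dir() and any(domain_dir.rglob("*.sol")):
                    domains.add(domain_dir.name)
    return sorted(domains)


def purge_lsos(profile: Path, keep: Iterable[str]) -> List[str]:
    """Delete every domain's LSO and per-site settings trees except `keep`."""
    keep = set(keep)
    removed = set()
    shared = profile / "#SharedObjects"
    if shared.is_dir():
        for random_id in shared.iterdir():
            if random_id.is_dir():
                for domain_dir in list(random_id.iterdir()):  # list(): don't mutate while iterating
                    if domain_dir.is_dir() and domain_dir.name not in keep:
                        shutil.rmtree(domain_dir)
                        removed.add(domain_dir.name)
    # Per-site settings (camera/mic/storage decisions) live in "#<domain>" dirs;
    # the global settings.sol beside them is a file and is left alone.
    sys_dir = profile / "macromedia.com" / "support" / "flashplayer" / "sys"
    if sys_dir.is_dir():
        for entry in list(sys_dir.iterdir()):
            if entry.is_dir() and entry.name.startswith("#") and entry.name[1:] not in keep:
                shutil.rmtree(entry)
                removed.add(entry.name[1:])
    return sorted(removed)


def build_demo_profile(root: Path) -> Path:
    """Constructed sample profile so the example runs without real Flash data."""
    profile = root / "Flash Player"
    sys_dir = profile / "macromedia.com" / "support" / "flashplayer" / "sys"
    for domain in ("example.com", "tracker.example.net", "video.example.org"):
        sol = profile / "#SharedObjects" / "ABCDEF12" / domain / "state.sol"
        sol.parent.mkdir(parents=True, exist_ok=True)
        sol.write_bytes(b"\x00\xbf")  # placeholder bytes, not a real .sol
        site = sys_dir / f"#{domain}" / "settings.sol"
        site.parent.mkdir(parents=True, exist_ok=True)
        site.write_bytes(b"\x00\xbf")
    (sys_dir / "settings.sol").write_bytes(b"\x00\xbf")  # global settings, must survive
    return profile


def run_demo(keep: Iterable[str] = ("video.example.org",)) -> Tuple[List[str], List[str], List[str], bool]:
    """Build the sample, purge it, return (before, removed, after, global settings kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_demo_profile(Path(tmp))
        before = list_lso_domains(profile)
        removed = purge_lsos(profile, keep)
        after = list_lso_domains(profile)
        global_kept = (profile / "macromedia.com" / "support" / "flashplayer" / "sys" / "settings.sol").is_file()
    return before, removed, after, global_kept


if __name__ == "__main__":
    # Runs against the constructed sample; swap in purge_lsos(flash_profile_dir(), keep)
    # once the allow-list is right.
    before, removed, after, global_kept = run_demo()
    print("before:", before)
    print("removed:", removed)
    print("after:", after, "| global settings.sol kept:", global_kept)
```

Run it with the browser closed, as with the batch file, since an open Flash instance can rewrite a .sol on exit. Passing an empty allow-list gives the same result as xAdmin’s rmdir lines except that the global settings file, and therefore the 10.3 Settings Manager choices such as blocking peer-assisted networking, is preserved.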

      2. 67GTV

        Simply hit the F5 key to refresh your Control Panel icons. Likewise, F5 can refresh your Add/Remove Programs list.

    2. 67GTV

      Late reply to Greybeard…

      I am finding that the new Flash Player Settings Manager applet appears in WinXP Pro’s Control Panel, but not in Win7 Pro’s Control Panel.

      You can access the new F.P.S.M. by right-clicking any Flash content in your browser and selecting “Global Settings…”. (Same method as with previous versions) Your Flash Player does not need a re-install.

      Btw, I am changing the Playback>Peer-assisted Networking from the default “Ask me when a site wants to use peer-assisted networking” option to the “Block all sites…” option on all our employee systems. Sends up a P2P red flag for me. Any thoughts on this ‘feature’?

      http://help.adobe.com/en_US/FlashPlayer/LSM/WS6aa5ec234ff3f285139dc56112e3786b68c-7ff5.html#WS6aa5ec234ff3f285139dc56112e3786b68c-7ff3

Comments are closed.