November 10, 2011

Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe AIR.

The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.

Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.
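For anyone patching more than a handful of machines, the version numbers above are really a compliance rule: anything below the fixed build for its platform still needs the update. The script below is an added example (not Adobe’s code or anything from this post) that encodes those fixed builds and checks an inventory against them, comparing versions numerically rather than as strings so that a 9.x or 10.x build is not mistaken for something newer than 11.x. It also includes a downgrade check for the situation readers describe further down, where a “current” download link served a 10.3 installer that then refused to install over 11.x. The hostnames and installed versions in the sample inventory are constructed for the demo; the fixed versions are the ones quoted from the advisory above.

```python
"""Patch-compliance check against the Flash Player / AIR versions named in the
advisory above. Added example; not Adobe's or the post author's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum patched builds per product and platform, taken from the post above.
# (The advisory identifier itself is not on the page, so none is cited here.)
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "flash": {
        "windows": "11.1.102.55",
        "mac": "11.1.102.55",
        "linux": "11.1.102.55",
        "solaris": "11.1.102.55",
        "android": "11.1.102.59",
    },
    "air": {
        "windows": "3.1.0.4880",
        "mac": "3.1.0.4880",
        "android": "3.1.0.4880",
    },
}


def parse_version(text: str) -> Version:
    """Convert '11.0.1.152' or Adobe's comma form '10,3,183,11' to an int tuple.

    Numeric tuples compare correctly; plain string comparison would rank
    '9.0.280' above '11.1.102.55' because the character '9' sorts after '1'.
    """
    parts = text.strip().replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: Version, b: Version) -> bool:
    """True if a < b, padding with zeros so that 3.0 and 3.0.0.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class Finding:
    host: str
    product: str
    platform: str
    installed: str
    required: str
    needs_update: bool


def assess(inventory: List[Dict[str, str]]) -> List[Finding]:
    """Flag every inventory row whose installed build is below the patched one.

    Each row is a dict with keys host, product, platform, version. Unknown
    product/platform pairs raise rather than silently passing as compliant.
    OS-level constraints (which OS release a given build supports) are outside
    this check; it only compares build numbers.
    """
    findings = []
    for row in inventory:
        product, platform = row["product"].lower(), row["platform"].lower()
        try:
            required = FIXED_VERSIONS[product][platform]
        except KeyError:
            raise ValueError(f"no fix level known for {product}/{platform}") from None
        needs_update = version_lt(parse_version(row["version"]), parse_version(required))
        findings.append(Finding(row["host"], product, platform, row["version"], required, needs_update))
    return findings


def is_downgrade(installed: str, offered: str) -> bool:
    """True if an offered installer is older than what is already on the host.

    This is the failure readers report in the comments: a 'current' link that
    served a 10.3 installer, which then refused to install over 11.x.
    """
    return version_lt(parse_version(offered), parse_version(installed))


def hosts_needing_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Convenience view: hostnames that still need this update."""
    return [f.host for f in assess(inventory) if f.needs_update]


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws01", "product": "flash", "platform": "windows", "version": "11.0.1.152"},
    {"host": "ws02", "product": "flash", "platform": "windows", "version": "11.1.102.55"},
    {"host": "mac01", "product": "flash", "platform": "mac", "version": "10,3,183,11"},
    {"host": "mob01", "product": "flash", "platform": "android", "version": "11.0.1.153"},
    {"host": "ws03", "product": "air", "platform": "windows", "version": "3.0"},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        status = "UPDATE" if f.needs_update else "ok"
        print(f"{f.host:6} {f.product}/{f.platform:8} {f.installed:>12} -> {f.required:12} {status}")
    print("10.3 over 11.0.1.152 is a downgrade:", is_downgrade("11.0.1.152", "10.3"))
```

Run it as-is to see the sample report; in practice the inventory rows would come from whatever software-inventory export a site already has, and `is_downgrade` is worth running on the installer you are about to push before it fails on every host.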

To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links: the 32-bit IE installer and the 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, just let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).

The installer for the latest Adobe Air version is available from this link.

Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.

“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”

Update: 11:34 p.m. ET: Updated the download links.


38 thoughts on “Critical Flash Update Plugs 12 Security Holes”

  1. Jeff R

    If only Adobe had been organised enough to release this on Tuesday with their Shockwave update.

  2. Mark from Columbus

    The direct links, above, to the “latest” versions download older versions of both.

  3. Mark from Columbus

    Beware all those who, like me, went to the Adobe Flash website and installed the updates from there. I wound up with an unwanted and unwarned-of (that I could see) installation of a McAfee “Security Scan” program. Just uninstalled it via Windows XP “add and remove programs.” So far, no harm done that I can detect.

    1. Chris

      Are you running a “NoScript” plugin? When I go to their update site, I don’t see the McAfee warning, but when I temporarily allow the site to run scripts, I see the warning, so then I’m able to un-check it.

  4. Gabriel

    The DIRECT link for non-IE browsers is downloading 10.3 installer! Please check your links.

    1. Dave

      >The DIRECT link for non-IE browsers is downloading 10.3 installer!

      I noticed that too, if you go to the version-check page it sends you to a download page that feeds you 10.3 (which then fails to install because it’s much older than the already-installed version). Mind you this is pretty much par for the course for Adobe.

  5. BrianKrebs Post author

    I believe these are the latest direct links, for 32-bit and 64-bit systems

    IE (ActiveX, ~3.5 or 7.5 MB respectively):
    http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
    http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_64bit.exe

    Netscape (Mozilla, Opera & all the rest; DLL, ~3.5 or 7.5 MB respectively):
    http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
    http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_64bit.exe

  6. Deon Fialkov

    Hi. Thanks for the informative article. Should I uninstall my current Flash before installing the new version, or will updating it suffice safely?

    1. BrianKrebs Post author

      Hi Deon. Sorry about your comment getting stuck in the spam filter. Not sure what happened there, except that no kidding about 80 percent of the spam in there now starts off with a nice compliment like yours did 🙂

      You do not need to remove the current version before upgrading: the installer should take care of that. If you have any problems after installing, use Adobe’s Flash removal tool, and then reinstall the latest version.

      http://kb2.adobe.com/cps/141/tn_14157.html

    2. JCitizen

      @Deon;

      Depends on whether you have any really old versions on your system as “zombie” files. You can download Secunia PSI to look for these. All newer versions are self uninstalled upon update. PSI also provides removal tools to get rid of these files, but you may have to reinstall the newest version after that.

      On some of these older versions, I’ve had to simply delete them from the folders where they reside; PSI always provides the path – all you have to do is double click on the reported file and PSI will open the target location for you. This is especially handy in that you don’t have to mess with hiding and unhiding your files and folders to get the job done.

  7. SteveO

    I can’t get the FF version to install, no matter which way I go about it. Chrome still shows the old version, too. The only browser I have successfully updated is IE9 — with absolutely no problems. I hardly ever use IE9. I’m running 64-bit Windows 7 Home Premium.

  8. SFdude

    just FYI everybody:

    UNinstalled the old Flash plugin,
    and installed the latest Flash 11.0.1.152 –
    from Brian’s links (above).

    No problems, everything running fine.

    *** Thanks Brian ***
    for always letting us know ref Flash updates,
    and supplying _all links_ needed, every time!

    SFdude
    Firefox 3.6.24 (latest) under XP-SP3 32bits.

  9. Matt

    Where do Adobe say that no exploits have been reported or attacks made?

    1. BrianKrebs Post author

      Matt,

      That was in a heads up that Adobe sent to reporters announcing the availability of this patch. From that email:

      “Exploits:
      At this time, Adobe is not aware of any exploits ‘in the wild’ for any of the issues addressed in this update.”

      1. Matt

        Thanks Brian – any chance us non-journos could get those releases?

      2. Matt

        Thanks for that Brian – annoying that there’s more info available than on the notification itself. Would make it easier to make judgement calls when patching larger estates if that kind of info is available more widely.

        Any ideas on how to get that info without relying on news sites?

        No offence 🙂

        1. JCitizen

          It really is better to check with Brian’s story on this subject, as things change rapidly. Secunia PSI and/or File Hippo Update Checker will notify you of download availability. File Hippo sent me a notice from the systray yesterday on my limited account. Another reason I like FH is that it usually beats other sources to zero day vulnerabilities, in just the fact that the update comes sooner. Even if the newer version pans out to have new vulnerabilities, at least it keeps one step ahead of the criminals.

          1. Matt

            Thanks JCitizen. I know about both of those and use PSI at home. Can’t use them on our managed estate though as it would break all kinds of stuff. Application dependency is a wonderful thing isn’t it?

        2. Matt

          Hmm… curious about the Dislikes.

          I honestly think that if Adobe can tell us that there are no current attacks out in the wild using these vulnerabilities then they should tell us. If the opposite is true then that should be made known as well. It would help businesses with large estates assess risk and schedule their patching accordingly.

          Limiting the audience for that information to journalists makes no sense. Imagine the following two options:

          “Boss, we should patch now because Adobe state they are seeing attacks in the wild targeting these vulnerabilities” versus “Boss, we should patch now because some guy on the internet that you don’t know but I trust says that Adobe says there are attacks.”

          Which is the better argument?

  10. timmdrumm

    Anyone else have trouble with the Adobe Air update? Tried downloading it 2 times and each time it says “an error occurred”. The installer seems to be blaming it on administrative privileges, but I’m in the admin account and even ran it as an administrator.

    Ideas?

    1. JCitizen

      Are you on a business domain? Perhaps you need local machine permissions in that case.

      For some reason on Home versions of Windows, the system occasionally wants the authority of the hidden administrator. Sometimes right clicking the setup file and using “Run as” administrator can clear the logjam. This occurs even though you are logged in as an administrator.

    1. JCitizen

      Somebody told me version 9 is already out. I don’t know if it is a final release candidate or not.

  11. Nic

    If you mostly only use flash for the occasional Youtube video, and are tired of all the security holes, just uninstall flash and get youtube-dl and don’t look back.

  12. SteveO

    I finally got Flash v. 11.1.101.55 to install in Firefox by uninstalling v. 11.0.1.152 from the Control Panel. Interestingly, that also installed the correct version for the Comodo Dragon browser I’ve been messing around with since late Thursday.

    Chrome updated itself with the latest version this afternoon.

  13. Mario

    I use Ubuntu 10.04 LTS. Today Flash stopped running
    and I read the message “Additional plugins are required to display all the media on this page.”
    I clicked on Install Missing Plugins but it was not fixed.

    1. Jack

      You must be unfamiliar with Ubuntu. Flash is a program. You should install flash from an Ubuntu (proprietary) software repository.

      I don’t use Ubuntu that often. If you don’t know how to find the Flash program in an Ubuntu software repository – join an Ubuntu forum and ask someone who is more familiar with Ubuntu than I am.

  14. Charlie

    FYI, for Mac users, version 11 of Flash requires OS 10.6 (Snow Leopard) or later. If you are still running 10.5 Leopard, there is a new version 10,3,183,11 that is available through the Flash Download Center. There’s no explanation about this on the main Flash pages. It took me a lot of searching in obscure corners of the Adobe website to discover a disclaimer that Flash 11 won’t work on Leopard.

    Likewise, in another recent item, Brian mentioned that Apple has a new update to patch security holes in Java. That update is not available for Leopard users.

  15. JCitizen

    I’ll be glad when HTML5 catches up with flash – even Adobe released a news tidbit saying their flash is obsolete and going away.

    1. Laav

      I’m pretty sure they talked about the mobile platform, no?
      I think it will take a while for HTML5 to overtake Flash on PC’s.

      1. JCitizen

        True, but once it goes away for mobile, it won’t be long until it is gone for desktops. Adobe says they will supply their developers with the tool sets to start coding for HTML5.

  16. Peter

    Hhmmm. Updated on my laptop and now it takes two clicks for a click to register. Totally useless.

Comments are closed.