February 15, 2012

Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.

In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google —  was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.

Adobe is urging users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris to update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

To find out what version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted. Thankfully, Adobe no longer appears to make you first install its annoying Download Manager to grab the latest Flash version, or at least it didn’t when I fetched the update today.

Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome users should already have this update, as Chrome auto-installs Flash updates – often hours or days before the fixes are publicly released for download.


16 thoughts on “Flash Player Update Nixes Zero-Day Flaw

  1. Jay Wocky

    No mention of a separate Flash player update for IE8 (Active X). Is there one this time? My IE8 still shows 11.1.102.55 still running there following my update installation via Firefox.

  2. JimV

    Adobe hasn’t gotten rid of their download manager exactly, just provided it in a different form — the download from Adobe through that link above is simply a 750 Kb stub installer. After it initializes, it will download the full 7+Mb file required for the complete installation of whichever flavor (IE vs. other browser) was selected.

    Here’s a link to a thread from mid-January on Adobe’s forums with the explicit direct-download links for all the different browser flavors and OS options:

    http://forums.adobe.com/thread/909550

  3. Stratocaster

    A good while ago Adobe announced they were going to release all this stuff on Black Tuesday when Microsoft released their monthly scheduled updates to help avoid user confusion and extra work for IT types. Why couldn’t they have done this yesterday along with the Shockwave security update? Do we need to send them more Red Bull?

  4. Sid

    Hi. I was wondering if the patched security holes include what was briefly reported as 0-days sometime in December 2011?
    The company which found them refused to tell Adobe about them without being paid a fee.
    Since Secunia rated those flaws as “critical”, for last 2 months, I have been forced to keep Flash disabled at all times, unless its really necessary.
    Mr. Brian, do you have any information on this?
    Thanks!

  5. Tim

    It’s worth remembering that Flash has to be installed separately for each browser instance on your machine. Adobe’s successful confirmation of the update can be very misleading. If for example…..

    – Firefox is your browser of choice and what you use all day.
    – I.E. is your default browser for whatever reason (primarily work-related and possibly enforced by Group Policy)
    – You update Flash for Firefox and the update succeeds
    – The install routine culminates in launching the default browser (as above I.E.) stating that the update was successful and you are running the latest version.

    This is wrong and misleading. Flash for I.E. will have to be updated separately!

    Tim

    1. BrianKrebs Post author

      Thanks, Tim. I usually include this information in my Flash stories, but somehow forgot this time. I’ve added a sentence to that end in the blog post above.

    1. BrianKrebs Post author

      Hrm. Sid, I don’t think that Secunia advisory is related to this 0day. The CVEs in that Secunia write-up are cve-2011-4693 and cve-2011-4694 — the one above is CVE-2012-0767.

      1. Sid

        Ok. I did not observe that. But the point is, there may still be 0-days lurking for Flash Player as Adobe is determined not to pay the “fee” to access what Intevydis has found out.
        A “bad guy” may also “purchase” it from them & use it for their nefarious activities. Since the CVEs listed by Secunia DO NOT specify anything [“Unspecified Vulnerability” in both cases], I was only wondering if above CVEs actually fix the CVEs which list “unspecified” risks in Flash Player.
        But, it now seems that it may be impossible to know this, till Adobe & Intevydis agree to collaborate.

        In summary, there may be positives & negatives in the stances taken by Intevydis [by charging fees for their “hard work”] and Adobe [by not “purchasing”] – but at the end, the end-user suffers.

        Mr. Krebs, just imagine if all security research companies decide to be like Intevydis & affected product’s vendor also shows no interest, we may soon be running lots of vulnerable software which can be exploited by the “bad guys”.
        For now, it seems I have to continue “using” Flash in disabled mode & only enable it on trusted sites and/or when absolutely essential.
        Thank you!

  6. Phoenix

    Brian, or anyone else still trying the Adobe sandboxed flashplayer beta version: Take a look at your flash player versioon in IE and seeif the version 11.202… beta version is running. I found the sandboxed flashplayer overrides the regular version but I doubt very much if IE sandboxes it. BTW removing the sandboxed beta version requirees the special uninstaller; the normal one doesn’t kill it.

  7. thegreyfoxx

    I find the Flash Update v. 11.1.102.62 does not support Vista OS 64-bit version…
    so, we 64-bit users remain vulnerable with v. 11.1.102.55 ??
    this is not good.

    What is with Adobe not supporting XP and Vista 64-bit OS ??

  8. junki

    I am running XP Pro SP3 32 bit and FF 3.6.26 with Flash 11.1.102.55. Adobe download center continually wants to give me 10.3.183.15 instead of 11.1.102.62. Does anyone know whats up with that? The dist3 listed above shows both but doesnt explain.

  9. junki

    Thanks Brian, Adobe has certainly got this messed up. After using the uninstaller to remove the Flash, their site http://www.adobe.com/products/flash/about/ confirmed but wanted to give me 11.0.1.152 so I linked to the download center at http://get.adobe.com/flashplayer/, it still wanted to give me 10.3.183.15. I ended up downloading 11.1.102.62 from dist3 as above http://www.adobe.com/products/flashplayer/distribution3.html and all is well. I suppose all options to disallow flash cookies, sound. camera etc need to be rest.

  10. Charlie

    For Mac OSX users who haven’t upgraded to Lion or Snow Leopard, Flash version 11 doesn’t work with older systems. But Adobe has released a recent upgrade to version 10 — it’s 10,3,183,15.

Comments are closed.