March 5, 2012

For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v 11.1.115.6 and earlier versions for Android 4.x, and Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.

For Windows, Mac, Linux and Solaris users, the newest version is 11.1.102.63, and is available through the Adobe Flash Player Download Center. To find out which version of Flash you have installed, visit this page. When you download the update, be careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus), or you could end up with more than you wanted.

Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome normally auto-updates Flash, often hours or days before the fixes are publicly released for download, although for some reason I still had the vulnerable version 11.1.102.62 installed when Adobe’s security advisory was released today. According to the Chrome Releases blog, Google began pushing out an update last night that includes the new Flash version.

Today’s update comes close on the heels of a critical Flash patch that closed at least seven security holes, including one that was at the time already being exploited to break into vulnerable systems (that one, also, was reported by Google).


30 thoughts on “Adobe Patches Critical Flash Flaws”

  1. SFdude

    Hi,

    Firefox + XP, here.

    (1) When I go to the Adobe D/L site,
    I’m offered Flash Player version: 10.3.183.16.

    (2) If I go to MajorGeeks,
    they offer Flash Player version: 11.1.102.63.

    (3) the Question:
    Which is the latest version of Flash Player
    and where should I get D/L from?
    (safely & w/o Adware, of course…)
    Kinda confusing…

    thks for pointers!

  2. SFdude

    Thanks, Tea-Time!

    Weird, your 2 prev. posts (above mine),
    only appeared after I posted my comment.

    btw:
    Is Krebs’s site
    having a CSS styling problem? ~bad-hair day 🙂

    (Firefox + XP here).

  3. SFdude

    Well,
    this Flash update,
    is getting weirder by the minute.

    (1) I UNinstalled Flash Player v.11.2.102.62.
    (using the official ADOBE Flash Player uninstaller).
    from my Firefox 3.6.27 / XP.

    Ok – v.11.2.102.62 UNinstalled successfully.

    (2) I then INSTALLED Flash Player v.11.2.102.63,
    for Firefox , XP 32 bit –
    from the Adobe site pointed by Tea-Time, (see links above)

    But when I re-opened Firefox,
    it still says
    I have the old Flash Player v.11.2.102.62 installed…

    The Adobe site also detects
    that the old v.11.2.102.62 is still installed.

    Any ideas of what’s happening?

    1. BrianKrebs Post author

      I’ve had this exact same thing happen with Flash updates. Try rebooting the box and checking the version. If that doesn’t work, remove, reboot, reinstall Flash. Should work then.

      1. SFdude

        Thanks Brian – did that,
        but still get
        the OLD Flash Player v.11.2.102.62 installed,
        after D/L v.11.2.102.63 from Adobe.

    2. TEA-Time

      Hmm! It looks like those direct links still point to v11.2.102.62 up on Adobe’s servers. I would like to take this opportunity to say.. freakin’ Adobe!!

      Here are some more direct links I gleaned from another site. They are different than the ones on the direct links page I posted above and do give you v11.2.102.63!

      Download Adobe Flash Player 11.1 (for all other browsers) 32-bit
      http://fpdownload.adobe.com/get/flashplayer/pdc/11.1.102.63/install_flash_player_32bit.exe

      Download Adobe Flash Player 11.1 (for all other browsers) 64-bit
      http://fpdownload.adobe.com/get/flashplayer/pdc/11.1.102.63/install_flash_player_64bit.exe

      Download Adobe Flash Player 11.1 (for Internet Explorer) 32-bit
      http://fpdownload.macromedia.com/get/flashplayer/pdc/11.1.102.63/install_flash_player_ax_32bit.exe

      Download Adobe Flash Player 11.1 (for Internet Explorer) 64-bit
      http://fpdownload.macromedia.com/get/flashplayer/pdc/11.1.102.63/install_flash_player_ax_64bit.exe

      1. SFdude

        Success!

        This, most recent link (post above)
        from Tea-Time, worked fine.

        v.11.2.102.63 installed ok
        in FF 3.6.27, XP-32 bit.

        Thanks Tea-Time !!

        Of course, we’ll never know
        what’s happening @ Adobe HQs…

        How can they botch such an important link
        to the latest Flash Player, after all these critical vulnerabilities were discovered…?

        Just asking…

        1. TEA-Time

          You’re welcome, SFdude.

          That’s a very good question!!

      2. Debbie Kearns

        TEA-Time and SFdude, it’s v. 11.1.102.63, NOT 11.2.102.63! Stop mislabeling it as the latter! 😮

        1. TEA-Time

          Whoops, that’s what I get for copy & pasting from SFdude’s post. Heh

          My individual links were right. 😉

  4. Debbie Kearns

    I think you forgot one thing, Brian: the Adobe Flash Player update for Mac users is 11.1.102.64, NOT 11.1.102.63! Just wanted to point that out to you.

    1. Lynda

      Ya, I noticed the same thing. Interesting, that just that tiny number can make one slightly paranoid. 🙂

  5. Phoenix

    I like to use Ccleaner to check which versions are loaded. Takes only one operation. BTW that recent Mozilla up certainly sneaked through quietly.

  6. fastoy

    Chrome still isn’t pushing the new version to me.

    1. Ron Blackwell

      Google has now pushed out the new Chrome update.

      1. JCitizen

        Yeah! And it TOTALLY failed on Vista Home Premium x64. I can no longer use Chrome – good riddance for all I care, I didn’t like their new EULA.

        So I went to Comodo and got their version of Chrome, and it works WAY better. They pay attention to privacy issues too! All my plugins work better – I could go on and on – – – ]:)

  7. SFdude

    ok – people on the DSLreports thread
    are reporting exactly the same problem –

    They d/l the new Flash Player v.11.2.102.63,
    from Adobe,
    but they get the old Flash Player v.11.2.102.62…

    see most recent posts,
    at the bottom of the DSLreports thread:
    http://goo.gl/dpfKW

    1. Debbie Kearns

      SFdude, why do you keep mislabeling v. 11.1.102.63 as v. 11.2.102.63?

      1. SFdude

        You are right, Debbie.
        It’s 11.1… (NOT 11.2 ) .
        My mistake.

        Anyhow,
        ” .63″ is finally installed & working fine,
        thanks to Tea-Time’s perseverance.

        I had some Darjeeling Tea later, in his honor.

        1. TEA-Time

          Lol

          Those are my initials, btw. It’s an oxymoron due to the fact that I really don’t even like tea. Heh

  8. Wiz Feinberg

    Brian;
    All is well now with the site css. It must have been a slow loading of scripts and graphics problem. Or, it was being restored from backups as I was viewing this article.

    I’ll let you know if this happens again on my watch.

    Wiz

  9. Debbie Kearns

    I have a feeling that many people like TEA-Time and SFdude keep mislabeling Adobe Flash Player 11.1 as “11.2”! FYI, Adobe Flash Player is NOT 11.2!

  10. Nic

    Number of security holes in Flash since last time: 20
    Number of security holes in HTML5 video since last time: 0

    Take the no-flash challenge: Uninstall it and don’t use it for one week. Then reinstall it, use it, and evaluate whether the security risk is worth it.

  11. Ape

    March 6, 2012

    ### BREAKING NEWS ! ### ADOBE PRESENTS: ###

    Adobe SWF Investigator

    Perform quick, comprehensive, analysis of SWF applications

    http://labs.adobe.com/technologies/swfinvestigator/

    Download and Discuss:
    http://labs.adobe.com/downloads/swfinvestigator.html
    Discuss SWF Investigator:
    http://forums.adobe.com/community/labs/swfinvestigator/

    Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools, which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. With SWF Investigator, you can perform both static and dynamic analysis of SWF applications with just one toolset. SWF Investigator lets you quickly inspect every aspect of a SWF file from viewing the individual bits all the way through to dynamically interacting with a running SWF.

  12. Jay Wocky

    Don’t know if this is a glitch of the newest flash player or a Firefox problem. Today–for no apparent reason–no video (e.g. YouTube et al.) can be adjusted on my XPSP3 system via the video’s own volume or screen size controls. On Firefox, I am stuck with the small image and with the volume controls on my computer and speakers. However, the YouTube et al. on-screen controls work for videos played on IE8.

    Can’t find anything today via Google re this issue. Anyone else encounter it?

    1. Jay Wocky

      This evening, the problem disappeared as mysteriously and spontaneously as it appeared. I have no explanation for either.

  13. John David Galt

    I did the Flash update (on Windows XP) and now am going to have to reinstall the old version, because the new one disables the “Download This Video” capability.

    I’m very annoyed that they did this without any prior notice. Could it be that Adobe regards it as a vulnerability when computer owners can download the videos we are viewing with Flash?

    No computer has business being “secure” against its owner.
