08
Jun 12

Critical Security Fixes for Adobe Flash Player


Adobe has released a critical update to its Flash Player software that fixes at least seven security vulnerabilities in the program. The new version also extends the background updater to Mac OS X users browsing the Web with Mozilla Firefox.

The update, Flash Player 11.3, plugs at least seven security holes in Flash Player and Adobe AIR. The company warns that attackers could use these flaws to crash the applications and seize control over unpatched systems. Flash updates are available for Windows, Mac, Linux and Android systems. Adobe AIR patches are available for Windows, Mac and Android platforms. See the chart below for the latest, patched version numbers for each platform.

According to Adobe, the background updater being delivered for Mac OS X uses the same design as the Flash Player updater on Windows. If the user chooses to accept background updates, then the Mac Launch Daemon will launch the background updater every hour to check for updates until it receives a response from the Adobe server. If the server responds that no update is available, the system will begin checking again 24 hours later. If a background update is available, the background updater can download and install the update without interrupting the end-user’s session with a prompt.

To find out if you have Flash installed, or which version is on your system, visit this link. If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Windows users who have Flash 11.2 or higher installed also have Adobe’s new updater, which is designed to auto-install updates shortly after they’re made available. Those who’d prefer not to wait can grab the new version from the Adobe Flash Player Download Center, but if you choose this route to update, be on the lookout for pre-checked boxes offering potentially unwanted extras (for example, McAfee’s security scan is often bundled here). Alternatively, direct links to the OS-specific downloads are here.

Readers who have Adobe AIR installed will need to update that application separately. The latest version, v. 3.3.0.3610, is available from this link.

Update, June 10, 9:40 a.m.: An earlier version of this post incorrectly stated that Adobe had ported its sandbox protection for Flash to Mac OS X users. It was only the background updater function that was ported to Firefox users on Macs in this version of Flash. The above text has been corrected.


28 comments

  1. Adobe should make an auto-update system for Air on Windows ASAP.

  2. Ron Blackwell

    Interestingly, Google Chrome, which usually leads with the Flash updates, hasn’t been updated yet.

  3. OK, so exactly when does Flash auto-updater let users know of an update? I have the recommended settings on.

    Since it was introduced, this is the second time the auto-updater has NOT informed me of an update.

    Thanks Brian!

    • From what I’ve seen so far if you’re set to auto update it doesn’t tell you – it just does it.

    • If you check your task scheduler you will see when it tries to auto update.

      Mine says at 8:37pm every day – After triggered, repeat every 1 hour for a duration of 1 day.

    • To guarantee that the task is triggered when the PC is scheduled to be up and running, I went to the task scheduler and changed the trigger from 6:30PM to 8:30 AM so that the task will trigger shortly after the start of my work day rather than after the end of the work day. I checked all of the other tabs to make sure that the default options were set correctly. The “Run whether user logged on or not” radio button should be set to On since the task is set to run in the rarely used Administrator account and I do my work from a User level of authorization account.

  4. thanks Brian !! thank you very much…!
    Well Done Blog, Very Well Done. I have been reading every one since discovering your site a couple of years ago. Your reporting is very much appreciated here.

  5. Brian,

    Thanks for the reminders. One minor thing noted re Air. You said the latest version is 3.3.0.3610, but after updating and checking the version installed it reads 3.3.0.3650. (Windows XP if it makes any difference).

    Ken

  6. Debbie Kearns

    Thanks for the heads-up! :)

  7. The Adobe AIR Version installed is 3.3.0.3650

  8. BTW while updating Flash I found Mozilla just updated Firefox and Thunderbird to version 13.

  9. If you run utilities like PatchMyPC regularly (like weekly), they will update your Flash and Air as well as Java and other critical software.

    I install PatchMyPC on all my clients and tell them to run it weekly. Of course, they probably don’t necessarily do it. :-) It probably would be better if it ran as a service and did regular checks on its own.

  10. Debbie Kearns

    Well, there seem to have been sound issues in the new Adobe Flash Player 11.3, as the sound is all choppy! :(

  11. same proprietary sh-t with exploits, different day.

    Adobe should pull a smart move and switch to an open and free streaming format. But that would require a loss of money, wouldn’t it?

    I hate snake oil.

  12. Didn’t I just upgrade Flash last week? It at least seems like it. (And the week before, and …)

  13. As others have said, the update notification doesn’t.

    The manual update went fine for IE9 and Chrome (which does have the new version). Not so fine for Firefox and SeaMonkey. I uninstalled and launched the test page, which then located and loaded 11.2.0.235, which tested fine. Updated again to 11.3, which again did not work. Is this yet one more example of Adobe releasing software which is not ready for prime time? Or do I just have to give up using Firefox?

  14. I just configured Flash to run under Microsoft EMET 3.0. We’ll see what that does.

    • Since I installed Flash Player 11.3, EMET has been closing down plugin-container.exe regularly.

      Check the Windows Logs > Applications in Event Viewer if you have plugin-container.exe covered by EMET as well as firefox.exe.

      The new processes for running protected mode have names which include the version of Flash Player. Since EMET doesn’t allow wildcards in process names, if you want to include this in EMET, you will have to edit the name each time there is an update. I’ve not tried putting this into EMET yet.

  15. I’m not sure where you got the information that Flash Player supports Protected Mode on MacOS X Firefox. It does not.
    http://helpx.adobe.com/flash-player/release-note/enduser-release-notes-11_3.html

  16. Updated manually my Firefox 12
    (32 bit XP Pro SP3),
    to the latest Flash plugin:
    v. 11.3.300.257.

    Flash sound is now choppy, unstable, freezes, etc.
    Problems…

    Found this amazing statement from Adobe,
    blogged June 7, 2012:
    (read carefully…)

    =quote:
    “Today, with Windows 8 just around the corner and _Windows XP usage rapidly decreasing_, it did not make sense for the Flash Player team to make that same engineering investment for Windows XP.

    Therefore, we’ve focused on making Protected Mode for Firefox available on Windows Vista and later.”
    =end quote.

    quote source:
    —————-
    http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

    “….with Windows XP usage rapidly decreasing…”.

    What?
    Abandoning millions of XP users, Adobe?

    How incompetent of you…one more nail in your coffin, Adobe.

  17. While I generally dislike Microsoft releasing 3rd party modifications or add-ons, as they’ve done in the past with Firefox and some .NET related add-on, I would applaud Microsoft were they to add Flash updates to their Windows Update.

    Surely some deal could be struck with Adobe?

    Or is Silverlight too much of a competitor and they’re not concerned with their (Microsoft Windows) users and their system’s security?

    Were I Microsoft, I would strike a deal with Adobe to add Flash updates to Windows Update and push them out on the exact day of the Flash update’s release, giving the option to the user to set a lasting configuration value for Flash updates for MSIE, and/or other browsers, with the option to set a permanent disable option for those who wouldn’t wish to receive these updates with Windows Update.

    Flash may or may not be a competitor to Silverlight, but with the established installed base of millions of Flash users, one would hope Microsoft would care more about the security of its users and provide it as a Windows Update.

    • It’s being done with Windows 8. Copied from:
      http://blogs.msdn.com/b/b8/archive/2012/06/01/web-browsing-in-windows-8-release-preview-with-ie10.aspx

      The Windows 8 Release Preview includes a new power-optimized, touch-friendly Adobe Flash Player for IE10 that is updated through Windows Update. Adobe Flash content on compatible websites will now play in the new Metro style web browser. This optimized Flash Player is integrated with IE 10 in Windows 8 to ensure that our customers have a great experience browsing the web on Windows 8. We believe that having more sites “just work” in the Metro style browser improves the experience for consumers and businesses alike.

  18. Thanks Brian. I’d also suggest that everyone control their flash settings to:

    • Block all sites from storing information on this computer
    • Block all sites from using the camera and microphone
    • Block all sites from using peer-assisted networking

    On OS X this is in System Preferences>Flash Player
    Also set these at the Adobe Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html

  19. If only the automatic update facility actually worked. I guess that the Adobe update servers are underpowered. One is obliged to download and install via the web to avoid exploitation of the flawed Flash.

  20. Adobe released a new version today: Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers) Version: 11.3.300.262. The Task Manager said the update task ran successfully. The Download folder is empty. Adobe says that I am still running Version 11.3.300.257. The Admin user was active during the first update window. Bottom line: the Auto Update function still does not work for plugin-based browsers.