08
Oct 12

Critical Adobe Flash Player Update Nixes 25 Flaws


Adobe has issued an update for its Flash Player software that fixes at least 25 separate security vulnerabilities in the widely-installed program. The company also pushed out a security patch for its Adobe AIR software.

The chart below shows the newest patch version numbers released today. Updates are available for Windows, Mac, Linux and Android systems. Windows and Mac users can grab the latest updates from the Flash Player Download Center, but be on the lookout for bloatware toolbar add-ons that come pre-checked (like McAfee VirusScan). Other OS users should consult the Adobe security bulletin. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site.

Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser.

Most users can find out what version of Flash they have installed by visiting this link. Google released an update to Chrome today (22.0.1229.92) that addresses these vulnerabilities on Windows, Mac and Linux; to find out what version of Chrome you have and if updates are available, click the icon with three lines to the right of the browser address bar and select “About Google Chrome.”

Adobe spokeswoman Wiebke Lips said the company was not aware of any exploits in the wild for any of the issues patched in this release. Nevertheless, if you have Flash on your system (and most readers will) it’s a good idea to take care of this update soon.

26 comments

  1. Thank you for the heads-up Brian, as always.

    This patch is rated by Adobe as “Critical” and “Priority 1” for Windows Operating Systems. Critical and Priority 1 definitions provided by Adobe are, respectively:
    • “A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.”
    • “This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours).”
    (https://www.adobe.com/support/security/severity_ratings.html)

  2. I imagine that the reason one can’t find a direct link to download an offline installer (for ActiveX and Firefox) is Adobe wants to push their crapware. Theirs is not the most efficient way to patch more than one machine.
    Then again, they’re the company that requires 12 separate patches with the prior version’s dependency to update Acrobat 9 from 9.0 (CD) to 9.5x. Even Microsoft mastered the service pack 15 years ago…

  3. I prefer this link for checking your version, as it tells you that alongside the latest one available. http://www.adobe.com/software/flash/about/

  4. The easiest way to check your Flash version is to right-click any Flash ad or video (such as the Flash ads on Brian’s site). The version number is provided at the bottom of the Flash menu.

    http://dl.dropbox.com/u/828705/Flash_version_check.png

  5. Anyone experiencing slow site loads and unresponsive script warnings after installing this update? It was so bad for me that I rolled back to the prior version…

  6. Hi M,

    Everything is fine for me. Websites with Flash work fine. YouTube is perfect as well. I am using IE 9.0.10 64 bit on Windows 7 SP1 64 bit.

    I also use Google Chrome v23.0.1271.22 (Beta) as a secondary browser (Pepper Flash 11.4.31.200).

  7. It is not a security issue, but Firefox and Vista/Windows 7 do not play well together on some machines. This is caused by the protected mode which Adobe has introduced to promote security.
    So if you experience 1/10 speed downloads just in Firefox, it is not a virus, but protected mode instead. It can be fixed by editing a configuration file.
    Also, though it may be old news to some, failure to work in Internet Explorer may be due to ActiveX filtering, which can be turned off under Tools > Safety. Once you see it, there is a button next to the address box which shows this, but it is not obvious (to me).

    • Hi Mike,

      Thanks for the information on this compatibility issue (which causes a reduction in rendering speed). Would you care to elaborate on the configuration file for Adobe Flash Protected mode for Firefox?

      I am always interested to learn more. Thanks.

  8. Thanks for the replies. I’m using Firefox on Windows 7, and had not encountered any prior issues with Firefox and Windows 7 re: an Adobe protected mode prior to the new Flash update, and I had been current with all prior updates thanks to regularly checking Krebs & Flash auto update. Will do further research and post any info I find for anyone else who might be encountering the same issue…

    • Hi M,

      I would also be interested to learn what is causing this, just in case I have to troubleshoot this in my professional or personal life.

      Thanks for researching this.

  9. - http://h-online.com/-1726163
    09 Oct 2012 – “… It is very likely that the “day-before-patch-tuesday” release of the fixes was due in part to the Pwnium 2 security competition* which will take place on Wednesday 10 October where security researchers will attempt to break the security provisions of popular browsers…”
    * http://blog.chromium.org/2012/08/announcing-pwnium-2.html

    • Thanks for the link PC Tech. That makes a lot of sense, actually. I pinged Adobe about the strange timing of this update, and asked why they didn’t just wait until today (Patch Tuesday for Microsoft) as they do with quarterly releases of Adobe Reader and Acrobat. Here was their cryptic response.

      “At this time, only Adobe Reader and Acrobat are officially on a “Patch Tuesday” release schedule. That said, we try to schedule security updates for other Adobe products on Patch Tuesdays as much as possible. In some instances, however, there are factors (such as engineering schedules) that require us to release updates on different dates.”

  10. Has Adobe Flash 10 been officially abandoned? I have seen no notice from Adobe.

    • No, Adobe has not abandoned Flash 10. Go to this link to find and download the latest secure version(s) of Flash 10:

      http://forums.adobe.com/message/3854689#3854689

      I gave up on Flash 11x after it caused chronic video malfunctions on my XP/SP3 system, particularly with YouTube. No update of Flash 11 ever corrected this problem, at least none that I have tried. As I said, I gave up a few updates ago.

      • Right, but does that mean those versions of 10 from August don’t have any of the security fixes since August, or does it mean they aren’t vulnerable?

        • The date on the Adobe Forum page whose link I wrote in, above, is the date of the posting of the original question. The links on the page have been changed several times since then to connect to the latest, secure version of Flash 10. I have also personally corresponded with Chris Campbell, Adobe’s staff moderator of this page, who sent me links via private email, and verified the security of, several previous (now updated) Flash 10 releases. I check this page periodically to see if the Flash 10 version that I have matches with the latest version linked on this page. Hope this clarifies for you.

          • Thanks for explaining. Adobe should be made aware that not changing the date on that page is confusing, because no other version or date information is visible. Also, none of the announcements reference 10.x, further leading to confusion.

  11. The Flash Auto Update only installed the ActiveX module. Below are sections of FlashInstall.log:
    11.4.402.287 2012-10-08+23-04-43.255 ========
    InstallFlashPlayer.exe” -install -skipARPEntry -iv 9 -au 4294967
    Flash\FlashUtil64_11_4_402_287_ActiveX.exe
    Flash\FlashUtil64_11_4_402_287_ActiveX.dll
    FlashPlayerCPLApp.cpl

    The Flash Auto Update did not update the Adobe Flash Player Plugin used in FireFox. When I checked the Flash level this morning I used my trusty shortcut to: https://www.adobe.com/software/flash/about/ which showed the discrepancy. I used a shortcut to https://www.adobe.com/products/flashplayer/distribution3.html to download the plugin for FireFox. This link is the same link mentioned by JimboC. I have used these two links together for a long time and am quite happy with their usefulness.
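
Added example (not part of the comment above and not Adobe's own tooling): a small check for the situation just described, where the ActiveX control is current but the browser plugin is not. It reads the version out of file names shaped like the ones in the log excerpt; the "Plugin" flavor name, the Plugin entry and its version are assumptions made for illustration, and 11.4.402.287 is the version shown in the log.

```python
import re

# File-name pattern taken from the log excerpt in the comment above, e.g.
# FlashUtil64_11_4_402_287_ActiveX.exe. The "Plugin" flavor name is an
# assumption; only the ActiveX files appear on the page.
_NAME = re.compile(
    r"FlashUtil(?:32|64)_(\d+)_(\d+)_(\d+)_(\d+)_(ActiveX|Plugin)\.(?:exe|dll)$",
    re.IGNORECASE,
)
_FLAVORS = {"activex": "ActiveX", "plugin": "Plugin"}


def installed_versions(paths):
    """Map each Flash flavor to the highest version seen in the file names."""
    found = {}
    for path in paths:
        match = _NAME.search(path)
        if match is None:
            continue  # not a versioned Flash helper, e.g. FlashPlayerCPLApp.cpl
        version = tuple(int(part) for part in match.group(1, 2, 3, 4))
        flavor = _FLAVORS[match.group(5).lower()]
        if version > found.get(flavor, (0, 0, 0, 0)):
            found[flavor] = version
    return found


def stale_flavors(paths, required):
    """Return {flavor: version} for installed flavors older than `required`."""
    wanted = tuple(int(part) for part in required.split("."))
    return {
        flavor: ".".join(map(str, version))
        for flavor, version in sorted(installed_versions(paths).items())
        if version < wanted  # numeric compare per field, so 402.99 < 402.287
    }


# Constructed listing: the ActiveX and .cpl names are from the log excerpt;
# the Plugin entry and its older version number are made up for illustration.
SAMPLE = [
    r"Flash\FlashUtil64_11_4_402_287_ActiveX.exe",
    r"Flash\FlashUtil64_11_4_402_287_ActiveX.dll",
    r"Flash\FlashUtil32_11_4_402_265_Plugin.exe",
    r"FlashPlayerCPLApp.cpl",
]

if __name__ == "__main__":
    for flavor, version in stale_flavors(SAMPLE, "11.4.402.287").items():
        print(f"{flavor} is still at {version}; update it separately")
```

A flavor that is not installed at all is not reported, so a machine with only the ActiveX control comes back clean once that control is current.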

  12. 25 security holes?

    Most (but not all) usages of Flash are one of the following:

    1. Replaceable (eg HTML5 video or youtube-dl or wget)
    2. Content that’s equivalent to daytime television
    3. Ads

    Consider the possibility that Flash’s value is overstated. Uninstall it for a week, then reinstall the newest version, and use it. See if you still view it the same way.

  13. Firefox’s “plugin check” alerted me to this update on October 4.

  14. Hey Brian,
    A question about another subject.
    Do you have any information about this news: http://reason.com/24-7/2012/10/05/us-attempting-to-shut-down-canada-drug-s ?

    It seems some illegal Russian pharmacies have stopped their spamming campaigns. Do you know if some of them have been shut down?
    Maybe it can be a good subject for one of your next posts? :)

  15. FYI, for those who browse with Flash disabled in Google Chrome:

    Chrome re-enables Flash after each browser update of the built-in Flash plug-in. It doesn’t stay disabled.

    So, if your next session is full of Flash ads, re-check your plug-in settings.