10
Jun 10

Adobe Flash Update Plugs 32 Security Holes

As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.
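A small version check, added here as an example rather than code from the post: it accepts the comma-separated form Adobe's "about" page reports ("10,1,53,64") as well as the dotted bulletin form, flags anything at or below 10.0.45.2 as unpatched, and checks each browser separately because IE's ActiveX control and the plugin used by other browsers are updated independently. The per-browser sample versions are constructed for illustration.

```python
"""Check reported Flash Player versions against the fixed threshold in APSB10-08.

Added example, not part of the original post.  Adobe's "about" page reports the
installed version with commas ("10,1,53,64") while bulletins use dots
("10.0.45.2"); both forms are accepted.  Sample versions below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Last vulnerable release named in the post: 10.0.45.2 and earlier are affected.
LAST_VULNERABLE = (10, 0, 45, 2)


def parse_flash_version(text: str) -> Tuple[int, ...]:
    """Parse '10,1,53,64', '10.1.53.64' or 'You have version 10,1,53,64 installed'
    into a 4-tuple of ints; missing trailing fields are padded with zeros."""
    m = re.search(r"(\d+)(?:[.,](\d+))?(?:[.,](\d+))?(?:[.,](\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(f) if f is not None else 0 for f in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the reported version is 10.0.45.2 or earlier (not yet patched)."""
    return parse_flash_version(version) <= LAST_VULNERABLE


def browsers_needing_update(reported: Dict[str, str]) -> List[str]:
    """Given {browser: reported version string}, list browsers still running a
    vulnerable Flash.  IE uses the ActiveX control and other browsers the plugin,
    so each is checked (and must be patched) on its own, as the post notes."""
    return [browser for browser, ver in reported.items() if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample: IE already updated, Firefox still on the old plugin.
    sample = {"Internet Explorer": "You have version 10,1,53,64 installed",
              "Firefox": "10.0.45.2"}
    print(browsers_needing_update(sample))  # ['Firefox']
```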

Please take a moment to check if you have Flash installed and — if so — to update it: A working copy of the code used to exploit this vulnerability has been included in Metasploit, an open source penetration testing framework. Also note that Adobe likes to bundle all kinds of third party software — from security scanners to various browser toolbars — with its software, so if you don’t want these extras you will need to uncheck the box next to the added software before you click the download button.

The vulnerability that prompted Adobe to issue this interim update (the company had been slated to issue these and other security updates on July 13) also is present in Adobe Reader and Acrobat, although Adobe says it does not plan to fix the flaw in either of these products until June 29.

Now would be a great time for longtime users of Adobe’s free Reader software to consider removing Reader and switching to an alternative free reader, such as Foxit or Sumatra.

Note that Flash generally comes with Adobe Download manager, a package that in prior versions has been found to harbor its own security vulnerabilities. The download manager is designed to uninstall itself from machines after a reboot, so to be on the safe side, you may want to reboot your system after updating Flash.

http://www.adobe.com/support/security/bulletins/apsb10-08.html


33 comments

  1. This is such a pain in the ass to install into Firefox, and I consider myself pretty tech savvy. Missing plugins are needed for the Flash installation, and their instructions for Firefox users link doesn’t go to an instructions page. So screw it, I’m just going to uninstall Flash and be done with it.

  2. Thanks yet again, Brian.

    Version 10.1.53.64 wouldn’t install in either IE or Chrome until I uninstalled the old version.

  3. That’s what I had to do as well. Once I uninstalled all the old versions, 10.1 finally installed.

  4. You can get around the need to install Adobe Download Manager by downloading the .exe with Linux, by choosing the “Different operating system or browser?” link at http://get.adobe.com/flashplayer/, and from there picking the Win version you’re using.

    I hope Adobe will get rid of the annoying ADM.

    • Below are direct links (by TekFan) for the .exe-files, which most likely can be used to download installers without DLM, on Windows.

  5. I have version 10.1.53.64. Secunia reports this one has some vulnerabilities as well. Lists it as a CAT 3 threat.

    It appears only the 10.0.x.x version is available for Firefox plug-in.

    When is the HTML-5 standard coming out, so we can dump Flash?

    I’m getting very sick and tired of Adobe’s junkware.

    • “You have version 10,1,53,64 installed”, and I’m using Firefox.

      • @F-3000,

        Yes, my FF reports the same version number: 10.1.53.64.

        The plug-in page animation works!

        I don’t know why they reported they only had a previous version available!?!?

    • Assuming HTML5 won’t bring a host of new security issues is naive. If a machine requires high security today, I can run it without Flash or Reader/Acrobat. That won’t work the same way in a world where everything you use is an HTML5 webapp.

      • I’m not saying HTML-5 will be perfect, but getting rid of Adobe will make it seem like perfection from heaven. The patch cycle will go on, of course.

        I’m sure this is why Steve Jobs was trying to dump Adobe with his new products, as things are going quite well in HTML-5 development.

      • HTML5 will almost certainly have implementation errors. It will also not be a monoculture (there will be competing implementations), so they will be easier to work around and hopefully less susceptible to catastrophic 0days.

  6. That’s weird! The page reported they only had version 10.0.45.x – or some older version like that, if I remember correctly; but when you install it, the same page reports the newer 10.1.53.64!

    Go figure!

  7. You can get around the need for the Adobe DLM (on Windows at least) by going to the download page and starting a download but canceling the DLM install. As soon as you do that you should see a link “if your download has not begun, click here” to trouble-shoot at the bottom of the page and it should link to a manual installer. Both ActiveX and non-AX installers should be available so you can cover IE + Firefox/Chrome/Opera/Whatever without having to worry about an extra Download Manager or extras.

    The only drawback is having to download and run two separate updates, but that’s a small price to pay. Afterward just point your browser to http://www.adobe.com/software/flash/about/ to make sure the update was successful and your version number is up to date.

  8. I made several uninstall/install attempts. The updated Flash Player would not install. Had to do a previous-day restore to get Flash going.

    Adobe should just go into the malware business and stay there. What a hassle.

  9. I have had problems with the DLM Adobe uses, so now I update with direct downloads.

    Flash 10.1 for IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

    Flash 10.1 for other browsers (Chrome, Firefox, Safari, Opera): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    Verify installation: http://www.adobe.com/software/flash/about/

  10. Using the posted metasploit CVE-2010-1297 module code….

    Good news: disabling Adobe Reader JavaScript blocks the malicious payload (at this time, using this code).

    Bad News: Bypasses most AV detection and MS DEP

    http://www.virustotal.com/analisis/35c963eebd911028771914c553a0d2fc785715cb98ec414a2b6abe831582a362-1276217658

  11. As usual, when I go to the Adobe Flash Player Installation Page with IE8-32, the web site falsely claims that I am using IE8-64, and refuses to make the Flash update available.

  12. It’s no wonder people have unwanted issues on their computers. Adobe – which obviously doesn’t care – still can’t decide on a name for their Flash Player, hence a large portion of users aren’t sure if they have it on their systems or not.

    Hopefully, someone designs a half-a**ed alternative so we dump Flash just like I did with Reader years ago.

    (Dear Mozilla, I have yet to get Plugin Check to work. Does it work?)

    • Gnash has one (google “adobe flash alternative”). Have read that it works but lags behind in features and not Gnash’s fault as Adobe refuses to release info to 3rd-party developers.

  13. Here’s an appropriate cartoon from “User Friendly”

    http://ars.userfriendly.org/cartoons/?id=19981122

  14. JustMyThreeCents

    Is there a substitute for the Flash plug-in? I find having to download it multiple times for different browsers, having to remove older versions manually, having to install the Windows version twice (don’t know why but that’s what my PC requires), and having to manually remove the DLM each time I update a real pain.

    And, if it weren’t for this Blog, I wouldn’t know when to update the Flash plug-in at all, potentially exposing my computer to who knows what mischief.

  15. Not sure what all the hullabaloo is about. I’ve updated multiple systems, some with multiple browsers and haven’t had an issue. I do the following:

    1. Download the uninstaller: http://kb2.adobe.com/cps/141/tn_14157.html
    (Note: it gets updated every time the player is updated)

    2. Download the browser specific exe:
    For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

    For other browsers (Chrome, Firefox, Safari, Opera): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    3. Put all files somewhere centrally accessible (ex. network storage, thumb drive, CD-R, etc.)

    4. Logged in as administrator, close all open programs (to minimize something holding Flash Player in use and requiring a reboot), run the uninstaller

    5. Run the installer (for each browser if needed)

    6. Verify installation (in each browser if multiple): http://www.adobe.com/software/flash/about

    Never needed a reboot. No Download Manager stuff, no toolbar offers. Done. Move on. :)

  16. Flash update is nagging me to update again. I went through the default uninstall/install, again, with the same can’t install results. Sooooooooooooooooo…..I’m stuck with the outdated bundle.

  17. I had no issues updating the Adobe Flash Player for both Firefox and IE8 using the Adobe DLM.

    However, updating all the instances of FlashPlayer and the Firefox/Netscape Plugin and the IE ActiveX controls located within the Flash app in CS4 was another case entirely.

    Currently, there is no global update available from Adobe for Flash CS4. All that is available are four files that must be renamed and copy/replace into the appropriate folders within the Flash CS4 Program Files folder. I found a total of 7 files that were affected. The file updates are available here:

    http://www.adobe.com/support/flashplayer/downloads.html

    Unfortunately there are no clear cut instructions regarding which files go where. I had to compare versions and size of the existing files before overwriting with the new file versions.

    While Secunia PSI helped to find the file locations for the insecure versions, its suggested fixes were inaccurate in many cases.

    For those interested in uninstalling Flash Player, and its related Firefox/Netscape Plugin and IE Active X control, an un-installer is available for both Windows and Mac. From the Adobe TechNote “tn_14157”:

    “You can uninstall the player only by using the Adobe Flash Player uninstaller. Follow these steps to download and run the appropriate uninstaller for your system:”

    http://kb2.adobe.com/cps/141/tn_14157.html

    • PSI has a new version now; they seem pretty good at updating and improving. When I use PSI for flash, I always click the hyperlink with the uninstaller for the previous version first – run it – then click the “fix-it” button to download the replacement. I never have to go chasing files after that.

      File locations seem to have become more accurate for XP now. I haven’t noticed for Vista x64 yet, as I never have to go looking for them anymore.