March 21, 2011

Adobe today released a software update to plug a critical security hole in its Flash Player, Adobe Acrobat and PDF Reader products. The patch comes a week after the software maker warned that miscreants were exploiting the Flash vulnerability to launch targeted attacks on users.

The Flash update addresses a critical vulnerability in Adobe Flash Player 10.2.152.33 and earlier versions (10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, and in Adobe Flash Player 10.1.106.16 and earlier versions for Android.

Adobe is urging all users to upgrade to the latest version — Flash v. 10.2.153.1 (Chrome users want v. 10.2.154.25, although Google is likely to auto-update it soon, given their past speediness in applying Flash updates). Update: According to The Register’s Dan Goodin, Google updated Chrome to patch this Flash flaw a full three days ago!

Original post: Click this link to find out what version of Flash you have installed. If something goes wrong in your update, or if you’re just a stickler for following directions, Adobe recommends uninstalling the current version of Flash before proceeding with the update (Mac users see this link).

As always, if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing to the Flash Player Download Center. A manual installer for Windows should be available at this link.

If you have Adobe Reader or Acrobat installed, you are going to have to update these programs, too, because they contain the same vulnerability Adobe said attackers have been using against Flash users. For users of Adobe Reader 9.4.2 for Windows and Macintosh, Adobe has made available Adobe Reader 9.4.3. Adobe says the “protected mode” built into its Adobe Reader X version would prevent an exploit of this kind from working, so the company doesn’t plan to address the issue in Reader X until the next quarterly update, due out June 14, 2011. In the meantime, Adobe Reader X users on Windows and Mac should make sure they have the latest version installed (10.0.2). If you want to check your version of Reader, open the program, click the “Help” menu, and then look for an entry that says “About Adobe Reader.”

Reader users on Windows and Mac can use the software’s built-in update mechanism, by choosing “Help,” then “Check for Updates.” Alternatively, the download page is here (note that updating via the Web site may pre-check the option for installing other software, such as security scanners: If you don’t want those extras, pay close attention during the install process).

More details on these updates are available at the advisory Adobe re-released today.
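The post asks readers to look up version numbers by hand and compare them against several different "fixed" versions (one for desktop Flash, one for Chrome's bundled Flash, one for Reader 9, and none yet for Reader X). As an added example, not code from the original post or from Adobe, the Python below turns those version numbers into a small checker that reports whether each install is vulnerable, patched, mitigated (Reader X behind Protected Mode) or unknown. All version numbers come from the post; the channel labels, rule table, function names and sample inventory are assumptions constructed for this example. It goes slightly beyond the text in one respect: a version on a release line the advisory does not mention (a newer beta, for instance) is reported as unknown rather than patched, because a larger number alone is not evidence that this particular fix is in it.

```python
"""
Added example, not code from the original post: given the version strings the
post tells readers to look up, decide whether a Flash Player or Reader install
still lacks the fix Adobe released on March 21, 2011.

Every version number below is taken from the post. The channel labels, the
rule table, the function names and the sample inventory are constructed.
"""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.2.153.1' -> (10, 2, 153, 1).

    Integer tuples are what make '10.2.153.1' rank above '10.2.99.0';
    comparing the raw strings would get that backwards.
    """
    return tuple(int(part) for part in text.strip().split("."))


class Rule(NamedTuple):
    product: str                   # "flash" or "reader"
    channel: str                   # constructed label for the install type
    branch: Tuple[int, int]        # major.minor release line the rule covers
    affected_up_to: Optional[str]  # "this version and earlier" per the post
    fixed: Optional[str]           # first version carrying the fix, if released
    mitigated: bool                # vendor says a sandbox blocks the exploit


RULES = [
    # Flash Player 10.2.152.33 and earlier on Windows, Mac, Linux, Solaris.
    # The same rule covers the IE ActiveX control and the other-browser plugin,
    # which the post reminds readers to update separately.
    Rule("flash", "desktop", (10, 2), "10.2.152.33", "10.2.153.1", False),
    # Flash bundled with Chrome has its own version line.
    Rule("flash", "chrome", (10, 2), "10.2.154.18", "10.2.154.25", False),
    # Android: affected ceiling stated, fixed version not given in the post.
    Rule("flash", "android", (10, 1), "10.1.106.16", None, False),
    # Reader/Acrobat 9.4.2 -> 9.4.3.
    Rule("reader", "desktop", (9, 4), "9.4.2", "9.4.3", False),
    # Reader X: no fix until the June 14, 2011 quarterly update; Protected Mode
    # is said to stop this exploit, so the install is mitigated, not patched.
    Rule("reader", "desktop", (10, 0), None, None, True),
]


def assess(product: str, channel: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'mitigated' or 'unknown'."""
    v = parse_version(version)
    rules = [r for r in RULES if r.product == product and r.channel == channel]
    if not rules:
        return "unknown"
    # 1. At or below a stated "and earlier" ceiling: the fix is absent.
    for r in rules:
        if r.affected_up_to and v <= parse_version(r.affected_up_to):
            return "vulnerable"
    # 2. On a release line the advisory covers: compare against that line's fix.
    for r in rules:
        if v[:2] == r.branch:
            if r.fixed is None:
                return "mitigated" if r.mitigated else "unknown"
            return "patched" if v >= parse_version(r.fixed) else "vulnerable"
    # 3. A release line the advisory does not cover (a newer beta, say):
    #    a bigger number is not evidence that this fix is in it.
    return "unknown"


# Constructed inventory in the shape a per-machine check might collect:
# (hostname, product, channel, component, version string).
SAMPLE_INVENTORY = [
    ("pc-1", "flash", "desktop", "ActiveX (IE)", "10.2.153.1"),
    ("pc-1", "flash", "desktop", "plugin (Firefox/Opera)", "10.2.152.32"),
    ("pc-1", "reader", "desktop", "Reader 9", "9.4.2"),
    ("pc-2", "flash", "chrome", "Chrome bundled", "10.2.154.25"),
    ("pc-2", "reader", "desktop", "Reader X", "10.0.2"),
    ("pc-3", "flash", "desktop", "plugin (Firefox)", "10.3.180.42"),
    ("phone-1", "flash", "android", "Android", "10.1.106.16"),
]


def report(inventory):
    """Attach a verdict to each inventory row, rows still needing action first."""
    rows = [(host, comp, ver, assess(prod, chan, ver))
            for host, prod, chan, comp, ver in inventory]
    order = {"vulnerable": 0, "unknown": 1, "mitigated": 2, "patched": 3}
    return sorted(rows, key=lambda r: order[r[3]])


if __name__ == "__main__":
    for host, comp, ver, verdict in report(SAMPLE_INVENTORY):
        print(f"{host:8} {comp:24} {ver:13} {verdict}")
```

The two-step check matters for the case the post describes for Internet Explorer: the same machine can hold a patched ActiveX control next to a still-vulnerable plugin for other browsers, so each component is assessed on its own row rather than per host.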


33 thoughts on “Critical Security Updates for Adobe Acrobat, Flash, Reader”

  1. Al

    I am so tired of updating the multiple versions of Flash Player, Adobe Reader and whatever else there is.

    Adobe makes this process as painful as possible. I finally just uninstalled every version of flash that I have, since Chrome is my main browser now and everyone in the household is using it.

    Why in the world can’t Adobe make a simple adobe updater that keeps track of all of the Adobe software on your PC and keeps it updated. Microsoft does it, Apple does it, Why can’t Adobe?

    1. xAdmin

      I feel the pain as well, although I have simplified the process as follows:

      Have two browser bookmarks for Flash (don’t use Reader, Foxit instead), one for the Flash uninstaller which is typically updated with every Flash update and one for the manual download. Both of these Brian links to. I then save these files to my network attached storage, login to each PC as administrator, run them, log back in as non-admin and go to the about Flash Player page to confirm the version. It’s straightforward and only takes about five minutes tops on the three systems in the house. (No reboot needed) 🙂

      For an overall updater, you can try the latest version of Secunia’s PSI, which always runs in the background (if you leave it configured to do so, the default setting) and checks for any available updates to all software installed on the system. The only caveat is that it requires administrator privileges to work which is a problem as you should always be logged in as a non-admin for a better security defense. That’s why I prefer more control of the process by manually keeping up with patches, first by limiting the amount of software on my systems to minimize what needs patching and second by staying informed on computer security news by frequently visiting various websites (ex. this one, SANS ISC, Microsoft’s MSRC Blog, etc.). As the old saying goes, security starts with awareness! 🙂

      1. Marc

        I use a system very much like yours. Links to the Adobe tester page, the uninstaller and the new installers can all be found at flashtester.org. On Windows there is usually no need for the uninstaller however as recent versions of Flash can be removed from the Control Panel.

      2. Insert Real Name

        I use Secunia PSI 2.x on Windows 7.

        Even if the autostart tray icon component of the program runs in the current user’s security context, when PSI finds an out-of-date program for which it has an auto-update module available, then PSI does start an auto-update, and this is handled by the two services that Secunia installs, which run in the System security context: Secunia PSI Agent and Secunia Update Agent. Update installation is handled silently, with only a brief balloon from the tray icon to list the updates applied.

        As far as I can judge on limited experience, these PSI auto-updates are simply the original software updates wrapped in an executable that applies whatever options are needed to make them as silent as possible.

        When the PSI GUI is opened via the tray icon, it immediately wants UAC elevation. If you run a system scan and updates are available from PSI, then these will be run in the elevated context via the above-mentioned services, and you won’t see any UAC elevation prompts.

        Secunia indicates somewhere in the help or on its website that it only provides auto-updates for security-relevant program changes–not just for bugfix or feature updates.

        Overall, I’m very happy with the version 2.x of Secunia PSI, it really does do most security updates for popular programs in a completely automated way.

    2. drzauisapelord

      Maybe the other browser makers should follow the Chrome model and take responsibility for core add-ins like flash. We don’t need Yet Another Updater. Just do it in the application and auto-update. Power users can disable auto-update as needed.

      Either this or integrate with Microsoft Update.

      Of course, this is all borderline useless if you’re running a local admin.

    3. Dirgster

      I feel the same way you do, Al! I just got through updating my Windows 7 and Windows XP machines, which took quite some time. I’m so thankful though that Brian Krebs is alerting us about these critical updates, so we can stay safe out there!

  2. TheGeezer

    Thanks for the info and the links, Brian. Made everything much simpler.

  3. SFdude

    Brian,
    thanks for the heads-up.

    I first uninstalled my current Flash Player.

    Then, I D/L from FileHippo.com,

    http://www.filehippo.com/download_flashplayer_firefox/

    the latest Flash Player (non-IE),
    for my FF 3.6.15 ( XP-SP3 ).

    The advantage of D/L from FileHippo.com,
    is you don’t get those pesky, unwanted add-ons f/Adobe.

    FileHippo.com didn’t have available for D/L,
    the Flash Player version you pointed out in your article:
    10.2.153.1

    The latest version of Flash Player (non-IE)
    @ FileHippo was:
    10.3.180.42 (beta 1).

    It installed & works fine.

    Just sharing my feedback. Thanks again!
    SFdude

    1. NotMe

      The beta version of Flash (10.3.180.42 beta 1) available on filehippo was last updated March 8, 2011. Do you think it fixes the security flaw that was only made known about a week ago?

      Filehippo is doing you no favors by making the beta versions of Flash available and promoting the beta versions over the official versions.

      1. CloudLiam

        You can set the updater to ignore all beta versions. That should be the default IMO but I still find the FileHippo Updater to be safe, reliable and quite useful.

        1. NotMe

          I use the FileHippo update checker myself and I find it quite useful.

          But… The problem demonstrated here is that SFdude went to FileHippo looking for a fixed version of Flash. He found a version with a higher version number than the vulnerable version of Flash. But that higher version one happens to be a beta released before the security flaw was announced/discovered. SFdude installed it thinking it would fix the security problem. It almost certainly does not (unless Adobe has a time machine or can see the future).

          That’s an example of a problem with sending people to a site like FileHippo for security updates. FileHippo doesn’t concern itself with flagging security updates. It doesn’t tell you that you’ve got a vulnerable piece of software installed that has active exploits in the wild. It keeps old versions around and doesn’t flag any of them as being vulnerable to known exploits. It has no mechanism for flagging important updates for security reasons. It makes it too easy to install old vulnerable programs. I could go on and on about flaws in the FileHippo model in terms of being a tool for security.

          SFdude installing the beta version of Flash is an example of why Brian does not, and should not, send people to sites like FileHippo for security updates. That doesn’t make FileHippo bad. It just means it’s not an appropriate site to send people for security updates. And if you use FileHippo yourself you need to be aware and choose your downloads wisely.

          1. xAdmin

            You express my concerns exactly with using third party tools. While they can be helpful, more often than not, they add complexity to an already complex environment. Thus, my preference and recommendation to go directly to the horse’s mouth (so to speak) for updates. I digress, while I do see the value of these third party services, one would be wise, no scratch that, very wise, to consider the source, confirm, and re-confirm, just where the update information is coming from. Nothing beats the direct source! Beta? Seriously, beta? I DON’T want BETA software. That is unless I really want to be part of the beta testing process! You really need to be VERY security savvy these days!!!!!

  4. Kevin Severud

    Adobe Reader X for Windows will not be updated until June 14. From http://www.adobe.com/support/security/bulletins/apsb11-06.html :
    “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”

    1. Chris

      Thanks for finding that, I was just going to ask where the update for Reader X was. I was able to download and patch flash and our acrobat users yesterday but was still waiting on reader.

    1. John Ulster

      Seemed like all the buttons on Softpedia were trying to get you to use their product, “Driver Performer” and I’m not excited about using yet another download enhancer. FileHippo on the other hand simply lets you get the Adobe installers.

    2. BrianKrebs Post author

      I hear what you’re saying, AJ, but I would be very hesitant to recommend readers get in the habit of downloading vendor patches from anywhere but the vendor’s site. That’s a slippery slope that will wind up being bad advice at some point.

  5. mrmikel

    FWIW, having tinyspell active will cause Internet Explorer to jump to the wrong page and never to the download page.

  6. Jeremy

    I used Secunia in the past for updating programs, but now I use CNET TechTracker. I think it’s better for updates like these, because it automatically checks for updates on programs on start up, instead of me having to manually do the check with Secunia. Is there any reason that Secunia is preferable to TechTracker that I don’t know about?

  7. Patrick C

    Just to clarify, only Adobe Acrobat X (Windows and Mac) and Adobe Reader X for Mac can be updated to 10.0.2. Adobe Reader X for Windows remains at 10.0.1.

    You discussed that Adobe is not issuing an update for Adobe Reader X for Windows until June, but the rest of the paragraph made it seem like the current version was 10.0.2.

  8. Ron Blackwell

    I wonder if anyone else is having the same problem I’m having. I uninstalled all Flash players, as recommended. Then I updated using the manual installers.

    The MS IE update went fine. But when I update my non-IE browsers, I always get version 10.2.152.32.

    Any suggestions?

    1. BrianKrebs Post author

      Hi Ron. Adobe likes to tweak its downloads around patch time and in the past, the pages for the downloaders weren’t actually serving the latest version at the time Adobe put up its advisories. You might try downloading the installer again and seeing if that fixes things.

      1. Ron Blackwell

        Thanks, Brian. It’s weird, but every method (manual installation, Adobe DLM, third party sites, etc.) I used over the past two days for non-IE browsers always resulted in Adobe Flash version 10.2.152.32.

        I did, however, find a workaround. After googling around, I found a bundled zip file of the latest version (for multiple browsers) at

        http://kb2.adobe.com/cps/142/tn_14266.html.

  9. jeff

    Please re-post the links to directly download Adobe Reader and Flash without the DLM. Thanks.

  10. Peter Mcleod

    what is the difference between flash and shockwave players? I’ve Googled this and I’m still none the wiser. Thanks Brian, love your column.

    Peter

    1. BrianKrebs Post author

      Thanks, Peter. Maybe this will help, from a previous blog post about Flash. The short answer is Shockwave is a separate player than regular Flash. But some browsers, like Firefox, merely relay what Adobe puts in the descriptor for the Mozilla version of Flash, so when you check your plugins in Firefox, you’ll see your Flash labeled as Shockwave Flash.

      http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/

      Not sure whether you even have Shockwave Player on your system? You’re not alone. Because of a long history of rebranding between Macromedia and Adobe, the various naming conventions used for this software are extremely confusing. Here’s Adobe’s effort to draw clearer distinctions between the Flash and Shockwave multimedia players:

      Both Flash and Shockwave are multimedia players. They can give you extended and predictable abilities across a range of browser brands, versions, and platforms. (Sometimes you might hear someone refer to “Shockwave Flash”, but these are actually two different multimedia players.)

      Flash has a small player which gives it a wider distribution. Flash is included in every Netscape download. Flash also has a very fast startup time. The way the Flash format interleaves media and instructions also helps it start quickly.

      Shockwave has a deeper player. It offers multiuser chat, XML parsing, HTML manipulation, an extensive and fast scripting language, distant file retrieval, programmatic control of vector shapes, and bitmap manipulation.

      Mozilla is one of those that refers to the regular Flash Player plugin as “Shockwave Flash.” Firefox users can find this under “Tools,” “Add-ons,” and then under the “Plugins” tab. By the way, the latest, most secure version of Flash is v. 10.0.42.34, so if your version of Flash is lower than that, it’s time to update your Flash Player as well. Adobe shipped an update in December that fixed at least seven critical vulnerabilities in Flash. Instructions on how to update the Flash Player to the latest version are available here.

  11. tom

    I’m having some problems since these Chrome updates.
    1) I can’t upload photos on Facebook. I’m always forced to use the “Simple Uploader” which is such a hassle when I’ve got hundreds of photos to upload.

    2) I can’t attach files in my emails! I had to use Firefox to do it.

    Not computer savvy. Any help will be much appreciated.

    best regards,
    Tom
    t0msky@yahoo.com

  12. Kevin Severud

    Brian,

    What’s your take on Adobe relying on the sandbox feature in Adobe Reader X for Windows to contain this vulnerability?

    As we all know, security in depth (i.e. layers) is important and thus it would seem in this case that it would still be wise for Adobe to fix the actual problem instead of relying on a “safety net”.

    1. BrianKrebs Post author

      It’s a nice show of confidence (hubris?) on Adobe’s part. But I think sooner or later this kind of response will bite them in the tail. At some point in the gap between a disclosure of a critical flaw in Reader and an official patch for the X version, some smart hacker will post a proof of concept or malicious hackers will just figure out a way to attack it.

      I’m guessing Adobe knows what’s at stake here and will adjust their schedule accordingly to the extent that it’s possible. But it does seem a little strange that they’d wait until later this summer to address it.

  13. David

    Why aren’t there more questions surrounding G*’s irresponsible release of their patch days ahead of Adobe, thereby leaving all non-Chrome users hanging out to dry while the criminals reverse engineered the G* patch and built exploits for the vulnerability? Do no evil, indeed.

    1. Dick Rider

      David.. Irresponsible??! This was being actively exploited and Google released a patch 3 days before Adobe itself. Adobe obviously needed more time to test before rolling out, but they are the one that detailed the exploit to Google in the first place. I’m sure Google was aware of the time it would take for Adobe to issue a fix. Hardly a cause for concern.

      Anyway, if you had the capability and desire to reverse engineer and actively exploit this vuln within 3 days and actually achieve something beneficial, then I’m sure you wouldn’t need to in the first place.
