April 15, 2011

If it seems like you just updated your Flash Player software to plug a security hole that attackers were using to break into computers, you’re probably not imagining things: Three weeks ago, Adobe rushed out a new version to sew up a critical new security flaw. Today, Adobe issued a critical Flash update to eliminate another dangerous security hole that criminals are actively exploiting.

This new update addresses a vulnerability first detailed here at KrebsOnSecurity.com on Tuesday, and Adobe deserves credit for responding quickly with a patch. But there are few things that are simple about updating Flash, which ships in a dizzying array of version numbers and for many users must be deployed at least twice to cover all browsers. In addition, users may have to uninstall the existing version before updating to guarantee a trouble-free install. Adobe AIR also needs updating if it is installed. Finally, fixing this same vulnerability in Adobe Reader and Acrobat will require installing another patch, which won’t be out for at least another 10 days.

The new version fixes a flaw that exists in Flash v. 10.2.153.1 (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.2.156.12 and earlier versions for Android.

Adobe recommends that users of Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011.

Not sure which version of Flash you have? Visit this version checker link to find out. Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link.
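The version list above is easy to misread, because each distribution channel has its own fixed build and the numbers do not line up across channels. The following Python is an added example written for this page (not Adobe's tooling and not code from the post): it compares installed Flash Player and AIR builds against the fixed versions quoted above, channel by channel. The fixed version numbers are the ones the post gives; the sample inventory is constructed data, not output from a real machine, and the comma-separated version form the parser accepts is assumed to match what the Windows registry records for Flash.

```python
"""Added example: compare installed Flash Player / AIR versions with the fixed
builds quoted in the post. Version numbers come from the post; the inventory
below is constructed sample data, not output from any real machine."""
from typing import Dict, List, NamedTuple, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.153.1' (or the comma form '10,2,153,1', assumed here to be
    what Windows registry entries record) into a tuple of ints. Tuples compare
    component by component numerically, so 10.2.159.1 > 10.2.9.1, which a plain
    string comparison would get wrong."""
    return tuple(int(part) for part in text.replace(",", ".").split("."))


class Channel(NamedTuple):
    fixed: Optional[str]  # None means the advisory lists no fixed build yet
    note: str


# Fixed builds exactly as the post quotes them from Adobe's advisory.
CHANNELS: Dict[str, Channel] = {
    "flash-desktop": Channel(
        "10.2.159.1",
        "Flash Player for Windows, Mac, Linux, Solaris; the IE ActiveX control "
        "and the NPAPI plugin for other browsers share this number"),
    "flash-chrome": Channel("10.2.154.27", "Flash bundled with Google Chrome"),
    "flash-android": Channel(
        None, "Flash Player for Android; fix promised for the week of April 25, 2011"),
    "air": Channel("2.6.19140", "Adobe AIR for Windows, Mac, Linux"),
}


def status(channel: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'vulnerable-no-fix' for one install.

    Each channel is judged only against its own fixed build: Chrome's patched
    10.2.154.27 is numerically below the desktop fix 10.2.159.1, so comparing
    every install against 10.2.159.1 would wrongly flag a patched Chrome."""
    fixed = CHANNELS[channel].fixed
    if fixed is None:
        return "vulnerable-no-fix"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "vulnerable"


# Constructed inventory for one user who has IE, Firefox and Chrome on Windows,
# an Android handset, and AIR, and has run Adobe's installer only once (from IE).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("IE ActiveX control", "flash-desktop", "10.2.159.1"),
    ("Firefox NPAPI plugin", "flash-desktop", "10.2.153.1"),
    ("Chrome built-in Flash", "flash-chrome", "10.2.154.27"),
    ("Android handset", "flash-android", "10.2.156.12"),
    ("Adobe AIR runtime", "air", "2.6.19120"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Status of every (name, channel, version) record in the inventory."""
    return [(name, status(channel, version)) for name, channel, version in inventory]


def needs_action(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Names of installs that still need an update (or a fix from Adobe)."""
    return [name for name, result in audit(inventory) if result != "patched"]


if __name__ == "__main__":
    for name, result in audit(SAMPLE_INVENTORY):
        print(f"{name:24s} {result}")
```

Run as a script, the sample inventory shows the two points the paragraph makes: the IE ActiveX control is patched while the Firefox plugin on the same machine is still at 10.2.153.1 (the installer has to be run a second time from the other browser), and the Chrome build 10.2.154.27 counts as patched even though it is numerically lower than 10.2.159.1. The Android entry is reported as vulnerable with no fix because the post lists none yet.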

If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

For those who are manually updating Flash without the download manager, the link to the Adobe Air updater (version 2.6) is here.

Keeping up with Flash and other security updates for plug-ins is one area where Google Chrome really shines. Google automatically updates Chrome with the newest version of Flash, and it typically does this at least one or two days before Adobe officially releases Flash updates (it looks like Google updated Chrome to fix this flaw on Thursday). According to Google’s Eric Davis, Chrome also sandboxes Flash for Chrome browsers running on Windows Vista and Windows 7. In addition, Chrome updates other out-of-date extensions automatically, and automatically updates its built-in PDF viewer, which also is sandboxed.

Speaking of PDF viewers, Adobe said in its advisory issued Tuesday that the same flaw that bedevils Flash also exists in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. The company says it plans to make an update available for Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh no later than the week of April 25, 2011. As it said in the case of the previous Flash flaw three weeks ago, “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”


47 thoughts on “Time to Patch Your Flash”

  1. Marc

    There’s nothing like using an iPad, where all apps self-update using a system built into the OS, to make as drastic a contrast as is humanly possible from the ugly mess that is Flash updates.

  2. Chris

    The direct download link sourced in the article takes you to an “Uninstall Flash Player” webpage.

  3. finack

    This might be a good time to remind people about Secunia’s PSI software offering, which regularly scans for programs that you have installed that have known security updates, and even will automatically install updated versions for a certain number of participating programs – including Adobe Flash and Reader. It’s available for Windows, and the firm is a trusted player in the security industry.

    https://secunia.com/vulnerability_scanning/personal/

    1. Dirgster

      Secunia PSI is a great program! Although I am cautiously updating regularly, it’s good to know that Secunia makes sure that all is well and relatively safe on my computer.

    2. Al Mac

      Maybe I am missing something with PSI Secunia.

      After getting to 100% Secure score, I got me a Secunia Community Profile, with user-id AlMac99, then I got the e-mail verification taken care of.

      To log in, I need to register a password, but it won’t let me register AlMac99 because I am already registered, without a password, I assume. I tried that, fortunately it won’t let ANYONE use my id, without a password. I can’t use their forum etc. until I resolve this … I am wondering if maybe AlMac99 is an invalid user-id for their site.

      The specific error message is:
      This username is unavailable

      I got to the “my profile” place by following the link provided in the Secunia Community Profile e-mail confirmation

      Maybe someone else before me is using that.

  4. Mike

    I updated Flash after reading your article, and then scanned with the Qualys BrowserCheck you recommended a few articles ago. It confirmed that Flash was indeed now up to date, but my Real Player was out of date. The fix it button soon solved that problem. Thanks for the tips on keeping up to date. Great stuff.

  5. JimV

    Among the more irritating things that occur with Adobe’s manual installer is the normal failure to uninstall the previous version’s OCX file from the \Windows\system32\Macromedia\Flash folder. It seems I always have to delete that *.ocx file manually after the installation process completes. However, since that’s now part of the routine, it’s less irritating than putting up with their truly obnoxious downloader and the junk that seems to come along with it.

    As always, thanks for the heads-up!

    1. Al Mac

      I just installed the PSI solution, thanks to the suggestion here. I previously had Belarc Advisor to perform the same function … except with Belarc I have to remember to manually run the check, and I can forget for too long. With PSI it is going in the background and lets me know sooner, but I wonder if I have too large a load of stuff in the background.

      Each finds alleged problems not found by the other, and provides links to try to fix those problems.

      A very nice feature of PSI is that after I do a fix, it cleans up the unwanted files associated with the earlier version of whatever I got updated.

      In case you’re not familiar with Belarc, start here:
      http://www.belarc.com/

      1. Heron

        If you’re concerned about Secunia running in the background, just let it load when you start up your computer, then close the program when you’ve verified that there’s nothing to update.

  6. JimV

    Just discovered that the reason that OCX file doesn’t get uninstalled with the installation of the newer version is because Secunia’s PSI has ahold of it and won’t allow deletion. I started running the OSI (online version) long ago when Brian first described it and then installed PSI after my rural home finally got wireless broadband and I could ditch dial-up a couple of years ago, and I hadn’t realized that it was the culprit — so, guess I should apologize (a little) to Adobe….

  7. Joe

    When is it time to stop using flash? This is ridiculous.

    1. Charlie Griffith

      Joe….Thank you.

      I’m the hapless Lay-Man-At-The Keyboard who has just read this dizzyingly complex set of recommended do-this-do-that-in-this-sequence…set of recommendations so very much reminiscent of those thankfully past days of programming one’s VCR……

      ……maybe none of the readers here are old enough to recall that exercise, or they have sent that memory swishing in a circle down Orwell’s aptly named “Memory Hole”.

      Because this information provided here by Krebs is in fact so critical for those apparently in need of all of this inherent complexity, I’d say that a certain number of computer application manufacturers are laughing all the way to the bank.

      Just waiting for the next ring’s act in this tented circus.

      1. Martin

        For non techies, Chrome is the best browser because it updates itself, along with Flash and does not use the Adobe Reader but has its own PDF viewer. You should use a PDF reader other than Adobe’s.

      2. JCitizen

        Hi Charlie;

        Most of my clients are empathetic with you. This is why I put PSI and File Hippo on the PC for them, and it pretty well takes care of itself. I just get occasional questions; but not much more.

        Now Win7 operating systems updates are another story!!

    2. Al Mac

      Flash is used by many, many Internet sites.

      If you want to use the Internet, you are stuck with Flash, until some Adobe competitor comes along with something competitively superior for the web designers to use. It also might have problems.

      I really hate Flash
      (a) Our security settings are on THEIR site, not under our control on OUR computer.
      (b) Their web site for updating this is worse than Facebook on user-hostility scale.
      (c) Like Yahoo, you need to revisit from time to time, to fix the security, because they sometimes do mass updates without informing the users.

      If you were unaware of this dimension, start here:
      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

    3. Kyle Jones

      > When is it time to stop using flash? This is ridiculous.

      For PowerPC Mac users, that time is now, since Adobe has just now dropped Flash support for PowerPC CPUs.

      1. Chad

        I think that happened a while ago. But I may be mistaken since that PowerPC is on Linux now.

      2. JCitizen

        PowerPC? What does outdated circuit architecture have to do with Flash or not? If you don’t like Flash, simply uninstall it and avoid it.

        Me personally, I’d like to see SilverLight take that position. Adobe has been abusing it long enough!

  8. Moike

    I always remove the useless and buggy AuthPlay.dll now right after every Adobe Reader update. I’m ahead of the curve, and have already blocked the next security hole!

  9. Chad

    So now that we have had an article on the Mac getting infected and the get a Mac is starting to fade, we now have

    “There’s nothing like using an iPad, where all apps self-update using a system built into the OS, to make as drastic a contrast as is humanly possible from the ugly mess that is Flash updates.

    These Mac people I swear to God, that Ipad and iphone is probably small enough to shove up edit edit edit.

    Hot debate. What do you think” LOL

  10. brucerealtor

    Secunia PSI does seem to do the trick, but my question is how quickly does it do the trick?

    1. JCitizen

      Not as quick as it used to just a month ago! Microsoft has hosed Vista x64 so badly with their latest updates, I’ve had to repair/reinstall every program on my PC. Even File Hippo stopped informing me of updates on the standard account.

      Looks like I’m back to logging on the Admin side at least once a week to do my update checks.

  11. F-3000

    Hah, updated flash on Ubuntu before Update Manager even realized on its own that it should fire. Thanks, Krebs.

  12. Uzzi

    Dear Brian (or should I say “Dear #1 world heads-up on Adobe flash updates”? ;-)), thanks for the good work.

    As imho Adobe flash is a persistent security risk I only enable flash for sites with a 24/7 security monitoring. (Websites I don’t know or that are not trustworthy run sandboxed anyway if I have to visit them.)

    But mind those folks running older machines (schools, seniors, youngsters, small offices etc.), regularly without any idea of updates. Wouldn’t it be interesting to report why Microsoft Update and security software companies don’t warn their users on flash security issues or how Adobe thinks about the usability of their flash updates?

    .oO(Someone else wondering why most AV-software installs on outdated windows machines? – I guess they know they’re worth nothing if OS and browser are outdated.)

  13. Chad

    Oh come on there can’t be that many mac users on this column that I got voted down that quickly. Lol The ipad might be too big.

    1. F-3000

      My guess is because your comment’s rudeness was very unnecessary, especially to a comment whose point was to praise the simplicity of updating. The platform just happened to be something that you seem to hate.

      As an example, people who get utterly pissed just because they see something Apple related should shove up their attitude edit edit edit.

      1. BrianKrebs Post author

        Oh no you don’t. It’s true I am a Mac user (MB Pro, iPhone and iPad), but also have at least one full time Linux box in addition to several virtual installations of non-Windows OSes.

        1. Troy

          Ahhh, yes, Brian, you are well-rounded I am sure from reading your columns. But I was simply replying to Chad’s comment: “Oh come on there can’t be that many mac users on this column that I got voted down that quickly…”

          Just thought he should know the author of the column happens to use a Mac and so do a bunch of the rest of us. 🙂

  14. Chad

    I would say bad guess since that comment is also hidden for being disliked. Whatever

    1. EdJ

      It isn’t just the content of the comments. Sometimes comments are disliked because they are potty-mouth or vulgar, sound immature, or are OT. Commenters (not just you, Chad) should try posting opinions using reasonable language and arguments. Otherwise, Brian might be inclined to hire a moderator.

      FYI: The topic of this thread is updating Flash.

  15. brian martin

    For those who have not tried it and are concerned about flash adverts on web pages I suggest trying the FlashBlock extension for Firefox. I only allow flash to run for a limited set of sites, the principal one being the BBC iPlayer.

    Brian

    PS. Thanks for suggesting the Qualys scan. It detected I had the old version of flash.

  16. Bob Mahaney

    I don’t know why nobody is mentioning using FileHippo for getting these updates. I do, and it’s a breeze. There are no signs of unwanted crapware that I’ve noticed. Thanks for all of this Brian, you’re the best!

    1. pwojdat

      Agree with you Bob. FileHippo is great! I have been using it for a couple of months now. It scans your computer really fast and provides you with a download link to update whatever is outdated.

      +1

    2. Maureen

      I also use FileHippo for checking updates daily. I love it, but to keep good habits, I still make myself go out to the manufacturer’s website to download.

  17. Mike

    The bad guys seemed to hit these vulnerabilities hard. I run a small IT shop and have been absolutely buried with systems infected with XP Security 2011 and friends in the past two weeks to the point I’ve had to bring in additional staff to handle it. And unlike many of the scareware infections we usually see, these have been pretty heavy handed – breaking windows update, exe associations, and more. My guess is these guys got into some pretty high traffic sites at the right time…

    Right before the tax deadline too – led to some fun discussions with customers about turnaround time and overload…

  18. DiSTANTX

    Hello,

    I’m a 20-year-old German programmer and would like to introduce one of my applications, “Alternative Flash Player Auto-Updater” to you.
    It works on all Windows systems that have Microsoft’s .NET Framework installed. It can check for the latest version of Flash Player once your system is started or regularly (e.g. every 2 hours).
    Many sites have already covered this tool, I’d be glad if it would help you.

    Download it here: http://www.wecode.biz/p/alternative-flash-player-auto-updater.html

    [I hope this post is okay for you]

    1. JCitizen

      Very well DiSTANTX; however, I always send my clients to trusted sites like download.com(CNET), Major Geeks, or File Hippo, to name a few. Most of them have your alternative flash player auto updater, and they trust those sites.

      Web-of-Trust gives your site an excellent rating though. I try to keep it simple for newbies and use few trusted sources until they get used to using a good site adviser. Out here, some of the other sites don’t download well either.

  19. DiSTANTX

    @JCitizen:
    The link I posted directs to my own homepage and I think we can call that one “trusted” since I upload the applications there, other sites just mirror them.
    I am really glad that the application helps you and your clients!
    Feedback is always appreciated.

  20. Paula

    I’ll be real happy when someone comes out with a replacement for Adobe Flash! I dumped Adobe Reader long ago. Whada ya know, no more problems with a PDF Reader, lol.
