13 May 2011

Critical Flash Player Update Plugs 11 Holes


Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.

In the advisory that accompanies this update, Adobe said “there are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.”
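As an added illustration (not from Adobe's advisory or this post), a defender-side scan for the delivery vector the advisory describes: a Flash file embedded in a legacy Word or Excel container. It looks for the SWF header signatures ("FWS" uncompressed, "CWS" zlib-compressed) and applies plausibility checks on the version and length fields before flagging; the sample document is constructed here and contains no exploit.

```python
import struct
import zlib

# SWF file header: 3-byte signature, 1-byte version, uint32 little-endian length.
# "FWS" = uncompressed body, "CWS" = zlib-compressed body (length is the uncompressed size).
SWF_SIGNATURES = (b"FWS", b"CWS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container signature
MAX_SWF_VERSION = 40  # anything above this is not a real Flash Player version


def _looks_like_zlib(stream: bytes) -> bool:
    """Check the 2-byte zlib header that must follow a CWS header (CM=8, FCHECK valid)."""
    if len(stream) < 2:
        return False
    cmf, flg = stream[0], stream[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def find_embedded_swf(data: bytes):
    """Return [(offset, kind, version, length)] for plausible SWF headers inside a blob."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8:
                version = hdr[3]
                length = struct.unpack("<I", hdr[4:8])[0]
                plausible = 1 <= version <= MAX_SWF_VERSION and length > 8
                if sig == b"FWS":
                    # uncompressed: the declared length must fit in what follows the header
                    plausible = plausible and length <= len(data) - pos
                else:
                    plausible = plausible and _looks_like_zlib(data[pos + 8:pos + 10])
                if plausible:
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def scan_attachment(data: bytes) -> dict:
    """Summarise what a mail gateway would flag for one attachment."""
    swfs = find_embedded_swf(data)
    is_ole = data.startswith(OLE_MAGIC)
    return {"is_ole_document": is_ole, "embedded_swf": swfs, "suspicious": is_ole and bool(swfs)}


def build_sample_doc() -> bytes:
    """Constructed sample (no exploit): an OLE-style blob with a compressed SWF dropped inside."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x40\x00" * 20  # dummy body
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b" FWSAIRCRAFT "  # plain text containing the signature; version byte 'A' fails the check
    return OLE_MAGIC + b"\x00" * 64 + decoy + b"\x00" * 16 + swf + b"\x00" * 32


if __name__ == "__main__":
    print(scan_attachment(build_sample_doc()))
```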

The vulnerabilities exist in Flash versions 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The new version for most platforms is 10.3.181.14; Android users should upgrade to Flash Player 10.3.185.21 available by browsing to the Android Marketplace on an Android phone; Google appears to have updated Chrome users automatically with this version of Flash back on May 6 (Chrome versions 11.0.696.68 and later have the newest Flash version).

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

Adobe says Flash Player 10.3 includes a new auto-update notification mechanism for the Macintosh platform, which should alert Mac users to new Flash updates (this feature has been available on the Windows platform for a while now).


48 comments

  1. Thanks for the heads-up.

    Speaking of update notifications, I wish you could set the check frequency to daily. That’s up to 7 days I’m needlessly exposed.

    The last time the auto updater found an update before me was at some point in 2010.

    • Dear lun;

      If you use File Hippo’s update checker you will get it immediately. However, if you rarely turn/(log) off your PC, you should right click the FH icon and select [Rescan for updates], at least once a day.

      • Would be useful if the FH checker would work. On my Win7 it just stops working when I try to run it.

        • You could always try CNET email notifications, or download other updaters – I think SoftPedia has one now, but I’m not sure. I can’t recommend Software Informer, I don’t trust it.

          • Where you can find info regarding your suggestion from CNET?

            • @F-3000;

              CNET pretty well reminds their readers of the service. If you go to the review page for a favorite download, there is an “add this to my list” in the CNET community section. You may have to allow scripting to get that.

          • Not to beat this to death, but the notification from CNET arrived in my Inbox a short time ago, time stamped 5/15/2011, 0323 PDT; Softpedia’s notification arrived on 5/13 at 0300 PDT – fully two days earlier (which has pretty much been my experience with their service). Next time, I’ll also perform an on-demand scan with FileHippo’s Update Checker to see whether they had updated their database; either way, they are also faster at updating than CNET are.

            • Thanks AJ!!

              If that utility from Softpedia gives notifications on standard accounts, I may use it instead of File Hippo! If not I still may download that today.

  2. Thanks, Brian.

    For those who’d like to be notified ASAP of new versions of Adobe Flash Player (and their Shockwave Player, along with a slew of other commonly-installed applications, such as the Java RTE), one can subscribe to the individual apps (after a free registration) at http://softpedia.com/ – they update their software list very soon after an update is released (often before it’s even listed at the vendor’s own site!); they’ll send you an e-mail alert with download links.

  3. Will a company ever challenge the dominance of Adobe Flash and create something compatible, yet more secure? I hate the fact that it is at the center of 0-day after 0-day with little recourse due to heavy dependence for web functionality.

    • “something compatible, yet more secure”? The better question to ask is when HTML5, SVG, etc. get mature enough to remove Flash once and for all and get better security, browser performance and stability in one fell swoop.

      After we get that done, can we please work on re-architecting PDF into a stripped-down “Secure Document Format” with just enough functionality to render documents and all of the multimedia and JavaScript security holes removed as well? Please?

      • Rabid Howler Monkey

        @Joshua
        There are plenty of options for dealing with Flash 0-days:
        o operate your OS as a non-admin user (and not the default user)
        o whitelist your favorite Flash sites in your browser (which blocks everything else) or use the Firefox add-on FlashBlock (which blocks everything until you click to allow)
        o use Google’s Chrome browser which includes Flash and automatically receives Flash updates (don’t let Vupen’s recently-announced Chrome exploit scare you away)
        o use an alternative OS such as Mac OS X, Linux or RIM’s QNX-based Playbook (just be aware that Flash 0-days also apply to these OSs, but have yet to be massively exploited as they are on Windows)

        @eCurmudgeon
        Adobe Reader X is sandboxed on Windows and includes configuration options for disabling JavaScript and executable launching. Or consider using an alternative PDF Reader such as FoxIt (also configurable), SumatraPDF or the PDF Reader included in Google’s Chrome browser. Default PDF Readers on alternate OSs are not Adobe’s.

        • Adobe Reader X is sandboxed on Windows and includes configuration options for disabling JavaScript and executable launching.

          True. However, I’d still like to see these features along with other security vulnerabilities excised from the PDF standard altogether. This way, it becomes easier to validate PDF documents (via mail/web security gateways) for potential threats. In addition, a Secure Document Format spec would allow for “SDF Readers” that don’t even contain code to parse JavaScript, multimedia extensions, etc. and subsequently present a dramatically smaller attack surface.

          • Rabid Howler Monkey

            @eCurmudgeon

            Understood, but until then …

            You did pique my interest though. Here’s a link to a free site (an experimental online service) that attempts to sanitize individual PDF documents of exploits via conversion of pdf to postscript and back to pdf:

            http://ossbox.com/pdfcleaner.htm

            Some users might be interested in this service if they want to take precautions for an individual pdf document they have received.

            And a link to using squid and python to do similarly in an automated manner:

            http://www.sans.edu/student-files/presentations/animalFarm_rev3.ppt
            “Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid”

            This looks like a lot of work. No wonder you want a secure document format. :)

  4. FileHippo.com is also a good source for the latest Flash Updates (“manual updates” = no extra ad bars/nagware).

    • True; I also use their little Update Checker – http://update.filehippo.com/updatechecker/ (a useful complement to the Secunia PSI), but it only scans on restarts (and, of course, manually).

      Still, Softpedia.com consistently update their software list with impressive rapidity. A case in point was this morning; when I got their e-mail that Adobe Flash had updated (and the Adobe Flash Uninstaller, to which I also subscribe) and visited Adobe’s site, they were still listing the previous version – even scanning it as current. It was not until about an hour later that they updated their system.

  5. FileHippo alerted me to the new Flash versions when I booted up this morning, so I downloaded and installed the updates on all the office machines before Brian’s notice arrived. I didn’t know the uninstaller had been updated, though — will grab the new version, so thanks to AJ for mentioning that.

    Note to Brian: I’m not sure if this happened to others, but I received 5 separate copies of the e-mail notice with identical time stamps that all arrived at the same time. Not a big problem for me to delete the extras and it might be the fault of my ISP, but thought I’d post it in case something was glitched in your system’s mail server that needed debugging.

    Here are the header bits (with the e-mail address domain names obscured) FYI:

    Received: from krebsonsecurity.com (mc-web10.prolocation.net [94.228.133.163])
    by mtain-mc02.r1001.mx.aol.com (Internet Inbound) with ESMTP id A28D038000084
    for ; Fri, 13 May 2011 15:01:34 -0400 (EDT)
    Received: from apache by krebsonsecurity.com with local (Exim 4.63)
    (envelope-from ) id 1QKwgC-0007tt-SB; Fri, 13 May
    2011 20:01:37 +0200

    • Clarification — the time stamps for none of the 5 messages were identical, and after the first the others lagged by 3, 6, 10 and 28 seconds. I think this was probably just a hiccup in the originating e-mail server.

    • My apologies for the spam. I had a pretty major server outage for about an hour today, right after I published a blog post. When the server came back online, it burped out several copies of the same email. I think what happened was the mail server was trying to send out the new post notification but couldn’t because the Web server was down, and so it kept trying at some interval and for some reason the messages queued up.

      • Several of my forums quadruple the emails like this once in a while. You’re not the only one Brian. I just ignored it – I’m used to it.

        You gotta great page here, and I recommend you to everyone I meet on the other discussions. I even recommended your page today to my banker! He was very appreciative, as I scare the dickens out of him regularly!!

      • Brian, not a problem — I don’t consider anything you send out as spam, even having 5 duplicates of the same message appear simultaneously. The wonky server was just trying to follow its marching orders…

    • The Adobe Flash Player Uninstaller is updated with each new release of the Flash Player. In fact, the download links themselves for the players (all) and the uninstaller don’t change from release to release, so if you bookmark them you’ll be good-to-go every time.

      Another small tip: if you’re keeping tabs on the Java RTE and manually updating it, its automatic update can be deselected, thus reducing the Services that load with Windows by one. (This is especially helpful on older, more modest rigs and netbooks.)

      • Tsk Tsk AJN. Are you running with Local Administrator privileges? ;)

        For over a year now, the Update tab has been missing from the Java Control Panel, when logged on as a Power User or as a (Restricted) User. Disabling the “Check for Updates Automatically” option when logged on as a Local Administrator does not carry over to non-admin users on the same machine.

        This is based on my experience with Win7 Pro and WinXP Pro. This may not apply to other flavors of these OSs.

  6. Also – if you are a CNET subscriber – you can sign-up for email notifications of new versions of a wide variety of applications. I should think they cover flash also.

    • Yes, I also subscribe to their notification service and they do (their library is far more extensive than FileHippo’s, as is Softpedia’s); however, it’s been my experience that they tend to lag both of the other sites. (For example, about two years ago, Sun brought out a new version of their Java RTE to patch several critical security holes, and it took CNET over a week to list it.)

  7. Thanks again for this critical heads up.

  8. A great place to download flash without any of the junk is http://www.ninite.com many other programs too.

    • @ Steven

      Brian frequently has said: “Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.”

      Don’t know anything about the site you are recommending, but I think it’s worthwhile to go to the vendor and get the real thing without any spurious extras.

    • The http://ninite.com folks also produce the site http://updateflash.org/ for a quick, single-purpose verification of your browser’s Flash status.

      –Bob.

  9. I’ve been using the Qualys browser checker that you recommended in one of your emails recently, you have to get it to scan manually, but it seems to do the job. https://browsercheck.qualys.com/

  10. The Zeus v.2.0.8.9 source code has been public for three days now.
    http://www.wasm.ru/forum/viewtopic.php?id=41224&p=1

  11. According to MaxPC, the new Adobe update’s chief feature is its ability to delete flash cookies. This would be very nice, assuming it works effectively. Currently I use Better Privacy, a Firefox add-on, to accomplish this. It appears to work well.

  12. The Flash Player Preference Pane on the Mac fails to truly delete all site data (LSOs). The same issues that existed in the Settings Manager for Mac OS X exist in the Pane. Seems like the updater will work and the new controls are nice but very inconsistent. Not sure if the same problems exist in Windows, but the Preference Pane in Mac OS X is a privacy fail.

    http://www.magmatic.com/currents/2011/5/13/new-flash-preference-pane-still-struggles-to-help-protect-pr.html

  13. The OSX preference pane is a start, but I can’t believe they still don’t know how to sort columns! With machines that haven’t been cleaned up in a long time (due to the pain of the old web-based Settings pane), it is really obnoxious trying to remove most of the LSO’s while keeping those few that serve a purpose.

  14. Many programs like Super AntiSpyware allow complete auto-updates to the program without manually uninstalling and reinstallation, why can’t Adobe provide this feature with their Flash plugin?

    Even Java has an update check which you may set by number of days and an auto update feature, surely by now Adobe should be considering something of this nature.

  15. Best source for software update notifications, not to mention other important security info?

    It’s listed right in Brian’s Blogroll! :)

    http://isc.sans.edu

    Keep your ear to the ground and visit several times a day! ;)

    After all, security starts with awareness!

    • Where on SANS would one find upgrade notifications? I wandered through the site without finding anything of that sort.

      • If not on the home page, then scroll down to the bottom to see the Diary Archive. Or click “Complete Archive” to see more. You’ll see various posts about software updates. As I said, if you visit the site frequently, you’ll always stay abreast of not only software updates, but other current security news. It’s the first place I found out about the recent Flash Player updates. :)

  16. The update notes include the addition of a Flash Settings Panel manager under the user’s computer “Control Panel” (i.e., like Java?)

    I’m running XP — but so far the Setting Panel does not appear in my Control Panel

    >>> From Adobe >>>
    Beginning with Flash Player 10.3, the Local Settings Manager supersedes this Online Settings Manager for managing global settings on Windows, Mac, and Linux computers. The Local Settings Manager can be accessed in the Control Panel on Windows and in System Preferences on Mac. Users of other operating systems and earlier versions of Flash Player can continue to use the Online Settings Manager described here.

    To access the local Flash Player Settings Manager that is native to your operating system:

    * Windows: click Start > Settings > Control Panel > Flash Player
    * Macintosh: System Preferences (under Other) click Flash Player
    * Linux Gnome: System > Preferences > Adobe Flash Player
    * Linux KDE: System Settings > Adobe Flash Player
    <<< end <<<

    So — if you can’t access the local Settings Manager you’re left with all the Flash defaults on storage, P2P, etc.

    What Now???

    • For Greybeard: If you follow the trail you noted in your post–namely, “Windows: click Start > Settings > Control Panel > Flash Player”–you may find the new “Flash Player” icon at the bottom of the list out of alphabetical order, if you have not rebooted your XP box in a while. That’s where I found it on my old PC.

      • Sarah,

        Thank you for the info — searched the list — and rebooted, but no joy — think I’ll re-install.

        Curious if you checked settings — and if so, did they retain your Setting Panel preferences.

        Again, Thank You

        • You can try using the Flash Player Uninstaller (links below). Be sure to close all open programs first. Then download the manual installers (plural if you need to update multiple browsers; I just use IE8). Then go to the “About” page to confirm the version.

          Uninstaller:
          http://kb2.adobe.com/cps/141/tn_14157.html

          Manual Installers:
          http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller

          About page:
          http://www.adobe.com/software/flash/about/

          I’m running Windows XP (w SP3) and use this process. It always works flawlessly. As to the new settings manager or Flash cookies, I just leave the defaults and instead use the commands listed below in a batch file that I run after every browser session. It deletes the Flash Player directories where any cookies are stored (they get re-created next time Flash is used) and clears everything in Internet Explorer (ex. cookies, history, temporary Internet files, etc.)

          @rem Removes Adobe Flash Player cache directories (straight quotes required; curly quotes break the path)
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe"
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"
          @rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords (Applies only to IE7 and newer)
          rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

          (hopefully this goes through without the commenting system flagging it) :)

          • Revise that first command as follows if you also have Adobe Reader, so the command ONLY removes Flash Player stuff (I don’t use Adobe Reader, Foxit instead, so I just delete the entire Adobe directory):

            rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"

      • Simply hit the F5 key to refresh your Control Panel icons. Likewise, F5 can refresh your Add/Remove Programs list.

    • Late reply to Greybeard…

      I am finding that the new Flash Player Settings Manager applet appears in WinXP Pro’s Control Panel, but not in Win7 Pro’s Control Panel.

      You can access the new F.P.S.M. by right-clicking any Flash content in your browser and selecting “Global Settings…”. (Same method as with previous versions) Your Flash Player does not need a re-install.

      Btw, I am changing the Playback>Peer-assisted Networking from the default “Ask me when a site wants to use peer-assisted networking” option to the “Block all sites…” option on all our employee systems. Sends up a P2P red flag for me. Any thoughts on this ‘feature’?

      http://help.adobe.com/en_US/FlashPlayer/LSM/WS6aa5ec234ff3f285139dc56112e3786b68c-7ff5.html#WS6aa5ec234ff3f285139dc56112e3786b68c-7ff3