June 5, 2011

Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability — a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version (on Internet Explorer, the latest, patched version is  To find out what version of Flash you have, go here.

Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.

Adobe said it is still investigating whether this is exploitable in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems, and that it is not aware of any attacks targeting Adobe Reader or Acrobat in the wild.

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

16 thoughts on “Flash Player Patch Fixes Zero-Day Flaw

  1. JBV

    Thank you, Brian, for this very timely alert. You are an invaluable resource for your readers. I will certainly use the “Donate” button on the right to express my gratitude.

  2. WD

    Brian, your guidance of whether or not to upgrade the ActiveX version of Flash is slightly misleading. Even if you don’t use IE at all, you need to make sure that the ActiveX version is up to date. Other programs, such as Microsoft Office, use the ActiveX version of flash. And since Windows XP comes with the Flash ActiveX control, *all* Windows XP users need to install the new ActiveX version of Flash. (or disable/uninstall it if you don’t want it)

  3. EdJ

    @ WD: Now I’m confused; this update is just for Flash Player, not for all Adobe Flash products. And, are you saying that *only* Windows XP users need to download it?

    1. WD

      No, I did not imply that *only* XP users need to update. All Windows users who have an older version of the Flash ActiveX control need to install the update. And because Windows XP comes with the Flash ActiveX control, then *all* Windows XP users need to install the update if they have not already taken steps to remove or disable Flash.

  4. DeborahS

    On the infamous other hand, if you don’t want to wait for someone else to find another hole, and you don’t want to wait for Adobe to fix it and announce it (with all those other completely unidentified holes currently still in use), there is another strategy.

    Actually there are three other safe strategies. One is to never install Adobe Flash, and that’s 100% safe, at least so far as the Adobe Flash attack vector goes. Second is to uninstall it if you’ve already installed it, and that’s probably 99.9% safe. Third, you can disable Flash and only temporarily enable it when you absolutely need it, and disable it immediately after using it. I’d guess that this is probably about 90% safe.

    Fourth, it just occurs to me, is to patiently wait for HTML 5. It’s not in common use yet, so no safety projections can be made for it. But it’s likely to be a good bit safer than any version of Adobe Flash released to date.

  5. me

    Adobe reader uses activex flash or firefox flash, anybody has any idea?

    1. WD

      Neither. Like most Adobe products, Reader provides its own Flash runtime rather than using a systemwide-installed version, such as the ActiveX control. In other words, when a Flash vulnerability is fixed, nearly every Adobe product needs to be re-released with the fixed runtime.

      1. me

        is there a way to find out the flash version of the adobe reader?

        1. WD

          Find authplay.dll. Right-click it and click properties and then click the Version tab.

        2. Heron

          Adobe Flash and Adobe Reader are separate programs. There’s a link in this post by BK that lets you see which version of Flash you’re running. I don’t run the Reader program anymore, but I believe you can see if you need to update it by clicking on the “Help” menu, then scrolling down to “check for Updates.”

    1. Joe

      Hay Slim, I musta subscribed to something Adobe because at times update box is waiting for me when pc boots up. I find it easiest to just uninstall adobe when they call for update, and then go to utube and download from there. Never got stuck with anything extra. U think thats ok, or am I missing something?

  6. PaulJ

    @slim jim “Maybe Adobe could provide an auto-update feature like Java has and GET WITH THE PROGRAM!”

    Wasn’t the new 10.3 Control Panel / System Preferences item supposed to be the auto-update mechanism? Sadly (but happily), the news from KrebsonSecurity was FASTER than the built-in Adobe mechanism….

Comments are closed.