August 10, 2011

Adobe has shipped patches to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.

Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier  update to Adobe Shockwave Player 11.6.1.629.

I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.

To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

 


14 thoughts on “Updates for Adobe Flash, Shockwave, AIR

  1. William

    Is the current version of Flash 10.3.185.5 or 10.3.183.5? The latter number is what appears on Adobe’s version information page.

    1. BrianKrebs Post author

      The first edition of this blog post that got pushed out initially had the version numbers transposed; that should be corrected now. Thanks.

  2. qka

    And I just installed the last Flash update over the weekend!!

    At least deleting Flash completely from one of my systems makes life a little easier.

  3. Bill Long

    Lately I’ve been updating Flash through Secunia PSI.
    Seems to be working ok. But what do I know.
    I mostly use Chrome which updates itself but PSI shows
    two versions of Flash – Active X, which I assume is IE, and
    NPAPI, which I assume is FF.
    Is this a bad thing ?

    1. timeless

      You’re doing nothing wrong. NPAPI covers Firefox, Opera, Safari, and technically Chrome (but because Chrome bundles its own version of Flash, it doesn’t count in this case).

      Hopefully someday Adobe will fix their NPAPI installer so that it works even if it spots a Firefox instance running, after they do that, they could probably roll out a single installer which installs both the ActiveX and NPAPI plugins so that we could only download and run a single escalating installer instead of two.

      Yes, there are people who only want to install one or the other plugin, and yes, some people have limited bandwidth, but the reality is that if you’re on Windows and you normally don’t use IE, and you accidentally use it and have an old version of Flash, you could be *very* sorry. And similarly, if you don’t normally use Firefox and someone runs it (or installs and then runs it) and your version of Flash isn’t special enough to be blocked by Firefox, you could also be *very* sorry.

      WRT not using Flash, I’d suggest manually disabling it in browsers you use instead of simply not installing it. It’s relatively easy to accidentally have Flash installed, but your browser should do a reasonable job of remembering that you told it to disable the Flash Plug-in.

    1. TJ

      I love Tavis Ormandy’s Twitter response to Adobe’s spokeswoman:

      “I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

      Classic!

    2. Clyde

      Wiebke Lips (Haha, sorry, just gotta chuckle at that) or some other Adobe shill must be the one that Disliked your post.

  4. Bart

    Thanks especially for that last paragraph, Brian.

    I was a little confused by the animation. It was not moving, and consisted of five diagonal lines superimposed over some tiny, impossible to read text. There was no prompt to install, but there was a tiny download button at the top of the page.

    Do I have Shockwave on my Mac?

  5. martin

    I gave up and uninstalled Flash and Shockwave. I do however have Chrome so I still can visit sites with flash. I truly hated managing the adobe software updates for all my browsers.

  6. whudiz

    Brian, the flash version on my droid now says 10.3.186.3. You mentioned that the latest version for Android should be 10.3.186.2, or did I miss something.

  7. anonymous A

    “Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice”

    Is this true? I don’t think I have Flash installed in IE at all, so I only update once, for Firefox. Is there a Windows need for me to have Flash in IE?

Comments are closed.