Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.
In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google — was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.
Adobe is urging users of Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh, Linux and Solaris to update to Adobe Flash Player 188.8.131.52. Users of Adobe Flash Player 184.108.40.206 and earlier versions on Android 4.x devices should update to Adobe Flash Player 220.127.116.11. Users of Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and earlier versions should update to Flash Player 22.214.171.124.
To find out what version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted. Thankfully, Adobe no longer appears to make you first install its annoying Download Manager to grab the latest Flash version, or at least it didn’t when I fetched the update today.
Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome users should already have this update, as Chrome auto-installs Flash updates – often hours or days before the fixes are publicly released for download.
No mention of a separate Flash player update for IE8 (ActiveX). Is there one this time? My IE8 still shows 126.96.36.199 running there following my update installation via Firefox.
Adobe hasn’t gotten rid of their download manager exactly, just provided it in a different form — the download from Adobe through that link above is simply a 750 Kb stub installer. After it initializes, it will download the full 7+Mb file required for the complete installation of whichever flavor (IE vs. other browser) was selected.
Here’s a link to a thread from mid-January on Adobe’s forums with the explicit direct-download links for all the different browser flavors and OS options:
A good while ago Adobe announced they were going to release all this stuff on Black Tuesday when Microsoft released their monthly scheduled updates to help avoid user confusion and extra work for IT types. Why couldn’t they have done this yesterday along with the Shockwave security update? Do we need to send them more Red Bull?
Hi. I was wondering if the patched security holes include what was briefly reported as 0-days sometime in December 2011?
The company which found them refused to tell Adobe about them without being paid a fee.
Since Secunia rated those flaws as “critical”, for the last 2 months I have been forced to keep Flash disabled at all times, unless it’s really necessary.
Mr. Brian, do you have any information on this?
It’s worth remembering that Flash has to be installed separately for each browser instance on your machine. Adobe’s successful confirmation of the update can be very misleading. If, for example:
– Firefox is your browser of choice and what you use all day.
– I.E. is your default browser for whatever reason (primarily work-related and possibly enforced by Group Policy).
– You update Flash for Firefox and the update succeeds.
– The install routine culminates in launching the default browser (as above I.E.) stating that the update was successful and you are running the latest version.
This is wrong and misleading. Flash for I.E. will have to be updated separately!
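One way to avoid the trap described in the comment above (and the double-update the post itself mentions for Windows users with more than one browser) is to check the installed files directly instead of trusting the confirmation page that opens in the default browser. The following PowerShell script is an added example, not code from the post or from Adobe. It assumes Flash’s default install folders under %SystemRoot%\System32\Macromed\Flash (and %SystemRoot%\SysWOW64\Macromed\Flash on 64-bit Windows), the standard file names Flash*.ocx for the Internet Explorer ActiveX control and NPSWF*.dll for the NPAPI plugin used by Firefox and other browsers, and PowerShell 3.0 or later. The patched version is passed in from Adobe’s advisory rather than hard-coded.

```powershell
# Added example: report every Flash Player binary per browser flavor and flag those
# still below the version named in Adobe's advisory. Assumes the default install
# folders and file names noted below (assumption, not taken from the post).
param(
    [Parameter(Mandatory = $true)]
    [version]$PatchedVersion   # the "update to" version from Adobe's advisory
)

# Default Flash install folders (32-bit and, on 64-bit Windows, the WOW64 copy).
$roots = @("$env:SystemRoot\System32\Macromed\Flash",
           "$env:SystemRoot\SysWOW64\Macromed\Flash") |
         Where-Object { Test-Path $_ }

# Which browser loads which file (assumption: Adobe's standard file naming).
$flavors = @(
    @{ Browser = 'Internet Explorer (ActiveX)';    Filter = 'Flash*.ocx' },
    @{ Browser = 'Firefox/other (NPAPI plugin)';  Filter = 'NPSWF*.dll' }
)

$results = foreach ($root in $roots) {
    foreach ($f in $flavors) {
        Get-ChildItem -Path $root -Filter $f.Filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Build the version from the numeric parts of the file's version
                # resource; this avoids parsing Adobe's comma-separated version string.
                $vi = $_.VersionInfo
                $installed = New-Object System.Version(
                    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                if ($installed -ge $PatchedVersion) { $status = 'patched' }
                else                                 { $status = 'NEEDS UPDATE' }
                [PSCustomObject]@{
                    Browser   = $f.Browser
                    Installed = $installed
                    Status    = $status
                    Path      = $_.FullName
                }
            }
    }
}

if (-not $results) {
    Write-Host "No Flash Player binaries found in the default install folders."
} else {
    $results | Sort-Object Browser, Path | Format-Table Browser, Installed, Status, Path -AutoSize
    $stale = @($results | Where-Object { $_.Status -ne 'patched' })
    if ($stale.Count -gt 0) {
        Write-Warning ("{0} Flash binary/binaries still below {1}; each browser flavor must be updated separately." -f $stale.Count, $PatchedVersion)
    }
}
```

Run it as `.\Check-FlashVersions.ps1 -PatchedVersion <version from the advisory>` (the file name is a placeholder). Each flavor is reported on its own line, so an up-to-date NPAPI plugin never masks a stale ActiveX control. The script only looks at Adobe’s standalone installs; Chrome’s bundled copy of Flash, which the post notes updates itself, lives in Chrome’s own directory and is not covered.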
Thanks, Tim. I usually include this information in my Flash stories, but somehow forgot this time. I’ve added a sentence to that end in the blog post above.
Hello, Mr. Krebs.
I have been posting about this on 2 other forums, but no one has any info. Here is the link to the Secunia advisory:
Hrm. Sid, I don’t think that Secunia advisory is related to this 0day. The CVEs in that Secunia write-up are cve-2011-4693 and cve-2011-4694 — the one above is CVE-2012-0767.
Ok. I did not observe that. But the point is, there may still be 0-days lurking for Flash Player as Adobe is determined not to pay the “fee” to access what Intevydis has found out.
A “bad guy” may also “purchase” it from them & use it for their nefarious activities. Since the CVEs listed by Secunia DO NOT specify anything [“Unspecified Vulnerability” in both cases], I was only wondering if above CVEs actually fix the CVEs which list “unspecified” risks in Flash Player.
But, it now seems that it may be impossible to know this, till Adobe & Intevydis agree to collaborate.
In summary, there may be positives & negatives in the stances taken by Intevydis [by charging fees for their “hard work”] and Adobe [by not “purchasing”] – but at the end, the end-user suffers.
Mr. Krebs, just imagine if all security research companies decide to be like Intevydis & affected product’s vendor also shows no interest, we may soon be running lots of vulnerable software which can be exploited by the “bad guys”.
For now, it seems I have to continue “using” Flash in disabled mode & only enable it on trusted sites and/or when absolutely essential.
Brian, or anyone else still trying the Adobe sandboxed flashplayer beta version: Take a look at your flash player version in IE and see if the version 11.202… beta version is running. I found the sandboxed flashplayer overrides the regular version but I doubt very much if IE sandboxes it. BTW removing the sandboxed beta version requires the special uninstaller; the normal one doesn’t kill it.
I find the Flash Update v. 188.8.131.52 does not support Vista OS 64-bit version…
so, we 64-bit users remain vulnerable with v. 184.108.40.206 ??
this is not good.
What is with Adobe not supporting XP and Vista 64-bit OS ??
Try this page:
It has the 64-bit installers. 🙂
I am running XP Pro SP3 32 bit and FF 3.6.26 with Flash 220.127.116.11. Adobe download center continually wants to give me 10.3.183.15 instead of 18.104.22.168. Does anyone know what’s up with that? The dist3 listed above shows both but doesn’t explain.
Did you uninstall the old version before trying to upgrade to this one? That might be the best way to handle it.
Thanks Brian, Adobe has certainly got this messed up. After using the uninstaller to remove the Flash, their site http://www.adobe.com/products/flash/about/ confirmed but wanted to give me 22.214.171.124 so I linked to the download center at http://get.adobe.com/flashplayer/, it still wanted to give me 10.3.183.15. I ended up downloading 126.96.36.199 from dist3 as above http://www.adobe.com/products/flashplayer/distribution3.html and all is well. I suppose all options to disallow flash cookies, sound, camera etc. need to be reset.
For Mac OSX users who haven’t upgraded to Lion or Snow Leopard, Flash version 11 doesn’t work with older systems. But Adobe has released a recent upgrade to version 10 — it’s 10,3,183,15.