May 4, 2012

Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.

Nevertheless, there are updates available for Flash Player versions designed for all operating systems that Adobe supports, including Mac, Linux and Android devices.

Adobe is urging users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Windows users of Flash Player 11.2.x who have selected the silent update option will receive the update automatically. Flash Player installed with Google Chrome is updated automatically, so no user action should be required for Chrome users. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9.

To find out if you have Flash installed, or which version is on your system, visit this link. If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Updates are available via the Adobe Flash Player Download Center. Direct links to the OS-specific downloads are here.


24 thoughts on “Critical Flash Update Fixes Zero-day Flaw

  1. Sterling

    I just checked the Flash site and it says that IE9 is still using the old version. I wonder how long it takes for the auto-date to trigger a check with the Adobe server?

    Chrome (beta), the other browser I use, already has the latest Flash.

    1. JimV

      Should have noted that the 8.4 Mb 64-bit installer files also include the 3.9 Mb 32-bit versions and should detect the OS flavor, so if you have several machines of both flavors you’ll only need to download the 64-bit versions.

  2. SFdude

    FF 11 , XP Pro 32 bit, here.

    My current FF Flash plugin version:
    11.2.202.228
    with option:
    [ X ] “Notify me when there is an update”.

    (I never got notified, but that’s another story…).

    So…
    I d/l the “new” FF plugin v. 11.2.202.235,
    directly from
    the Adobe Flash Player Download Center:
    http://get.adobe.com/flashplayer/

    UNchecking the option to install MacAfee’s crapware.

    Before installing of course,
    I first run the d/l .EXE file from Adobe
    through VIRUS TOTAL.

    Comodo AV sez:
    TrojWare.Win32.Trojan.Agent.Gen

    Here’s the direct link
    to the VIRUS TOTAL report:
    http://goo.gl/8KxGg

    So, I did not install it yet.

    What are the next steps?
    Any reliable source, method of updating?

    1. SFdude

      Quick positive follow-up
      to my long post (above):

      Virus Total reported zero problems,
      and the EXE updated just fine
      in FF11 32 bit, XP.

      See last paragraph in Brian’s post:
      “Direct links to the OS-specific downloads are _here_”.

      So, page to go for “clean” Flash update is:

      http://adobe.com/products/flashplayer/distribution3.html

      Thanks for the good link, Brian.
      This worked!

  3. Jay Wocky

    When it first became an option, I chose “notify-only” for future flash updates (I decided against fully-automatic updating). Since then, there have been, I believe, three flash updates. I received notification of not one of them. I found out about the updates as I always had: via Brian’s emails and blog.

    Does anyone actually receive notification-only of these updates? If so, how are the notifications transmitted? From my own experience, I have no idea.

      1. uzzi

        And that tells us:

        It still easier for a camel to go through the eye of a needle than for Adobe to perform an update check in time.

        .oO Interestingly still neither Adobe’s Flash Player site nor Flash Player Settings Manager start the update check… and Flash Player start doesn’t either. 🙁

      2. Bikebrains

        I had no luck with the Flash Player automatic update even after a 24 hour wait. I have been forced to go back to the old school routine of running through a daily, post boot up checklist which includes going to http://www.adobe.com/software/flash/about/ . @KrebsCommunity: Please forward any luck/ no luck stories about the Automatic Update saga.

        1. Seymour Butz

          I’m not sure about the new update method introduced in .233, but the older method only checked for updates once a week. If the update check, which only runs after rebooting a system, ran and detected that it had been run within the past week it immediately quit. I’m guessing Adobe didn’t want the millions of Flash installations hitting their server every time they reboot (and since we’re talking Windows, mostly in the hands of neophytes, that check could happen a lot).

          Given how fast .233 moved to .235 silently and automatically on all my systems (by Saturday morning they’d auto-updated w/o any prompting), I’m guessing that the new method checks more often… or I could’ve been lucky and caught it on whatever cutoff day was for checking.

  4. emv x man

    Another day, another critical Flash update… and people thought Apple were remiss for not including Flash on iPads.
    Before I get shot down – I’m platform agnostic… but when it comes to advising non-techie older family members of the best way of getting online to deal with finances I’m not so agnostic.
    And am I alone in not trusting Adobe just to update Flash if I go for the auto update?

  5. TJ

    I just experienced two disappointments related to this Flash update. I use the Ninite installer to update Flash Player (plug-in and IE) and all my browsers. After reading Brian’s story, I ran the Ninite installer and it successfully updated Flash, but only the non-IE plug-in version. I thought Flash may have updated itself, so I followed the link Brian provided – the IE version was still on 11.2.202.233.

    Second disappointment: I ran Secunia PSI 2.0 and it returned the following:

    CONGRATULATIONS!

    You have a perfect Secunia System Score of 100%, meaning that you have proactively secured your PC by successfully installing all missing security patches currently available for it!

  6. Nic

    What specific sites do you guys use Flash for?

    I don’t have Flash installed and can’t think of anything I’m missing.

    1. xAdmin

      Weather maps and videos: Intellicast, Weather Channel, http://www.alabamawx.com, etc.
      News videos: CNN, Fox News, etc.
      Sports clips: NFL, NHL, ESPN, etc.
      Movie trailers: IMDB, Rotten Tomatoes, Moviefone, etc.
      Speedtest.net
      Youtube

      You get the idea! 🙂

      1. Nic

        Half of those sites are available without flash 🙂

        How does krebs use it?

  7. Bob

    I just updated Adobe Flash and Flash Active x to version 11.2.202.235 form Brian’s Adobe download link. After the install, my Revo Unstaller Program recognizes both as being installed.

    Adobe’s site check also recognizes them both as installed.

    However, Secunia no longer shows either, but instead shows Adobe GetPlus DLM 1.x and Adobe GetPlus DLM Active X Control 1…..x.

    Can anyone clue me in to what is going on?

  8. Bob

    Brian Thanks for the response and the links. Actually, both 11.2.202.235 versions of Flash are in fact installed and working. I found some dialog on a Secunia form this evening that cites others having the same problem. A moderator seems to think the problem could be that Secunia PSI is not recognizing the Flash programs for some reason. He has forwarded the discussion to the tech group at Secunia.

    If that is the case, something changed as a result of the download because Secunia was displaying them both versions before I updated Flash. I will take a wait and see position for a couple of days to see if it is an issue Secunia needs to address. If they do not clear it up I will try your suggestion to use the links to uninstall and reinstall and see if that solves the problem of Secunia recognizing Flash.

    I will post again if I learn anything that might be helpful to others. Thanks again for your help and concern. I check your site everyday.

  9. Bob

    Brian, as of 7 PM this evening a re-scan with Secunia PSI now recognizes both 11.2.202.235 versions of Flash. Apparently, the fact that it was not recognizing them yesterday was an issue with Secunia PSI, which they have now addressed as stated yesterday.

    The Secunia scan is also showing the two Download Manager programs (GetPlus DLM’s) version 1.6.2.91 and cites them as patched – Up to date. Do these represent a vulnerability? And should try to delete them?

  10. Mr. C.F. van Egmond

    I do not seem to hear tapes which are sent even though I have
    Google Chrome and supposed to have the Adobe Flash Player
    I am at a loss why I cannot HEAR through my HEADSET
    i AM FROM 1930 AND NOT COMPUTER WISE
    pLEASE HELP

    1. Bob

      Make sure you do not have the “Mute” button set on whatever program or device you are using to listen. I have done that several times over the years.

      Sometimes its as simple as that.

Comments are closed.