August 21, 2012

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least five six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.3.31.230 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 3.4.0.2540. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.


35 thoughts on “New Adobe Flash Player Update Fixes 6 Flaws

  1. Dirgster

    As always, thanks for keeping us safe out there, Brian!

  2. qka

    So I should be glad I didn’t go thru the hassle of the previous update? 😉

  3. Uzzi

    .oO(Someone else feeling Adobe’s flash is mutating more and more into scareware? (Auto-Update didn’t ring a bell…))

  4. JimV

    Filehippo flagged all three of them this morning when I booted up the office machines, so although it was a short cycle for Flash the AIR update had been in beta for awhile and I was sorta expecting it to show up soon. The update installations on all the machines were a bit tedious but no trouble otherwise, though I have noticed a couple of times later today that websites were convinced my Firefox browser wasn’t using the latest version of Flash their ads needed (which Ghostery, Adblock and a few other add-ons prevent anyway), and a popup header (which might be part of Firefox itself) kept trying to entice me to download and install the earlier version.

    I just clicked on its “X” and went on about my business, and it hasn’t reoccurred for the past few hours…

  5. sheen

    … just read this your post, need to update all on my network workstations manually, since they don’t have internet connection. Thanks Brian!

  6. rudy

    Thanks much for the speedy heads up on the latest Adobe flasher…
    appreciate it tc…

  7. bruce

    I wish Adobe would stop trying to sneak McAfee into their download without giving you a warning in advance. I get real tired of seeing both a download for Adobe and McAfee running simultaneously, so the only remedy is to abort.

  8. EJ

    In performing the updates for both FF and IE this morning, I noticed after updating that Secunia OSI (https://secunia.com/vulnerability_scanning/online/) still detected the vulnerable versions. In looking at the directories identified by OSI, sure enough the older vulnerable versions of both the .ocx and .dll files were still present – I manually deleted them out of C:\WINDOWS\SYSTEM32\Macromed\Flash directory. I’m wondering if those files themselves can be manipulated by a drive-by attack, or if the fact I’ve installed the newer version should negate the vulnerability?

    1. Brian Krebs

      Oh boy. Yeah, that’s not good. The installer should automagically remove the older version. I would imagine that yes an attacker could theoretically invoke the older components, but I don’t know the likelihood that such an exploit would work. I know it’s been shown to work against older versions of Java.

  9. Old School

    This morning I booted and did my beginning of day routine by going to my Windows 7 Admin authority account to check on the levels of my software. The Flash Player Settings Manager, Advanced option indicated that a new release was available. Since that action did not trigger the update function, I played a Youtube video in the event that using the player triggered a software level check. After the four minute video ran there was no message from Flash plus I checked the Flash Install Log (C:\Windows\System32\Macromed\Flash\FlashInstall.log) and there was no indication of an update. So I logged off my Admin account to begin my work day on my User account. I decided that the Admin account should be kept running so I logged back on to the Admin account and there was the Adobe Flash update panel waiting for me to reply. I proceeded with the update opting out of the additional update for the junkware. The Adobe update routine updated the plug-in version but did not update the ActiveX version. Here is the install log:
    =O====== M/11.4.402.265 2012-08-22+11-39-58.182 ========
    0000 [I] 00000010 “C:\Users\Home\AppData\Local\Temp\{236012BA-1FC2-413C-B800-83073322132D}\InstallFlashPlayer.exe” -install -skipARPEntry -iv 8 -au 4294967295
    0001 [I] 00000020 C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    0002 [W] 00001037 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin/ 2
    0003 [W] 00001036 Software\Mozilla\MaintenanceService\extensions/Plugins 2
    0004 [W] 00001036 Software\Opera Software/Last CommandLine 2
    0005 [W] 00001036 Software\Opera Software/Last CommandLine 2
    0006 [W] 00001036 Software\Opera Software/Plugin Path 2
    0007 [W] 00001036 Software\Opera Software/Plugin Path 2
    0008 [I] 00000014 C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll
    0009 [I] 00000015 C:\Windows\system32\Macromed\Flash\FlashUtil64_11_4_402_265_Plugin.exe
    0010 [I] 00000019 C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    0011 [I] 00000012
    =X====== M/11.4.402.265 2012-08-22+11-39-58.810 ========

    The Flash Player Settings Manager says the Plug-in is at the 11.4. level and the ActiveX is at the obsolete 11.3 level.

    Did anyone else have this problem? Did my fingers make a mistake, again?

    1. BrianKrebs Post author

      @OldSchool, Adobe’s new auto-updater should update both IE and non-IE versions of Flash, but it doesn’t sound like you waited for the auto-updater, which apparently can take several days depending on the settings you have in it.

      If you update manually, you will need to visit the update link with IE separately from the manual Flash install for Firefox/Opera.

      1. Old School

        @Brian: Thanks for the swift reply. I did not initiate any update process because I wanted to see how quickly the Adobe automatic update process would update my PC. I responded to the Adobe update box that was waiting on my Desktop image when I logged on to my Admin account for the second time. I was pleasantly surprised to see the Adobe Update box because I could now rely on Adobe to make the updates available in a timely fashion. You are absolutely correct when saying “Adobe’s new auto-updater should update both IE and non-IE versions of Flash” which is why I was trying to obtain other reader’s experiences. Either I made a mistake or the updater cannot detect multiple versions and do the update in one pass.

        1. PB

          In WinXP Pro SP3, when I use the Control Panel, Adobe Flash panel, Advanced tab to check for Flash updates, all that the check button appears to do is to open Internet Explorer to the Adobe web site page that displays the system’s current Flash installation version number for the running browser and that lists below this the current version numbers for various installation options. If I want to update from this point, apparently I have to do so using the “manual” process by navigating the usual Adobe web pages.

            1. PB

              Thank you particularly for the latter link! Somehow, I’d missed it or forgotten about it.

              With it, I’m back to manually downloading the full installers. Much preferred.

              P.S. I’m assuming these are still versions that do not including any McAfee nor other “promotion-ware”.

      2. jjjdavidson

        Brian, it appears that the “silent automatic” update only applies in some conditions, at least on Windows. Look at this discussion thread on the Adobe forums — http://forums.adobe.com/message/4487768 — and this feature request in the Adobe “bugbase” — https://bugbase.adobe.com/index.cfm?event=bug&id=3211239.

        It appears that automatic installation of quarterly updates (even security updates) may be delayed by as much as 30(!) days, particularly on workstations that are rarely rebooted.

  10. Kent England

    The real reason they issued another release this quickly is that someone botched the assembly of the last .msi installer for ActiveX. The .exe file updated Flash but the .msi installer just installed the old version, or flat-out failed, I don’t know which. Yes, the installer does remove earlier versions back to a certain point, at least it did up to this present release. Shockwave does not remove prior versions. Believe it or not, there are still web sites out there that demand to install Shockwave 10.4 in order to display their abandoned content.

  11. PB

    On Win32 XP Pro (SP3), both installer shims (IE and other browsers) as downloaded from …/getflashplayer/ without the McAfee troj^H^H^H^H… err, “utility”, throw Javascript errors upon attempting to download the full installers. I’ve attempted multiple times. The digitial signatures on the downloaded shims are ok.

    Separately, I’ve never once observed Adobe’s new-ish automatic updating feature to actually execute and update an installation.

    In the meantime, they seem to have abandoned the links I used previously to that provided access to direct downloads of the full installation programs (as opposed to the shims). Way to improve function and usability, Adobe, particularly for those who have to provide support to end users.

    Altogether, I must say that I find the Adobe Flash experience to be as crap as ever. If they think they’ve been improving, they seriously need to raise their standards.

    P.S. Brian, this page including this comment form was delivered HTTPS, but when I attempt to submit the form, I get an alert (per the browser settings on this machine) that the submission will occur via HTTP.

    1. PB

      Whoops. I meant as downloaded from get…./flashplayer/, i.e. the usual Adobe URL.

    2. BrianKrebs Post author

      Not sure why so many people are reading this site in https://. I bought that cert to secure my login for when I remotely administer the site. There is a reader-facing plugin (the voting plugin) that doesn’t play nice with https, hence the warning when you try to submit form data over https. I’m trying to get the developer to address this, but in the meantime there’s nothing wrong with viewing this site or any of its content in plain old http. If you have my site bookmarked as https://, one way to avoid these alerts in the future is to change that to http. Thanks.

      1. Andrew Z

        The Firefox extention HTTPS-Everywhere will force https:// if a valid cert’ is present. That may account for some of it

    3. PB

      I rebooted the WinXP Pro SP3 machine and tried the installation shims again. I’ve learned to make copies of them before running them, as they delete themselves while running.

      After this reboot, the same shims (both the IE and the other browsers versions) ran and initiated the full installations without error. Go figure.

      Brian: With respect to the HTTPS access, I pulled up the URL for your site from Firefox’s… “Awesome Bar”, I think they are still calling the enhanced address bar. For some reason, the URL that was found was an HTTPS version (https://krebsonsecurity.com/), and I didn’t notice this. I don’t normally view your site via HTTPS, so I’m not sure why my Awesome Bar database/history has it with that protocol.

      Once I was submitting the form, I wondered a bit but speculated you might possibly be in the course of switching the site to HTTPS. Since what I was submitting was not sensitive (I’ve not heard of Adobe sending out goons to rough up the masses), I went ahead and clicked through the alert to submit my comment.

      1. PB

        Brian: As long as I have your attention, did you ever hear of any sort of story or explanation for Adobe’s killing off (Adobe’s FTP access) and abandoning (under the macromedia.com domain) the direct downloads of the full installation programs for Flash Player?

        I can speculate fairly well on this, but was it ever acknowledged or explained?

        1. PB

          Never mind. Commenter Old School provides a working link to direct downloads, in another comment.

  12. Sterling

    I wish Adobe would push out new Flash versions as soon as it hits servers.

    The last auto-update went well, but now I just checked and I’m using the old version of Flash.

    Time for a manual update I guess.

    Thanks BK!

  13. Karen

    Thanks for the links to what flash player is installed.

    You’re providing consumers a fighting chance when dealing with the “jolly ‘green’ giants.”

  14. Charlie

    Any idea what Adobe AIR does, or if I need it? Checking as you directed, it appears to have been installed on my Mac when I bought it new from Apple, and has never been updated since then. Can I safely uninstall or disable it instead of upgrading it? This is the first I’ve heard of it.

    1. BrianKrebs Post author

      Charlie, it probably got downloaded when you grabbed an application that requires it to run, such as Tweetdeck or Pandora. My guess is that it’s one of those two, but if you don’t remember what app you installed it with, it’s the one that stops working after you uninstall AIR 🙂

  15. Charles

    Just wondering what happened to the RSS feed for this incredibly useful site. BTW, the last time I checked, the Flash player update was version 11.3.300.271.

      1. Charles

        Brian,

        Thanks for the reply. I was able to read the feed on the website you indicated, but it had not showing up recently in my Yahoo RSS reader. I tried “re-subscribing”, and it seems to be working there now.

      2. Charles

        The KrebsOnSecurity RSS feed has quit working again on My Yahoo page (“There is currently no content in this feed.”); trying to re-add it produces an error message. I’m sure that this is Yahoo’s problem, but I’m noting it because others may be encountering the same issue. (My other RSS feeds are working on Yahoo.)

        The feed is available at http://krebsonsecurity.com/feed/.

        Thanks.

          1. Charles

            Result: “Please enter a valid URL and try again.” Same thing now without the “s”. Tried to subscribe directly from http://krebsonsecurity.com/feed/, and received popup message on Yahoo page saying “There were some problems while loading your page: Sorry, we were unable to add this feed. Please try again later.”

            No problem subscribing via Firefox’s Live Bookmarks, so the issue seems to be with (My) Yahoo.

Comments are closed.