November 6, 2012

Adobe has released a critical security update for its Flash Player and Adobe AIR software that fixes at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems.

Today’s update, part of Adobe’s regularly scheduled patch cycle for Flash, brings Flash Player to version 11.5.502.110 on Windows and Mac systems (other OS users see graphic below). Adobe urges users to grab the latest updates from its Flash Player Download Center, but that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page. Most users can find out what version of Flash they have installed by visiting this link.

The Flash Player installed with Google Chrome should soon be automatically updated to the latest Google Chrome version, which will include Flash Player 11.5.31.2 for Windows, Macintosh and Linux. Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site, or wait for the browser to auto-update the plugin.

Adobe’s advisory about this update is available here, including links to update AIR if you have that installed. An Adobe spokesperson said the company is not aware of any active attacks or exploits in the wild for any of the issues patched in this release. Nevertheless, it’s a bad idea to delay Flash updates; the software’s ubiquity makes it a primary target of malware and miscreants alike.
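An added example (not code from the article or from Adobe) of the kind of check this release calls for: it parses Flash's version string in either the comma form the "about" page reports ("11,5,502,110") or the dotted form the advisory uses, and compares each of the separate Windows installs (the ActiveX build for IE, the NPAPI plugin for other browsers, and Chrome's bundled build) against the fixed versions given above. The product labels and the sample inventory are assumptions made for the example.

```python
# Added example: patch-status check for the Flash Player builds listed above.
# Adobe's "about" page reports "11,5,502,110"; advisories use "11.5.502.110".
from typing import Dict, List, Optional, Tuple

# Fixed versions stated in the article (6 Nov 2012 release). Windows users
# with IE plus another browser have two separate installs, checked separately.
# The product labels below are this example's own naming, not Adobe's.
FIXED_VERSIONS = {
    "activex": (11, 5, 502, 110),   # Flash Player for Internet Explorer
    "npapi":   (11, 5, 502, 110),   # plugin for Firefox, Safari, Opera
    "chrome":  (11, 5, 31, 2),      # Flash bundled with Google Chrome
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11,5,502,110' or '11.5.502.110' into a comparable tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed version."""
    return parse_version(installed) >= FIXED_VERSIONS[product]


def outdated_installs(inventory: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (product, version) pairs that still need the update.

    `inventory` maps product -> version string as the browser reports it,
    or None when that build is not installed at all (nothing to patch).
    """
    missing = []
    for product, version in inventory.items():
        if version is not None and not is_patched(product, version):
            missing.append((product, version))
    return missing


if __name__ == "__main__":
    # Constructed sample: a Windows box where only IE was updated so far.
    sample = {
        "activex": "11,5,502,110",   # updated through IE
        "npapi": "11,4,402,287",     # Firefox plugin still on the old build
        "chrome": None,              # Chrome not installed
    }
    for product, version in outdated_installs(sample):
        print(f"{product}: {version} is below the fixed version")
```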


13 thoughts on “Adobe Ships Election Day Security Update for Flash”

  1. Neil Schwartzman

    You know what’s really nice? I’ve got auto-update set for Flash, and when I check my prefs, it notes that Plug-in version 11.4.402.287 is installed. However, asking for a manual update comes back empty.

  2. Old School

    As of 2:00 PM CST the Flash Auto Update program has done nothing. BTW, I used Flash for over an hour this morning so if Flash Player has a release check function, it was given ample opportunity to update. Another commenter had mentioned using Firefox Plugin Check ( https://www.mozilla.org/en-US/plugincheck/ ) which correctly identified the obsolete Flash plugin. Clicking on Plugin Check’s Action button took me to https://get.adobe.com/flashplayer/ , the page that also installs McAfee Security Scan Plus by default. I avoided that bullet by going to http://www.adobe.com/products/flashplayer/distribution3.html and downloading the EXE for the Firefox plugin. The following system works:
    Current Flash Player version for all OS
    https://www.adobe.com/software/flash/about/
    Flash Player downloads for all OS
    http://www.adobe.com/products/flashplayer/distribution3.html
    My OS is Windows 7. The Flash Player ran in a User account.

    1. JimboC

      Hi OldSchool,

      The updater of Adobe Flash has a known issue that it does not auto update you in 24 hours when a version update has also been released with the security update.

      As Adobe explained in the following forum post, since this update to Flash Player is a version upgrade i.e. 11.4 to 11.5, the update will be delivered within 7 days. This update is also a security update.

      http://forums.adobe.com/message/4827339

      I simply downloaded the update from:

      http://www.adobe.com/products/flashplayer/distribution3.html

      and updated manually. I don’t consider waiting up to 7 days an appropriate course of action.

      The current update mechanism can be a little confusing since I would expect a security update to be installed within 24 hours. The current update process is explained/clarified in the forum thread linked to below:

      http://forums.adobe.com/message/4483381#4483381

      Adobe used to have a bug report open for this:

      https://bugbase.adobe.com/index.cfm?event=bug&id=3211239

      but it is now closed. An unverified related bug report is the following:

      https://bugbase.adobe.com/index.cfm?event=bug&id=3329868

      While many users including myself voted for the first bug report mentioned above, Adobe did not change how the update mechanism worked i.e. an update within 24 hours if it is a security update and regardless if it is also a version number upgrade e.g. 11.4 to 11.5. It seems their intended functionality is for a 24 hour update only when the version number does not change (as mentioned above) and the update is a security update. I have seen this method successfully work on my PCs.

      Today, I have already manually updated all of my PCs.

      I really can’t see this behaviour changing. My only advice is to check this blog regularly to be notified about such updates and act as necessary. You can also check the following Adobe security blogs if you wish:

      http://blogs.adobe.com/psirt/
      http://blogs.adobe.com/asset/

      I hope this helps. Thank you.

  3. Harry Johnston

    Does anyone understand why there is an update for Adobe AIR as well as for Flash Player? Does AIR contain an embedded Flash Player of some kind? What risks are involved if you update Flash Player but not AIR – what sort of attack vectors might we be looking at?

    1. JimboC

      Hi Harry,

      Yes, Adobe AIR (Adobe Integrated Runtime) contains Flash Player 11 (hence the word Integrated) and thus is vulnerable to the same issues as Flash Player itself. All 7 CVEs (i.e. vulnerabilities) mentioned in the Adobe Security Bulletin APS12-24 also affect AIR.

      Attack vectors for AIR would be via any application that uses AIR e.g. some e-reader software uses it, older versions of TweetDeck used AIR, the old EA Download Manager used it too and many other applications do too. Any content that these applications parse or download could potentially exploit these flaws, most likely by downloading and running a specifically crafted Flash file (.swf (Flash animation) or .flv (Flash Video)).

      Since the Flash update is a Priority 1 by Adobe standards i.e. it should be deployed within 72 hours of release and is at higher risk of being exploited in the wild:

      Please see the following link for more information:

      http://www.adobe.com/support/security/severity_ratings.html

      My advice would be to update AIR right now. It is very simple, visit:

      http://get.adobe.com/air/

      Click Download. Scan the file with your anti-virus software and then run it. It will detect your existing version of Adobe AIR and ask you if you want to update. Click “Yes” and you are now updated.

      I hope this helps. Thank you.

      1. Harry Johnston

        It’s very simple to update AIR if you only look after your own machine. If you’re looking after lots of other people’s machines, and particularly other people’s laptops, not so much. 🙁

        (Annoyingly enough, I was busy installing 3.4.0.2710, about half-way through the list, when 3.5.0.600 was released. It’s hard enough to get people to bring their laptops in once, never mind two weeks in a row.)

        In our case, the only AIR-based software we run is Adobe CS. I *think* that’s *relatively* low risk, an attacker would need to get the victim to open a malicious file, or to be able to inject malicious content into Adobe’s help pages. So I think I’ll wait until next week, when the MS updates will also be ready, before calling in the laptops again.

        Thanks for the clarification, though.

  4. GeorgeG

    “Adobe urges users to grab the latest updates from its Flash Player Download Center, but that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page. ”

    Even going to the Distribution page I had to uncheck the McAfee installation

  5. GrayAnalyst

    Question regarding “Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser.” I use both Firefox and IE.

    Secunia PSI flagged three patches (Adobe AIR 3.x, Adobe Flash Player 11.x (ActiveX), Adobe Flash Player 11.x (NPAPI)) and I installed them via Secunia. While in Firefox I used the link above to test the Flash Player version which was 11,5,502,110. I repeated the test in IE and got the same version. I only installed each Flash Player program once. Do the 2 Flash Player programs account for the 2 browsers or am I missing something?

    1. JimboC

      Hi GrayAnalyst,

      No, you are not missing something. Firefox, Safari and Opera require the plugin version of Flash while IE needs the ActiveX version of Flash.

      This accounts for the 2 versions. As you correctly point out they must be updated separately.

      It can be a bit of a pain to keep them both updated but it is good practice to keep your plugins up to date.

      The auto-updater of Flash does help but as I explain above, for version updates it takes longer for the auto-updater to work correctly.

      I hope this helps. Thank you.

    2. Brian Krebs

      Hard to tell without knowing which version of Secunia you’re using. Secunia PSI 3.x auto-installs your updates.

    3. BoonD0x

      “Secunia PSI flagged three patches (Adobe AIR 3.x, Adobe Flash Player 11.x (ActiveX), Adobe Flash Player 11.x (NPAPI)) and I installed them via Secunia.”

      The ActiveX install updated IE. The NPAPI install updated Firefox.

      You also probably use a product that runs with Adobe AIR, (e.g. twhirl or TweetDeck). This accounts for Secunia flagging Adobe AIR 3.x for you.
