February 11, 2010

Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in the ubiquitous Web browser plugin. Adobe also issued a security update for its Air software, a central component of several widely-used Web applications, such as Tweetdeck.

The Flash update brings the newest, patched version of Flash to v. 10.0.45.2, and applies to all supported platforms, including Windows, Mac and Linux installations. Visit this link to find out what version of Flash you have. The latest update is available from this link.

Windows users will need to apply this update twice if they use another browser in addition to Internet Explorer. Those users will need to visit the Flash Player Download Page and install the update once with IE, and a second time while visiting that link with Firefox or Opera (the non-IE installer is designed to update Mozilla-based browsers).
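Because a Windows machine ends up with two separate Flash installs (the ActiveX control for IE and the plugin for other browsers), each one has to be checked against the patched version on its own. The following is an added example, not code from Adobe or from this post: it parses version strings in either form Adobe's version-check page reports (comma-separated, e.g. "10,0,22,87", as readers note in the comments, or dot-separated) and flags each install that is below 10.0.45.2. The browser names and sample values are constructed.

```python
"""Check per-browser Flash Player version strings against the patched release.

Added example, not Adobe's or the post's own code. Assumes version strings
as shown by Adobe's version-check page, which may use commas ("10,0,22,87")
or dots ("10.0.45.2") as separators, possibly prefixed with "Version ".
"""
import re
from typing import Dict, Tuple

# Patched release named in the post: Flash Player 10.0.45.2.
PATCHED_VERSION = "10.0.45.2"

_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Flash version from a string, in either separator style.

    Surrounding text such as "Version " is ignored. A string with no version
    raises ValueError rather than silently comparing as 0.0.0.0.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """Return True when the installed version is at or above the patched one."""
    return parse_version(installed) >= parse_version(patched)


def audit(browser_versions: Dict[str, str]) -> Dict[str, bool]:
    """Map each browser's install to True (patched) or False (needs the update).

    Each browser is checked separately because the ActiveX control and the
    plugin are distinct installs, which is why the post says to run the
    installer twice on Windows.
    """
    return {name: is_patched(version) for name, version in browser_versions.items()}


# Constructed sample: the mismatch a reader would see after updating only one install.
SAMPLE = {
    "Internet Explorer (ActiveX)": "Version 10,0,22,87",
    "Firefox (plugin)": "Version 10,0,42,34",
    "Chrome (plugin)": "10.0.45.2",
}

if __name__ == "__main__":
    for browser, ok in audit(SAMPLE).items():
        print(f"{browser}: {'patched' if ok else 'NEEDS UPDATE'}")
```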

Note also that Adobe’s installer typically pre-checks some third party software — such as Google Toolbar or a trial of some anti-virus product — so if you don’t want these “extras,” make sure to uncheck that option before agreeing to install the update.

The security update for Air brings that software to version 1.5.3.1930, available here. More detail about the vulnerabilities fixed in this update is available from the Adobe advisory, which is here.

Adobe today also issued an advisory saying that users can expect another update bundle for its PDF Reader and Acrobat applications. The company said it plans to issue security updates for those programs next Tuesday, Feb. 16.

I was a little confused why Adobe was issuing these updates today, as Adobe said not long ago that it was moving to a quarterly update cycle, in which patches would be released in sync with Microsoft’s Patch Tuesday, the second Tuesday of the month. Figuring maybe Adobe was rushing out a fix to staunch the bleeding from a flaw that hackers were actively exploiting, I put the following questions to Adobe spokeswoman Wiebke Lips. Here was the gist of that e-mail Q&A:

BK: Can you tell me why these weren’t released on Tuesday? It would seem that this is out of sync with the quarterly schedule Adobe set up to coincide with MSFT’s Patch Tuesday.

WL: The quarterly update cycle is specific to Adobe Reader and Acrobat. (The last quarterly update for Adobe Reader and Acrobat was on January 12, 2010.) Other Adobe product teams work with Adobe’s Secure Software Engineering Team (ASSET) to deliver updates as appropriate—cycles may be different from the patch cycle for Adobe Reader and Acrobat. Today’s updates for Adobe Flash Player and BlazeDS were specifically scheduled to address vulnerabilities in Adobe Flash Player and BlazeDS.

The Flash Player vulnerability also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe decided to make this fix available as an out-of-cycle update.

BK: Is Adobe aware of attackers exploiting any of the vulnerabilities patched in this Flash/Air update, or attacking the vulnerabilities that Adobe plans to patch with the Reader/Acrobat patch next Tuesday?

WL: No on both updates.


36 thoughts on “Critical Security Update for Adobe Flash Player”

  1. Gabriel Goldberg

    Clicking the Download link in your post got me Version 10,0,22,87 in IE and Version 10,0,42,34 in Firefox. Does Adobe have its links bollixed? Maybe they haven’t updated the links to match what they’re telling us to install?

  2. Gabriel Goldberg

    Rebooting (not mentioned in your post or on the Adobe Web page or by the installer) got me Version 10.0.45.2 in IE but not in Firefox.

  3. Gabriel Goldberg

    Installing it in Chrome got me a dialogue box to save the installer. The installer told me to close Chrome and Firefox; when it finished, both browsers were at the right level. Interesting differences between the three browsers!

    1. JBV

      Adobe makes it even more confusing – they don’t list Chrome among the “other browsers.”

  4. AlphaMack

    It’s high time for Adobe to get with the program and give us a decent updating mechanism to get both versions of the Flash plugin, Shockwave (if anyone actually uses it), and AIR seamlessly up-to-date instead of making us wallow through their web site and dealing with the DLM and cr@pware madness (e.g. Norton Security Scam).

    Or Flash could just die a painful death…

    1. Pete

      I think you’ll find the browsers are going to get involved in that process too.

  5. Sterling

    Seriously, if I didn’t check your site on a regular basis I would not know of updates to Flash.

    Thanks KB!

    1. r_m_l

      You’ll find all Adobe security-related messages at http://www.adobe.com/support/security/. I check it daily (it’s my job).

      The reason BK is bookmarked is that Adobe is pretty opaque when it comes to WHY a release is critical. BK gives me needed and valuable background and context.

  6. Pete

    I’m surprised the browsers don’t sandbox the crap out of Adobe’s exploitware & then sue Adobe for damages to their reputation 😉 (A naked & up-to-date browser being pretty safe all in all)

  7. Cattleya

    Users of 64-bit IE8 will encounter a futile cycle (as I did on Win7 64bit Pro). From Brian’s page you will be asked if you want to install the updater, but it won’t install!
    Only from the main Adobe page will you get to
    http://kb2.adobe.com/cps/000/6b3af6c9.html which informs you (and me) that FlashPlayer does not currently function in IE8-64. Coming soon, it sez.

  8. TheGeezer

    An interesting side note:
    Just as Adobe released its update for flash player, the Zeus botnet is offering, today, free of course, a download of the most recent version of “Macromedia Flash Player”. Yes, really! Macromedia! You didn’t even know you still had it did you?! So if you’re dissatisfied with Adobe’s late response it was certainly faster than Zeus’ version update (they don’t indicate what the latest version is). I would recommend sticking with Adobe’s version as the Zeus version has features you may not want, like saving all your personal information offsite and recording your keystrokes… you know, just in case you forget what you typed. And these are not optional features.

  9. PJ

    If Adobe can manage flash cookies, then they should also create a user-managed blacklist for the program to block auto-run audio flash ads that are popping up everywhere.

  10. xAdmin

    Adobe needs to use opt-in for these third party software apps. Better yet, stop offering them to begin with.

    Second, to avoid the web install and the Download Manager (using IE), on http://get.adobe.com/flashplayer, I uncheck the third party software (ex. Google Toolbar), then click “Agree and install now”. The next page will prompt to run the Adobe DLM ActiveX control. Ignore it or cancel and scroll down to the bottom of the page where you’ll find, “Your download will start automatically. If it does not start, click here to download”, which goes to an exe installer (listed below).

    http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

  11. David Chasey

    Secunia PSI continues to say Adobe Flash is insecure AFTER I’VE INSTALLED AND REINSTALLED, and the version number is the number of the clean update.

    1. JCitizen

      For those using Secunia PSI, check the file path on the alert that shows you the vulnerability; you may find that the .ocx file is obsolete and can be removed manually.

      This is for older Flash versions, which the new Adobe installer does NOT support. So you will have to manually delete the .ocx file yourself using Windows Explorer.

  12. David Chasey

    Open Office, critical flaw, update, but it installs Java, which I dumped over a month ago. THUS, QUESTION: Will Open Office work if I dump Java? I need a cup of coffee!

  13. Keith Warner

    Confused much? The Adobe updater install that failed twice in December made the cut after all. After clicking ‘install’ in this morning’s pop-up I looked in Add&Rem and found activex 42.34 and plug-in .45.2. IE updated with ‘manage add-ons’, and Fx ‘about:plug-ins’ shows Shockwave Flash .45.

    C’mon guys, is it Flashplayer or Shockwave? I thought they were different.

  14. Zube

    Thanks for asking the question about Adobe and their so-called quarterly updates. I had wondered the same thing. Someone needs to write a BBspot article titled _Adobe Announces Monthly Quarterly Updates_ with a bit about how their board of directors have also decided to hold their annual meeting twice a year.

    Zube

    1. Stratocaster

      I would agree about the quarterly update thing. And it makes sense for the Acrobat/Reader fixes, since they were off-cycle and being exploited. But I would ask since the Flash update came out only ONE DAY after Black Tuesday, what did Adobe gain by taking the extra day to release that update?

  15. AlphaCentauri

    I first tried to update using a Seamonkey nightly build, since the instructions say to do it with each different browser you use. After wading through the Adobe site to get to the page with the download, the button to actually start the download did not function. I tried going through the diagnostic for people with other browsers and operating systems, but halfway through, the “next” button wouldn’t work for that, either. I expect the flashplayer update problem will be fixed by the Mozilla developers in an upcoming Seamonkey build.

    So I tried Firefox next, which is almost the same as the browser portion of Seamonkey. I made sure to uncheck the box that said, “Also install: Free McAfee® Security Scan Plus (optional).” When I then clicked to start the download, a yellow bar appeared at the top of FF, saying “Firefox prevented this site (get.adobe.com) from asking you to install software on your computer.” I naturally clicked to allow it to install. But the box that popped up from FF was not talking about the flashplayer update. It said,
    “You have asked to install the following item:
    Adobe DLM
    http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.xpi”
    I had no idea what that was. I clicked cancel and went back to the original page. I clicked the link you’re supposed to use when your download fails to start. That put the download on my desktop. I had to right click the icon and give it permission to run, but it then launched and installed successfully. When I checked with both FF and SM, each says I now have the current update, but SM doesn’t display the flash content on the Adobe website home page. IE8 shows it is running the old version of flashplayer and crashes if you try to update, as mentioned above.

    Anyone have any idea what Adobe DLM is? Is it necessary?

    1. JCitizen

      DLM = Download Load Manager

      or download launch manager, I can’t remember which.

      I prefer Free Download Manager to most other tools.

      But some times they leave you no choice. I believe DLM is what makes the auto updater service work.

    2. TheGeezer

      @Alpha I have DLM installed. As JCitizen said, it just allows Adobe to check if you are current with your Adobe software, but as I recall you are still given the option of whether you want to download/update the latest version. I’ve had no problem with it.

  16. Frank C

    As David Chasey reported, I too was troubled by Secunia PSI reporting Adobe Flash player down-level after I had updated it.

    The version test said that it was up to date:
    http://kb2.adobe.com/cps/155/tn_15507.html

    The solution from the Secunia forum:
    http://secunia.com/community/forum/thread/show/3472/adobe_flash_player_mismatch_10_0_vs_11_5

    was to use the Adobe Flash player un-installer:
    http://kb2.adobe.com/cps/141/tn_14157.html

    and then install it from the Adobe site:
    http://get.adobe.com/flashplayer/

    I thought all was well, but when I used Firefox and Internet Explorer to show a video I was prompted to install Flash Player. I did so and it worked!

    1. JCitizen

      The older uninstaller will not work for even older versions. Those have to be deleted manually. Just check the file path reported by Secunia PSI.

    2. JBV

      Thank you, Frank C, for some really helpful information. I had the same problem, but this solved it.

  17. JCitizen

    If you use Secunia PSI in advanced mode and you have legacy Adobe products, the GUI will list an individual uninstaller in the alert for that particular Adobe product; if not, then it is likely so old that there was never such a utility developed for it, hence the manual delete method.

    Just adding to what hasn’t already been said in this thread.

  18. MAG

    After reading this post, I immediately updated. However, I am getting ‘freezes’ when online (use Firefox) and several times I get a warning prompt via a pop-up window, i.e.:
    ___________________
    ADOBE FLASH PLAYER SECURITY

    The following local application on your computer or network: about: blank
    is trying to communicate with this Internet-enabled location: images.video.msn.com

    To let this application communicate with the Internet, click Settings. You must restart this application after changing your settings.

    (Two button options are at the bottom of the window. OK and Settings…)
    __________________

    I am not trying to view anything except straight news pages. I am leery of either clicking on OK or Settings… Not trying to access any video or similar. There is no way to get out of this situation except by hitting the restart button on the CPU. I cannot simply close Firefox. I cannot access Force Quit. Does this have something to do with the new version of Adobe Flashplayer? This problem wasn’t happening before.

    1. JCitizen

      I was having the same thing a few versions ago; it could have been Java, Flash Player, or the Adobe Reader plug-in, but updating Firefox cured the problem.

      Perhaps your updates are behind in general?

      Usually you can check the add-ons using the tools menu, that will tell you what plug-ins are working, and find updates for them – the add-on selection can show your extensions, and plug-ins for this.

    2. JCitizen

      Postscript – I forgot to mention, many newspaper sites require Apple QuickTime to view content on the newspaper site. This could also be the problem.

      I use QT on my favorite newspaper site, and it has an automatic updater now, if I’m remembering correctly.

      Secunia PSI or File Hippo update checker will remind you anyway, and provide the correct fix, with link.

      I don’t like QT’s reputation, but it isn’t any worse than Adobe, and it hasn’t been a problem at all.

    3. JCitizen

      PS again, if you don’t want Adobe content, just use Firefox with NoScript, or AdBlock Plus. If you are a Windows Internet Explorer fan, use SpywareBlaster from CNET or MVPS to block malicious ad servers.

      This will block any Flash content that could be dangerous to your computer. Turning scripting off can just get you in trouble with some newspaper sites, as they make revenue off ads and don’t like it when the browser is obviously blocking ad content. With the solutions I gave you, that won’t be a problem. And the legitimate ads can still get through, but you will hardly ever see one, because the ad companies refuse to clean up their act!! Oh well! – LOL!

  19. MAG

    To JCitizen: I always try to keep current on all updates. Firefox is latest version. And added all the Adobe updates as soon as I became aware of the alert from this blog. I have all app updates scheduled monthly. Unless I spot something earlier about a patch or upgrade, then I get to it immediately.

    One bit of advice that I read in the post on Acrobat Reader and Acrobat (Pro) was to disable JavaScript. This decision to try out lasted for about five minutes. I am a graphic designer (work on a Mac) and create, use, and view dozens of PDFs each day. Every time I opened a PDF document there was a ‘things may not display properly….’ So JavaScript came back on.

    Adblock Plus sounds like something I need to try.
    (This Flashplayer problem started AFTER my updates with Firefox & the other Adobe apps). Thanks for the response and ideas.

    1. JCitizen

      If I’m not mistaken, Foxit Reader is cross platform, but if I’m wrong, they have articles on TechRepublic that point to open source software that are good replacements for Adobe Reader.

      Many experts say you can disable java in Adobe Reader without any nagging alerts, but I just use Foxit, and I really like it better than Adobe.

      I was getting tired of all the constant security updates I had to put up with on Adobe products. Many folks are going to Gnash as a replacement for Adobe flash player. It is pretty much cross platform, but only works on XP for windows users. Drat! I’d like to get rid of Flash Player next!

      Gotta have it for news groups though!

  20. solitary traveler

    Shame on Adobe for underhanded tactics of even attempting installation of 3rd party software and being so secretive and manipulative about it. When will they ever learn?

  21. Sherry Prosser

    I purchased Adobe Flash Player and had to uninstall it as it behaved like a virus, taking over the execution of other software and creating blocks so that I could not initiate these softwares. Adobe has crashed my notebook once before and I am at a loss as to what to do about it, because I need that software on so many applications. Any advice?
