September Adobe Flash update patches critical vulnerabilities

Adobe has just released an update (APSB11-26) to its ubiquitous Flash software, revving it to version 10.3.183.10 for Windows, Mac, Solaris and Linux, and to version 10.3.186.7 for Android.

Today's release fixes six vulnerabilities in Flash Player, one of which was being used in targeted attacks (CVE-2011-2444). This bug is a cross-site scripting flaw that could allow malicious web pages to take actions on behalf of the logged-in user.

Adobe has rated this update as Critical. SophosLabs has assigned it a High rating.

SophosLabs has yet to see any samples in the wild, and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.

Windows, Mac, Solaris and Linux users can download the latest Flash player from http://get.adobe.com/flashplayer.

Do watch out though. If adding the bloat of Flash to your browsing experience isn't enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.

Adobe Flash Player download page

You can untick the box before downloading if you don't want these options.

Maybe that's why Apple won't support Flash on iDevices. No portable versions of Google Toolbar or McAfee?

Android users can download the latest Flash Player from the Android Marketplace, and Google Chrome users were automatically updated on September 20, 2011 with protection against these flaws.


4 Responses to September Adobe Flash update patches critical vulnerabilities

  1. Alex Van Schuylen · 1127 days ago

    ...thx, once again for your tidy info, mate!...as always, you guys are FABULOUS -- and I don't use the F word lightly!...lol...:-)...

  2. Deb · 1127 days ago

    I would love to be able to get a Flash update or even clear my Flash Cache but every time I go to do it I don't get a web page for Adobe, I just get a white screen with a 'list' down the left side of screen of what I should be able to do, but if you click on something it gives you another list! Has anyone got any ideas why this is happening??

  3. paul · 1126 days ago

    When I go to the Adobe web site and run the download (install_flashplayer10ax_gtbp_chrd_aih.exe) it pops up a box asking for authenticating proxy credentials - this isn't referenced in the guidance notes. I've never had this before with an update and it doesn't seem to be appropriate behaviour as I'm already authenticated and able to browse. I don't want to give these details as they are my domain credentials. Any idea why this is happening?

  4. Richard · 1126 days ago

    They've been bundling bloat-ware with Flash for years. Every time I've gone to download an update, I've had to un-tick the option to add McAfee/Chrome/Google Toolbar/whatever.

    Thankfully, they seem to have stopped pushing the Adobe Download Manager, which was a worthless piece of junk.

    On some PCs, the latest installers don't work. They copy themselves to the temp directory, delete the original file, and launch the copy from the temp directory, which then hangs. (Very suspicious behaviour, which Sophos doesn't flag for some reason!)

    On those PCs, I've had to resort to the MSI installers, which aren't available from the main download page. It took quite a bit of searching to find them: http://www.adobe.com/products/flashplayer/fp_dist...


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.