Adobe updates Flash again in a Patch Tuesday of its own

Filed Under: Adobe, Adobe Flash, Featured, Vulnerability

Earlier this year, Adobe switched from a strictly quarterly patch cycle - updating on the second Tuesday of every third month - to a monthlyish cycle, or cadence, to borrow Adobe's own metaphor.

I say monthlyish, because the company doesn't necessarily patch every month, and doesn't necessarily patch only on the second Tuesday.

Speaking personally, I'd have avoided the word cadence to describe this approach. I'd simply have said, "We issue patches on the second Tuesday of most months, but also at any other time when it's important or urgent."

Anyway, it seems as though something urgent from a security point of view came up in the past few days.

Adobe Flash Player has been patched again just one week after the official Patch Tuesday release.

Just like the monthlyish update, this one addresses a bunch of RCE bugs.

RCE stands for Remote Code Execution, and because Flash objects are almost always embedded into untrusted web pages from outside your organisation, this means potential drive-by installs.

(A drive-by install is where you innocently load a deliberately-damaged data file and end up unknowingly running executable code buried inside it, without any of the usual system warnings.)

Incidentally, finding out whether you need the update or not isn't quite as intuitive as you might expect. I assumed that the Adobe Flash Player Install Manager application, which wins the prize for Longest Software App Name On My Mac by a quite considerable margin, might be the place to start:

It turns out you can use the Install Manager to sort out Flash Player vulnerabilities, but only by removing the software entirely, which seems to be the Install Manager software's main and only option:

That confused me, because I expected to find a Manage Your Adobe Flash Player Installation option somewhere in the Adobe Flash Player Install Manager software. I suspect - and here's some free consulting advice for Adobe - that others might have similar thoughts.

Adobe's own recommendation to check your version of Adobe Flash Player is:

Access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Personally, I'd prefer an off-line option. There's something intellectually unappealing about deliberately putting yourself in the way of a possible Flash-based drive-by attack in order to see if you need to patch against possible Flash-based drive-by attacks.

Nevertheless, the About Flash Player page is easy enough to check and tells you what you need to know.

These days, the default option for Flash Player updates is automatic, though I feel slightly happier with "Notify me":

Having said that, I have to admit that most of the time I respond to the notifications by updating straight away. Given that I now know how to remove Flash Player quickly and easily if something goes wrong (by using the Install Manager application), perhaps I'll switch to full-auto mode.

All I have to do now is to figure out how [*].

Let me see. The Adobe Flash Player Install Manager application sounds like a good place to start...


-

[*] It's more obvious than I'm letting on. There's a Flash applet in System Preferences on the Mac and in Control Panel on Windows.



12 Responses to Adobe updates Flash again in a Patch Tuesday of its own

  1. NerdyJo3 · 704 days ago

    Worth noting that 11.4 is a security update but if you have 11.3 installed with "Allow Adobe to install updates" selected you won't get automatically updated. You do get prompted to manually update within 6 weeks of release according to Adobe. This was true of 11.2 > 11.3 and I believe it's still the same for 11.4. Bit of a headache as it means I have to go and manually do some work on my 22 desktop network now!

  2. JimboC · 704 days ago

    If you would like to see the update mechanism of Flash Player changed so that security updates that are also version updates i.e. 11.2 to 11.3 or more recently 11.3 to 11.4 are installed within 24 hours, please vote for the bug listed on Adobe’s website, linked to below:
    https://bugbase.adobe.com/index.cfm?event=bug&amp...

    I voted for this back in June 2012, after being informed about it by an Adobe employee on their Support forum.

  3. JimboC · 704 days ago

    @Paul Ducklin:

    For Windows, you can also check the version of Flash Player installed within the Windows Control Panel.

    On Windows 7, go to System and Security->Flash Player or simply search for it in the search box in the upper right corner of the Control Panel. Then open the Advanced tab of the Flash Player Settings Manager (the window that opens after double clicking the Flash icon in the Windows Control Panel).

    In the Advanced tab you will see the version number of the installed ActiveX (for Internet Explorer) and/or Plugin Version of Flash (for Firefox and Opera). Clicking the Check Now button launches the About Flash Player page that you have linked to.

    For Windows XP, this can be accessed simply by visiting the Control Panel and clicking the Flash Player icon.

    For Windows Vista, 64 bit, go to Control Panel->View Additional Options icon, 32 bit Control Panel applications->Flash Player 32 bit (searching for “Flash” gives no result).

    Other ways to view the version number of Flash:

    Open Programs and Features from the Windows Control Panel (Add/Remove Programs on Windows XP). Right click the bar containing column headings of this list (e.g. Name, Publisher, Installed On etc.) and choose Version. A new Version column appears that will list the version of Flash Player installed.

    Finally, for 32 bit Windows:

    Using Windows Explorer, navigate to:

    C:\Windows\System32\Macromed\Flash

    If you have the ActiveX version of Flash installed, look for a file called Flash32 (version number).ocx e.g. Flash32_11_4_402_265.ocx

    For the Plugin version of Flash, this file is called:

    NPSWF32_version number.dll

    For a 64 bit version of Windows, the 64 bit version of Flash Player is installed in the above location but has a different but obvious naming scheme:

    If you have the ActiveX version of Flash installed, look for a file called Flash64 (version number).ocx e.g. Flash64_11_4_402_265.ocx

    For the Plugin version of Flash, this file is called:
    NPSWF64_version number.dll

    The 32 bit version of Flash installed on a 64 bit version of Windows is located at the following location:

    C:\Windows\SysWOW64\Macromed\Flash

    The naming scheme is the same as for the 32 bit version of Windows mentioned above.

    I hope this information is of assistance.

    Thank you.
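An added offline version check in Python (written for this page; not code from the post, the commenter or Adobe) that automates the file-name procedure in the comment above: it parses the Flash32_/Flash64_ ActiveX and NPSWF32_/NPSWF64_ plugin names from both directories and flags any build below a reference version. The directory and naming conventions are the ones the comment gives; the sample paths and the reference version are constructed for the demonstration, so take the real target version from Adobe's bulletin.

```python
import os
import re
from pathlib import PureWindowsPath

# Directories from the comment above: native build under System32 and, on 64-bit
# Windows, the 32-bit build under SysWOW64 (same file names as on 32-bit Windows).
FLASH_DIRS = [r"C:\Windows\System32\Macromed\Flash", r"C:\Windows\SysWOW64\Macromed\Flash"]
# Flash32_/Flash64_<ver>.ocx = ActiveX (IE) build; NPSWF32_/NPSWF64_<ver>.dll = plugin build.
NAME_RE = re.compile(r"^(Flash|NPSWF)(32|64)_(\d+)_(\d+)_(\d+)_(\d+)\.(ocx|dll)$", re.IGNORECASE)

def parse_flash_file(name):
    """Return (flavour, bits, version_tuple) for a Flash binary name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None  # FlashUtil*.exe and other files in the folder are ignored
    flavour = "ActiveX" if m.group(1).lower() == "flash" else "Plugin"
    return flavour, int(m.group(2)), tuple(int(x) for x in m.group(3, 4, 5, 6))

def audit_flash_paths(paths, minimum):
    """Compare each recognised Flash binary with 'minimum' (a 4-tuple).
    Returns {(directory, flavour, bits): (version, outdated)}."""
    report = {}
    for p in paths:
        wp = PureWindowsPath(p)
        parsed = parse_flash_file(wp.name)
        if parsed is None:
            continue
        flavour, bits, version = parsed
        report[(str(wp.parent), flavour, bits)] = (version, version < minimum)
    return report

def list_flash_binaries(dirs=FLASH_DIRS):
    """Enumerate the real directories on a Windows host; empty list elsewhere."""
    return [os.path.join(d, f) for d in dirs if os.path.isdir(d) for f in os.listdir(d)]

# Constructed sample (not real data): ActiveX builds at the comment's example version,
# the 64-bit plugin one release behind, plus a helper EXE that must be skipped.
SAMPLE_PATHS = [
    r"C:\Windows\System32\Macromed\Flash\Flash64_11_4_402_265.ocx",
    r"C:\Windows\System32\Macromed\Flash\NPSWF64_11_3_300_271.dll",
    r"C:\Windows\SysWOW64\Macromed\Flash\Flash32_11_4_402_265.ocx",
    r"C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe",
]
REFERENCE = (11, 4, 402, 265)  # from the comment's example name; use Adobe's bulletin for the real target

if __name__ == "__main__":
    for (d, flavour, bits), (ver, old) in audit_flash_paths(list_flash_binaries() or SAMPLE_PATHS, REFERENCE).items():
        print(f"{d}: {flavour} {bits}-bit {'.'.join(map(str, ver))} {'OUTDATED' if old else 'ok'}")
```

On a real Windows host the script walks the two directories itself and only falls back to the constructed sample when it finds nothing there.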

  4. Richard · 704 days ago

    Another option to check for updates: http://www.mozilla.org/en-US/plugincheck/

    It works in Firefox, IE, Chrome and Opera, and checks for updates to several other plugins as well.

  5. Dave · 704 days ago

    re "Personally, I'd prefer an off-line option. There's something intellectually unappealing about deliberately putting yourself in the way of a possible Flash-based drive-by attack "

    You think that's worth noting... well, recently I was given upgrade instructions by another AV software company, and I was somewhat surprised to be told to download the update file, using a URL, AFTER I had rebooted with the current AV disabled. No danger there then.

    Perhaps you could start a competition for stupid/dangerous upgrade instructions, I win so far.

    And that wasn't the only problem - I now have to work out how one tells MSConfig that the Startup and Service stuff I was told to disable pre-reboot has now been removed - perhaps I should have been told to undo the MSConfig changes after the reboot, but before an uninstall, but actually there was no mention of undoing the MSConfig changes at all (some people must be having trouble I think). My fault for not thinking ahead I suppose as I should have spotted it coming.

    Like the blog,

    Cheers

    • JimboC · 703 days ago

      I hope the various offline methods of checking the version number of Flash Player that I posted above might be of assistance to you.

      I can explain or provide any clarification that you may need since I realize the explanation that I provided may be a little confusing to read.

  6. R Dale Barrow · 703 days ago

    A hat tip to JimboC on using XP's Control Panel -> 'Flash Player' to check for updates. Be sure 'Flash Player Settings Manager' is shut down before proceeding or the install will flop over and die. I'm not sure if that's the correct technical term ... ;-)

    • JimboC · 703 days ago

      Hi R Dale Barrow,

      Thanks for your compliment, much appreciated.

      The install crashes since the Flash Player Settings Manager (i.e. the Control Panel applet that you are using i.e. have open) is in use and cannot be overwritten by the new version that the installer is trying to install for that reason. This is the technical explanation. This is why closing it fixes the issue.

      This is a coding mistake on Adobe’s part; they could easily close all relevant Flash Player files after presenting the initial dialog (window) of the new installer to you. They could also close the file handles associated with those in use files, but the file handle approach may cause instability.

      With all of the files closed/not in use they could then update to the new version, but they didn’t take this approach.

      For your information, on Windows XP, the Flash Player Settings Manager that is updated when installing a new version is located at:

      C:\WINDOWS\system32\FlashPlayerApp.exe

      If I can provide any further info/assistance, please let me know.

      Thank you.

      • JimboC · 703 days ago

        This file path should read:

        C:\WINDOWS\system32\FlashPlayerApp.exe

        Apologies for the error.

  7. Jamie Jeff · 678 days ago

    Remember when the non-Apple people used to say: "But iPhones can't even have Flash on them - they must be crap"

  8. Frank Artmiami · 678 days ago

    No wonder videos don't work in Chrome again!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog