Critical Flash updates delivered early, be sure to update now

Filed Under: Adobe, Adobe Flash, Featured, Vulnerability

Typically Adobe updates its ubiquitous Flash Player plugin quarterly in line with Microsoft's monthly Patch Tuesday updates. This week they have jumped the gun by one week, and so should you.

Adobe have fixed 7 critical remote code execution vulnerabilities in Flash Player, not just for Windows and Mac, but also for Linux and Android.

Users of Flash Player for Windows and Mac should update to 11.5.502.110, Linux to 11.2.202.251, Android 4 to 11.1.115.27 and Android 3 to 11.1.111.24.

To determine which version of Flash you are running you can visit http://www.adobe.com/software/flash/about/.
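The version numbers above vary by platform and are not safe to compare as plain strings (a lexicographic check would rank 11.10 below 11.5). The following script is an added example, not part of the original post, that compares an installed build against the minimum patched build for each platform named in the article; the platform keys, inventory format and hostnames are constructed for illustration.

```python
"""Check installed Flash Player builds against the minimum patched
builds named in the advisory, per platform."""
import re

# Minimum patched builds from the advisory (platform keys are assumed names).
MIN_PATCHED = {
    "windows": "11.5.502.110",
    "mac": "11.5.502.110",
    "linux": "11.2.202.251",
    "android4": "11.1.115.27",
    "android3": "11.1.111.24",
}


def parse_version(text):
    """Turn '11.5.502.110' (or a comma-separated form such as
    'WIN 11,5,502,110') into a tuple of ints so comparison is numeric."""
    match = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not match:
        raise ValueError("no four-part version in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_patched(platform, installed):
    """True if the installed build is at or above the platform minimum."""
    key = platform.lower()
    if key not in MIN_PATCHED:
        raise KeyError("unknown platform %r" % platform)
    return parse_version(installed) >= parse_version(MIN_PATCHED[key])


def audit(inventory):
    """inventory: iterable of (hostname, platform, installed version).
    Returns the hostnames that still need the update."""
    return [host for host, platform, ver in inventory
            if not is_patched(platform, ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = [
        ("ws01", "windows", "11.5.502.110"),
        ("ws02", "windows", "11.4.402.287"),   # previous release, still vulnerable
        ("srv-lin", "linux", "11.2.202.251"),
        ("tab-a", "android4", "11.1.111.24"),  # Android 3 build on Android 4
    ]
    for host in audit(sample):
        print("needs update:", host)
```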

This may sound easier than it really is for Windows users. There are separate downloads for Firefox/Safari and Internet Explorer 9 and earlier.

The easiest way, regardless of platform (except for Google Chrome users) is to visit http://get.adobe.com/flashplayer. If you use both Internet Explorer 9 or earlier and Firefox/Safari you will need to download it for each browser.

If you don't want to be annoyed by the "bloatware" add-ons that Adobe offers to install by default when downloading from get.adobe.com, you can get the plain versions at http://www.adobe.com/products/flashplayer/distribution3.html (Thanks Brian Krebs for the tip!).

Google Chrome users were automatically updated by the latest Chrome update and should not need to take any action, other than acknowledging the restart of Chrome for the fix.

Flash Player remains one of the most exploited plugins used in drive-by web attacks, so it is sensible to update as soon as possible.

IT administrators can consider this a dry run for next week's Patch Tuesday. Stay vigilant my friends...


7 Responses to Critical Flash updates delivered early, be sure to update now

  1. Richard · 628 days ago

    So much for the automatic update service! This morning, it told me there was an update available, but when I clicked the "Update" button, it just launched Firefox and navigated to the "Update Flash" page. There wasn't even a link to download the IE version!

    • JimboC_Security · 628 days ago

      Hi Richard,

      As Adobe explained in the following forum post, since this update to Flash Player is a version upgrade i.e. 11.4 to 11.5, the update will be delivered within 7 days. This update is also a security update.
      http://forums.adobe.com/message/4827339

      What you encountered is expected behavior. As an Internet Explorer 9 user on Windows 7, I do not even receive an “Update Flash” page. When I read Adobe’s forum post linked to above, I simply downloaded the update as Chester mentioned from:
      http://www.adobe.com/products/flashplayer/distrib...

      and updated manually. I don’t consider waiting up to 7 days an appropriate course of action.

      The current update mechanism can be a little confusing since I would expect a security update to be installed within 24 hours. The current update process is explained/clarified in the forum thread linked to below:
      http://forums.adobe.com/message/4483381#4483381

      Adobe used to have a bug report open for this:
      https://bugbase.adobe.com/index.cfm?event=bug&amp...

      but it is now closed. An unverified related bug report is the following:
      https://bugbase.adobe.com/index.cfm?event=bug&amp...

      While many users including myself voted for the first bug report mentioned above, Adobe did not change how the update mechanism worked, i.e. an update within 24 hours if it is a security update, regardless of whether it is also a version number upgrade, e.g. 11.4 to 11.5.

      It seems their intended functionality is for a 24 hour update only when the version number does not change (as mentioned above) and the update is a security update. I have seen this method successfully work on my PCs.

      Today, I have already manually updated all of my PCs.
      I really can’t see this behavior changing. My only advice is to check this Sophos blog regularly to be notified about such updates and act as necessary. You can also check the Adobe security blogs if you wish:
      http://blogs.adobe.com/psirt/
      http://blogs.adobe.com/asset/

      I hope this helps. Thank you.

      • Richard · 627 days ago

        This is expected behaviour from Adobe's point of view, but not from an end-user's!

        Maybe I'm expecting too much, but I would expect an "automatic update service" to, at the very least, update something automatically. Waiting between 7 and 30 days to install a critical security update when I've already told it to install updates silently ASAP is not acceptable.

        I guess I'll have to stick to checking the Mozilla Plugin Check page daily: https://www.mozilla.org/en-US/plugincheck/

        • JimboC_Security · 627 days ago

          Hi Richard,

          I agree that it is expected behavior from Adobe’s perspective and not an end user's. I wasn’t trying to defend their strategy. I was simply trying to show how Adobe’s update schedule works and how it is far from perfect.

          I also agree that security updates should be installed automatically and in a very short time. This was my reason for voting for the first bug report that I linked to above in order to accelerate the deployment of security updates. That report got a lot of votes and yet Adobe did not change this behavior.

          Yes, I think you are right checking with the Mozilla Plugin Check page as often as you wish.

          Thank you.

  2. It's just another organisation that wants to mess about with the population.

  3. Maybe it's just me, but the new version I just installed for Firefox and IE is 11.5.502.110 but the newest version I'm seeing on http://www.adobe.com/products/flashplayer/distrib... is 11.4.402.287.

    • JimboC_Security · 627 days ago

      Hi saturnjct,

      That’s strange; when I visit that page, I see version 11.5.502.110 nearest the top.

      Try refreshing the page and also clearing the cache (browsing history) of your web browser.

      I am not trying to be patronizing by saying the above. I find the same thing happens to me on this blog when the number of comments does not update.

      I hope this helps. Thank you.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.