Flash Adds Silent Security Updates
The latest version of Flash introduces an automated process for installing security updates -- and patches a security flaw demonstrated at Pwn2Own.
Adobe's Flash Player has long been one of the juiciest targets for hackers and malware on the web. And although Adobe has moved quickly to patch security vulnerabilities, many users haven't kept pace with the updates -- which, until now, have required manual intervention to install. The result: Plenty of unpatched machines for hackers to exploit.
But with the release today of a new version of the Adobe Flash Player, that situation is about to change. The new Adobe Flash Player 126.96.36.199 fixes a number of vulnerabilities and also provides a revised software updater that will turn many future Flash patches into silent, hands-off updates.
It's no secret that attackers go after unpatched systems. Back in 2009, a report claimed that 80 percent of users were running unpatched version of Flash. It's a situation that Adobe is well aware of.
"Improving the update process is probably the single most important challenge we can tackle for our customers at this time," said Wiebke Lips, Senior Manager of Corporate Communications at Adobe. Lips noted that the majority of attacks that Adobe is seeing involve exploits of software installations that are not up-to-date with the latest security patches.
"Also, attackers have been taking advantage of users trying to manually search for Flash Player updates by buying ads on search engines pretending to be legitimate Flash Player download sites," Lips said.
To address these issues, the silent updating mechanism will automatically install updates to a user's system for all installed browsers, when available. Furthermore, the silent updater will not require a browser or system restart -- thereby avoiding any interruption of user activity.
Adobe isn't forcing silent updates on everyone, however. When Flash Player 188.8.131.52 is installed, users can choose to opt out of automatic updates and simply be notified when updates are available. Those updates can then be installed at the user's convenience.
The new Flash updater is currently only available for Windows users. Lips noted that a Macintosh version of the new Flash Player silent updater is currently under development and should be available soon.
"We also recently made available a prerelease version of Adobe Flash Player with Protected Mode ('sandboxing') for Firefox (Windows), which users can download from AdobeLabs," Lips said. The beta Flash Player with Protected Mode for Firefox brings additional security to Firefox users with process sandboxing, and a final version is expected to be available later this year. A similar feature is already available for Google Chrome users.
"Additionally, we are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer," Lips said. "Because Internet Explorer works on ActiveX, which is significantly different from the Netscape Plugin Application Programming Interface (NPAPI), sandboxing Flash Player for Internet Explorer requires a different approach."
Pwn2Own Flaw Fixed
The new Flash Player 184.108.40.206 release includes several security fixes, including a patch for the critical vulnerability known as CVE-2012-0773, which was first demonstrated at the recent Pwn2Own security competition. That vulnerability could potentially allow an attacker to take control of an affected system, according to Adobe.
"This particular issue was part of the Google Chrome exploit demonstrated at Pwn2Own," Lips said.
The annual Pwn2Own event is organized by HP TippingPoint's ZDI (Zero Day Initiative) in an effort to help find and patch security vulnerabilities in web browsers. At the event, French security firm VUPEN hacked Chrome with a zero-day attack. The Adobe Flash Player is directly integrated with Google Chrome.
Flash Player 220.127.116.11 also fixes an additional flaw known as CVE-2012-0772, which was reported by Microsoft Vulnerability Research (MSVR).
To benefit from the latest release, users need to manually install the Flash Player 18.104.22.168 update for both Firefox and Microsoft Internet Explorer browsers when prompted. But subsequent updates will become simpler for users -- and a whole lot more silent.