Now though Adobe have signalled the beginning of the end for Flash by announcing that they are to discontinue development of the Flash player for Blackberry and Android devices.  In a press release the company signalled their the future would be HTML5 and their existing AIR runtime environment.

Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores. We will no longer adapt Flash Player for mobile devices to new browser, OS version or device configurations. Some of our source code licensees may opt to continue working on and releasing their own implementations. We will continue to support the current Android and PlayBook configurations with critical bug fixes and security updates.

Over the past two years, we’ve delivered Flash Player for mobile browsers and brought the full expressiveness of the web to many mobile devices.

However, HTML5 is now universally supported on major mobile devices, in some cases exclusively. This makes HTML5 the best solution for creating and deploying content in the browser across mobile platforms.

We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook.

People’s feelings over this announcement will be mixed.  All of Adobe’s products have been criticised for having lax security over the years and Flash was no exception to this.  It was difficult to disagree with Apple’s decision not to allow Flash on their iOS operating system, no matter how much we might have liked the plug-in itself.

Flash, which was born FutureSplash, has become the bedrock of video and interactivity online.  Quite simply it is the only plug-in to have ever reached nearly 100% adoption.

Questions will also be raised over the future of Flash for OS X and Windows.  It is very likely that these too will be discontinued before too long, and probably before the launch of Windows 8.

What the future of the web will now look like with HTML5 and scripting replacing the compiled code of the SWF file format remians to be seen.  Many popular websites have been shying away from Flash in recent years to return to more traditional interface types.  It is possible that the withdrawal of Flash from the Internet won’t even be noticed as websites such as YouTube complete their transition to true HTML5.

This does mean that devices that have been waiting for the arrival of Flash, including Windows Phone, will now never see it and can begin the full move to HTML5 in earnest; Windows Phone now has an HTML5 browser with the latest update.

You can watch both videos below:

They both certainly look impressive. Another important feature of Flash Player 11 is native 64-bit support which previously was not available at all, if you discount the Flash Player 11 Beta phase that is. The release furthermore offers theater-quality HD video and high quality HD video conferencing.

Flash Online Installation

Users of supported operating systems and browsers can install Flash online from Adobe’s website. This installer should work for everyone except Chrome users who are automatically updated to the newest Flash version whenever it is released.

Flash 11 Offline Installers

Not every user can install Flash from Adobe’s website, for instance if the computer that Flash needs to be installed on has no direct Internet connection. Some users prefer offline installers as well.

The following links point to the Flash 11 offline installers on the Adobe website. You can download those to install them on one or multiple systems.

• Microsoft Windows: Internet Explorer 32-bit, 64-bit – Web browsers 32-bit, 64-bit
• Apple Macintosh: 32-bit, 64-bit
• Linux: 32-bit, 64-bit

Adobe Air users can download and install the latest version from the Adobe website.

Interested users find announcements of the new releases both on the Flash Player Team Blog and the Flash Platform Blog which are both hosted on the Adobe website.

Both announcements link to additional pages that offer details about some of the new technologies included in Flash Player 11 and Adobe Air 3.

You can check which version of Adobe Flash you have installed by visiting Adobe’s About page on their website. (via)

According to Adobe, attackers could use the vulnerabilities to exploit a crash to potentially take control of the attacked system. At least one of the vulnerabilities has already been detected in recent attacks, which makes the update mandatory and important on all systems. The attack is carried out over email, but Adobe points out that it can also be carried out on any website on the Internet.

The attacker basically tries to convince the user to click on a specifically prepared link to execute the attack on the user’s local computer system.

Adobe obviously recommends to update Adobe Flash Player as soon as possible to the latest version that fixes the discovered security issues.

Adobe Flash users can check their version of Adobe Flash Player on the about page over at Adobe.

Google Chrome users are the only ones who do not have to manually update Flash Player, as it is done automatically by Google Update.

Everyone else can download the most recent version of Adobe Flash Player from Adobe’s Download Center. Please note that you need to close your web browser during the installation process. Make sure that you uncheck the “Yes, install Google Chrome – optional” box on the download page unless you want to install Google Chrome as well.

You can alternatively download offline installers from the following links: for Microsoft’s Internet Explorer here, for Firefox, Opera and other browsers here.

You can access the changelog here. It lists all previous changes in Flash Player 10.3 and known issues among other things.

Adobe, the company behind popular technologies such as Flash Player, Shockwave or Adobe Reader released five security bulletins on the same day after teaming up with Microsoft to coordinate security releases.. Of the five, three may be affecting end users as they address vulnerabilities in Adobe Reader and Acrobat, Shockwave Player and Flash Player. All three have received a maximum severity rating of critical, the highest possible rating.

The bulletin APSB11-16 describes a critical vulnerability in Adobe Reader X 10.0.3 and earlier on Windows, and Adobe Reader X 10.0.3 and earlier on Macintosh, as well as earlier versions of Adobe Reader 9 and 8, and Adobe Acrobat 9 and 8. The vulnerability could be exploited by attackers to crash the application to take control of the computer system Adobe Reader X is running on.

Adobe recommends to update the software product to the latest available version. For Adobe Reader X that would mean to update to version 10.1, for users of Adobe Reader 9.4.4 and earlier to update to version 9.4.5.

Adobe Reader and Acrobat users can check for updates in the program interface. This is done via Help > Check for Updates. Updates can also be downloaded from the following locations.

• Adobe Reader Windows
• Adobe Reader Macintosh

You can also check out Adobe Reader X Offline Installers

Security Bulletin APSB11-17 describes vulnerabilities in Adobe Shockwave Player 11.5.9.620 and earlier on the Windows and Macintosh platform. Attackers who successfully exploit the vulnerabilities could run malicious code on the computer system. Adobe recommends to update Shockwave Player to version 11.6.0.626 to protect the system from possible exploits.

Windows and Mac users who run Shockwave Player on their system can download the latest version at the official download site.

Bulletin APSB11-18 finally describes a vulnerability in Adobe Flash Player that affects Adobe Flash Player 10.3.181.23 and earlier on Windows, Macintosh, Linux and Solaris, as well as Flash Player 10.3.185.23 and earlier for Android.

The vulnerability could be exploited to cause a crash which could allow the attacker to gain control over the affected system. Adobe has confirmed reports that the vulnerability is exploited in the wild in the form of targeted attacks on specifically prepared websites.

Adobe recommends to update Flash Player to Adobe Flash Player 10.3.181.26 on desktop operating systems. Android users will receive a patch before week’s end.

Users can verify their installed version of Flash Player by visiting the About Flash Player page at Adobe.

Adobe lists the latest version for all supported operating systems on the page, so that users only need to compare their installed version with the latest available version to see if they need to update.

The latest versions can be downloaded from Adobe’s Flash Player Download Center. Users who do not want to use the download manager can check out this guide Download Adobe Flash Without Adobe Download Manager.

Google Chrome users can check for updates in Chrome to get the latest version. This is done by clicking on the wrench icon and selecting About Google Chrome.

The vulnerability, according to Adobe’s information could be exploited to cause a crash on the user system that could allow the attacker to take control of the operating system. Reports that the vulnerability is actively exploited by embedding specifically prepared Flash files in Word and Excel documents have been confirmed by Adobe.

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform

Google Chrome users do not need to update Adobe Flash unless they have Flash installed separately on their system as well. This can for instance be the case if other web browsers are used or installed on the system as well.

The easiest way to find out if your Flash Player is up to date is to visit the About Flash page over at Adobe. The currently installed version and the latest version are displayed on that page.

Downloads are provided at the Flash Player Download page which automatically displays the correct download for the browser used to open the web page, or by manually downloading the Flash Player updates from the Flash Player Support Center.

Flash Player versions affected by the vulnerability are the following:

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users
Adobe Flash Player 10.2.156.12 and earlier for Android
Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

The now released update of Adobe Flash Player is version 10.2.159.1 on all supported operating systems, and 10.2.154.27 if the Flash version of the Google Chrome browser is checked.

Affected are more or less all Flash users. This includes Flash installations on Windows, Mac and Linux, the built-in Flash Player of the Google Chrome browser, Flash on Android and Flash in Adobe Reader and Acrobat.

• Flash Player 10.2.153.1 and earlier versions on Windows, Mac, Linux, Solaris
• Adobe Flash Player 10.2.154.25 and earlier for Chrome
• Adobe Flash Player 10.2.156.12 and earlier versions for Android
• Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Adobe confirmed reports that the vulnerability is actively exploited. The vulnerability uses embedded Flash files in Microsoft Word documents to exploit the issue. According to Adobe’s information those are delivered as email attachments and targeting the Windows platform.

Adobe Reader and Acrobat do not appear to be targeted right now. Adobe Reader X users are protected from this exploit by the program’s Protected Mode.

Adobe is currently finalizing a schedule for delivering updates for all affected versions of Flash Player except for Adobe Reader X which will receive the update on the next quarterly security update on June 14, 2011.

How can users protect their system from these kind of attacks? You should be cautious when you receive document attachments, especially if they come from unknown senders. Probably the best option in this case is to save those attachments to the computer, and open them in an online viewer such as Google Docs.

You could alternatively use a third party document viewer that does not support Flash, but the safest bet is an online viewer.

Interested users find additional information about the newly discovered Flash vulnerability at the Adobe Security Bulletin.

You can get more information about Flash Cookies in a guide we have posted a few years ago. Adobe has now announced that they have plans to “LSO management with the browser UI” which would mean that users would be able to delete those cookies just like they are able to delete regular cookies.

Most recently, we’ve been collaborating with browser vendors to integrate LSO management with the browser UI. The first capability, one that we believe will have the greatest immediate impact, is to allow users to clear LSOs (and any local storage, such as that of HTML5 and other plugin technologies) from the browser settings interface—similar to how users can clear their browser cookies today. Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API.

Adobe basically has created a new browser api which can be used by the browser to clear the local storage. This throws the ball to the browser developers who now need to evaluate if and how they can implement this new option in their browser.

Another interesting change is that Adobe wants to integrate Flash Player Settings Manager directly “Control Panels or System Preferences on Windows, Mac and Linux”. While that’s hopefully optional it will give users a direct easier way of accessing those settings.

The first browser to roll out with the new feature will be Google Chrome dev which may offer the feature in a few weeks.

Interested users find the full blog post over at the Adobe Blog.

User systems in the meantime were susceptible to those attacks. The latest critical vulnerability in Flash was revealed in a security advisory at the Adobe website.

The critical vulnerability in all Flash Player versions for all supported operating systems – yes even Android – impacts not only systems running Flash, but also systems running Adobe Reader 9.3.4 and Adobe Acrobat 9.3.4.

Adobe states that “this vulnerability could cause a crash and potentially allow an attacker to take control of the affected system” with reports that the vulnerability is already actively exploited in the wild “against Adobe Flash Player on Windows”.

Adobe expects to provide an update during the week of September 27 for Adobe Flash Player, and October 4 for Adobe Reader and Acrobat.

Until then, all users running Adobe Flash or Adobe Reader / Acrobat are vulnerable to the critical vulnerability. Make sure your security software detects the vulnerability and blocks it from execution.

One question that Chrome readers may have in mind: Is the build in Flash plugin also susceptible for attacks? In short, yes it is. The latest Chrome internal Flash Player plugin version is listed as 10.1.82.76, which is exactly the version that is vulnerable. The design of the browser may however mitigate the impact on the system, as may the out of process feature of the Firefox web browser.

We say may because we have no confirmation at this point.

The out-of-cycle update outlines the severity of the vulnerabilities that have been parched in the version, as Adobe usually releases updates in a three month cycle.

The updates address previously disclosed security vulnerabilities at the Black Hat USA 2010 conference on July 28, and furthermore incorporate the Adobe Flash Player update noted in the security bulletin released in July.

Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4.

Adobe Reader and Acrobat users are asked to update their pdf reader as soon as possible to protect their computer system from exploits that can lead to remote code execution.

Adobe Reader
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Note: Adobe Reader 9.3.4 for Windows, Macintosh and UNIX will be available from the Adobe Reader Download Center at http://get.adobe.com/reader/ by August 31, 2010.

Adobe Acrobat
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

More information available at Adobe’s Security Bulletin.

The latest threat is another with Adobe’s name on it.  The company has already come under heavy criticism this year for major flaws in it’s Acrobat and Flash platforms, this new threat is more of the same with the Acrobat reader for the iPhone.

The BBC is reporting that experts are saying the threat has yet to be exploited and are urging Apple and Adobe to find a fix before it is.

The threat would affect all devices running Apple’s iOS operating system, the iPhone, ipod and iPad, none of which run anti-virus software.

Graham Cluley, a computer security expert with Sophos, told BBC News that the exploit used the same principle as Jailbreakme – a utility that lets iPhone 4 owners run non-Apple approved applications – although it uses the exploit in a benign way.

“It uses the same tricks as you do when jailbreaking,” said Mr Cluley.  “We always thought that Apple’s Mobile Safari would be the main vulnerability.  “At present, we have yet to see any of these exploits out in the wild, but it is only a matter of time,” he warned.

The method exploits a weakness in the Safari web browser to automatically open an infected PDF.  The irony of this being that so far the only way to secure yourself against it is to unlock your device and install unapproved software on it.

Neither Apple for Adobe have so far commented on the threat or said when a patch might be available.

The programme, launched in October 2008 allows sharing of information about security vulnerabilities with security software vendors.  So far 65 companies have signed up to the scheme.

In a statement, Microsoft said…

“Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of many of our products, as well as the continued shifts in the threat landscape, Adobe has attracted increasing attention from attackers,” said Brad Arkin, senior director of product security and privacy at Adobe. “We are committed to our customers’ security at every level and are excited to leverage MAPP as an important part of our overall product security initiative. MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose — protecting our mutual customers.”

“Microsoft acknowledges that the constantly changing threat landscape requires a new approach to security — collaboration and shared responsibility are key as past individual efforts are no longer enough,” said Mike Reavey, director of the Microsoft Security Response Center at Microsoft. “We’re excited about extending the benefits of MAPP to Adobe users as we’ve seen clear evidence of its impact in advancing customer protections. We continue to encourage the collective industry — from security researchers and vendors to customers— to recognize the responsibility we all share in fortifying the broader computing ecosystem against online crime.”

The PC ecosystem is so complex these days that closer co-operation between software and security vendors is essential to help maintain stability and consumer confidence.  While many people will directly blame Microsoft for having insecure software, most trained observers will point out that it’s just not that simple, as the recent security scares for Adobe’s Flash and Acrobat software proved.

Microsoft took the opportunity to call on the “broader community” from security researchers to vendors, to all move more towards a co-ordinated disclosure.

With luck, this move will also finally allow third-party vendors to release their patches through Windows Update with the forthcoming Windows 8 in 2012.

Last years leader, Oracle, dropped to second spot while Microsoft managed to retain the third spot firmly in the last five years.

Adobe made their first appearance in the top ten in 2008, and managed to climb to position five in this report. Lastly, Google is now ranking on position nine in the listing, displacing Mozilla, which now ranks on ten.

security vulnerabilities

To gain more insight into the security ecosystem we identify the group of the ten vendors with the most vulnerabilities (in all their products) in any given year. Since 2005 these Top-10 vendors are responsible for about 38% of the total vulnerabilities representing 16% of the Secunia Advisories per year. The composition of the Top-10 group varied only slightly in this period; seven of the Top-10 vendors with the highest vulnerability counts in 2005 are still in the Top-10 group in 2010.

The total amount of security vulnerabilities was used to create the report, with severity ratings playing no role in the rankings. This means that software from a company with more vulnerabilities does not necessarily have to be more insecure. The trend however is obvious. The graph shows a clear jump in rankings for Adobe, a company that is struggling to keep up with patching security vulnerabilities in its flagship products Adobe Reader and Adobe Flash.

Attackers have noticeable shifted attacks from operating systems to third party software, and Apple, along with Adobe and Oracle, happens to produce several popular programs, including iTunes, Quicktime and the Safari browser.

Speaking of Safari, an Autofill vulnerability has just been uncovered that allows websites to uncover private information.

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Attack vectors have been analysed by Secunia as well. Remote attacks are still on the rise while local network and system attacks slowly declining.

We observe that “From remote” is consistently and by far the most prevalent attack vector (81% in average), compared to “Local system” with 9.8% and “Local network” with 8.2% in average over the last five years. Thus, most of the vulnerabilities expose the user of the software to remote attacks. Based on the data available by mid 2010 we do not expect a change by the end of the year.

In every report, Secunia analyses a typical Windows PC environment (both Vista and XP) with a top-50 software portfolio consisting of 26 Microsoft and 24 non-Microsoft programs.

The analysis confirms the growing trend of exploiting third party software.

The vulnerabilities breakdown shows an overall increase in vulnerabilities on both systems. The vulnerabilities disclosed in Microsoft programs rose by about 50%, from 85 in 2009 to now 62 in the first half of 2010, with a projection to end at about 120 vulnerabilities.

The third part programs increase is earth shattering. From 286 vulnerabilities in 2009, to 275 in the first half of 2010 and a projected total of 550 at year end. That’s a 100% increase, and more than four times as many vulnerabilities as in Microsoft programs.

vulnerabilities

The next figure visualizes the increase in third party software vulnerabilities.

third party software

Mozilla Firefox tops the vulnerability listing with 96 reported vulnerabilities, followed by Safari with 84, Java and Google Chrome with 70, Adobe Reader with 69, Adobe Flash Player and Adobe AIR with 51, Apple iTunes with 48 and Mozilla Thunderbird with 36.

The top Microsoft programs are Internet Explorer with 49, Excel Viewer with 37 and Excel with 30.

Typically, a user can patch 35% of the vulnerabilities with one update mechanism (Microsoft’s), and needs to master another 13 or more different update-mechanisms to patch 65% of the 3rd party program vulnerabilities.

Interested users can access the full PDF report over at the Secunia website.

Instead they are still offering Adobe Reader 9.3 for download, a version that has been releases in January 2010, and updated three times since then to fix security vulnerabilities of which some are used in attacks.

adobe reader

This opens a can of worms and raises a question, how are Adobe Reader downloaders supposed to know that the version offered is not the latest? They apparently do not get that information on the Adobe Reader download page, nor are they informed about the insecure version on startup of the pdf reader.

Adobe seems to solely rely on the Adobe Reader and Acrobat Manager, Adobearm which is configured as a startup process to launch with the operating system. This in itself is problematic depending on the computer system. Adobe ARM does not get executed before the next startup, which means that systems that run 24/7 will be insecure for that time, unless the administrator updates the program manually.

It is also inefficient if the computer user decided to block the program from being started automatically with the operating system. That’s highly understandable considering that Adobe does not provide local information about the startup item. A quick search on the Internet confirms the confusion as many users thought that the process was for ARM processors only.

Lastly, users who do not allow automatic updates on their system will also be left with an insecure version of Adobe Reader.

How to update Adobe Reader

There are two possibilities to update Adobe Reader. The first is to use the Help > Check For Updates option in the program itself. That’s obviously only an option if the computer is connected to the Internet as it will query Adobe servers to retrieve the latest version.

adobe reader update

The second option is to download the patches for Adobe Reader directly from the Adobe website.

Adobe Reader 9.3.1 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.2 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.3 Windows, Mac (Intel), Mac, Unix

Product Update Pages: Windows, Mac, Unix

Do you have Adobe Reader installed on your system? If so, which version is it?

The security bulletin sheds some light on the security issues that have been fixed in the release. A total of 17 different vulnerabilities have been fixed in Adobe Reader 9.3.3. Adobe has categorized the update as critical and recommends that users apply the latest updates immediately to protect their computer systems.

Exploits of any security vulnerability that has been patched in the update can lead to code execution on the affected system.

Adobe confirmed that at least one of the security vulnerabilities is actively exploited in the wild.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.

This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).

This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).

This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).

This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).

This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).

Adobe Reader 9.3.3 and Acrobat 9.3.3 are available for download at the Adobe website. Also available are Adobe Reader 8.2.3 and Adobe Acrobat 8.2.3 which both fix the security issues as well.

The biggest change introduced in Flash 10.1 is hardware acceleration which is currently limited to Windows PCs with the prospect that it will be added at a later time to Mac and Linux versions of Flash.

But hardware acceleration is not the only new feature in Flash 10.1. Adobe has improved mobility support for instance by supporting multi-touch and gestures, mobile text input, accelerometer input, sleep mode or optimized SWF management for mobile devices.

Flash 10.1 has also been made compatible with the private browsing mode of Firefox, Internet Explorer and Google Chrome. This compatibility ensures that no data is recorded while the browser is in that mode.

Flash Player 10.1 Features

• Globalization support
• Multi-touch and gestures
• Graphics hardware acceleration
• H.264 video hardware decoding
• Out-of-memory management
• HTTP streaming
• Stream reconnect
• Dynamic frame rate

The Adobe Labs website contains additional information about the new features of Flash 10.1.

The Adobe Flash Player 10.1 download is offered at the official Adobe website. Just select the operating system in step 1 and pick one of the available versions of Flash Player in the second step to initiate the download.

adobe flash player 101 download

It will be interesting to see how fast the Google Chrome developers manage to upgrade the native Flash plugin of the web browser. Ever period other in the next few hours would be disappointing to say the least.

The vulnerabilities received a severity rating of highly critical, the highest possible rating, by Secunia since they were both actively exploited and would allow remote code execution on affected computer systems.

Adobe’s Response Team has updated the security vulnerability with the planned schedule for a patch to resolve the issue.

According to those information a patch for Flash Player 10 will be released on June 10 while Adobe Reader and Acrobat 9 users have to wait until June 29 for the patch.

The patches will be made available for all supported operating systems with the exception of Flash Player for Solaris.

The delay until the page becomes available is bad news for Adobe Reader and Acrobat users who have to find ways to protect their systems from the security vulnerability in the meantime.

Adobe is offering mitigation instructions on their website for Windows, Unix and Macintosh.

Adobe Reader and Acrobat – Windows

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x – Macintosh

1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Acrobat Pro 9.x – Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Adobe Reader 9.x- UNIX

1) Go to installation location of Reader (typically a folder named Adobe)
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
3) Remove the library named “libauthplay.so.0.0.0″

It is recommended to either perform the operations on affected computer systems or switch to another pdf reader at least for the time until the vulnerability gets fixed.

The critical vulnerabilities are affecting all operating systems that Adobe Reader is compatible with (Microsoft Windows, Apple Macintosh and Unix based) and versions of Adobe Reader 9.3.1 and Adobe Acrobat 9.3.1 or earlier.

The critical nature of the vulnerabilities requires immediate attention from users who have affected software versions installed on their computer systems.

Adobe is offering the update through various channels. It is possible to check for updates from within the pdf readers by clicking on Help > Check for updates or to download the updates from the official Adobe website.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.3.2/.

The update is still separated from the full version of Adobe Reader that is offered on the Adobe homepage. There is still no full version of Adobe Reader 9.3.2 available on the Adobe homepage which still offers Adobe Reader 9.3.0 to visitors.

Users who want to find out more about the security vulnerabilities can check out the security bulletin that contains detailed information about the vulnerabilities that are closed with the new release.

System administrators still have the options to disable automatic updates complete in the Adobe Reader preferences.

Two programs are getting added to the Windows startup when Adobe Reader is installed on the computer system. The files are called adobearm.exe and reader_sl.exe, both are not essential for the software to function properly. Here is what these two programs are designed to do:

Adobearm.exe is the Adobe Reader and Acrobat Manager which seems to be directly linked to the new updater that Adobe plans to activate for all Windows and Macintosh users. Adobearm.exe will run as a system process after it has been processed by the system startup.

Adobe Reader and Acrobat Manager is not needed if users manage the update process of those products by themselves. It is for instance still possible to download and install the updates manually.

Even more interesting is the fact that it is also possible to use the Help > Check for Updates option in Adobe Reader to update the pdf reader. This will launch adobearm.exe for the updating process but will close it once the update has been installed.

The file location of the Adobe Reader Manager is C:\Program Files\Common Files\Adobe\ARM\1.0 in the Windows operating system. The directory contains the four following files:

Directory of C:\Program Files (x86)\Common Files\Adobe\ARM\1.0

326.056 AcrobatUpdater.exe
948.672 AdobeARM.exe
70.584 AdobeExtractFiles.dll
326.056 ReaderUpdater.exe
4 File(s) 1.671.368 bytes

Windows users who want to disable adobearm.exe from being executed during startup can do the following:

Press [Windows R], type msconfig.exe and hit [enter]. Now switch to the Startup tab in the window that opens and locate the startup item Adobe Reader and Acrobat Manager. Unchecking that item will ensure that adobearm.exe will not be launched during system startup and not run as a system process all the time.

The second program that gets started during system startup is Reader_sl.exe. The software is also known as Adobe Reader Speed Launch. Its function is to speed up the loading of pdf files on the computer system. It is not an essential process and can be removed from the Msconfig.exe program as well so that it is not launched during system boot.

It is not clear why Adobe is not updating the version offered for download on their website. That it is possible shows the release of Adobe Reader 9.3.1 Lite which is the – unofficial – lite version of Adobe Reader.

Adobe Reader 9.3.1 Lite is basically a version of Adobe Reader with several modules and features of the program removed. This in turn speeds up the pdf reader, especially its loading time.

Adobe Reader 9.3.1 Lite can be directly downloaded from Rapidshare. Executing that portable version will throw an error message as it does not include the Eula of the program. This can however be easily fixed by importing keys into the Registry that tell Adobe Reader that the Eula has been accepted.

Save the following file as adobe.reg and double-click it to add the information to the Windows Registry.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AdobeViewer]
“TrustedMode”=dword:00000000
“EULA”=dword:00000001
“Launched”=dword:00000001

Adobe Reader 9.3.1 Lite can be downloaded directly from Rapidshare.

It is therefor suggested to find a way to download Adobe Flash without the Adobe Download Manager. But that’s unfortunately not as easy as it sounds as Adobe seems to have cut off many other options to download Adobe Flash without the download manager.

There are basically two options to download Adobe Flash without the Adobe Download Manager. The fact that Adobe offers different versions of Flash depending on the web browser that is used to access the website makes the matter even more confusing.

The best option to download Adobe Flash directly is to use the direct links to the setup files. Those links point to the Windows Flash installers.

• Adobe Flash Player Internet Explorer download [link]
• Adobe Flash Player Other Browsers download [link]

Those two links always point to the latest official release version of Adobe Flash. The second option is to download a developer release of Adobe Flash from the Flash Labs website. Those are often pre-releases which can contain bugs. Versions for all operating systems are offered.

Both options allow the user to download Adobe Flash without the Adobe Download Manager.