
Flash 11.2 Adds Silent Updates




Adobe is releasing a security update for Flash Player today, but aside from patching a couple Critical vulnerabilities, the update also includes a new and improved background updater tool.

Adobe is releasing a new version of Flash Player today. The update addresses a couple critical vulnerabilities, but the real news from Flash 11.2 is the changes Adobe has made to the background updating mechanics.

The Flash update should be applied as soon as possible from a security perspective. A post on the Adobe ASSET (Adobe Secure Software Engineering Team) blog cites recent studies like the September 2011 CSIS Report, and volume 11 of the Microsoft Security Intelligence Report to point out that known flaws left unpatched are a much higher risk than zero day exploits.


Adobe is making some proactive moves to improve security for Flash Player with a new background updater.

The flaws addressed are memory corruption vulnerabilities rated as Critical by Adobe. They could cause a crash or potentially allow an attacker to take control of the affected system, and they impact virtually all versions of Flash. Adobe claims that neither of the patched vulnerabilities is being actively exploited at this time, but that can change quickly so you should apply the update.

Within Flash 11.2, though, Adobe also tackles a larger issue, and one that contributes to a security risk of another kind. The ASSET blog post explains, “Attackers have been taking advantage of users trying to manually search for Flash Player updates by buying ads on search engines pretending to be legitimate Flash Player download sites.”

Adobe has improved the background updater tool to streamline the process of keeping Adobe Flash up to date. Users who install Flash 11.2 will be presented with a dialog box to indicate how future updates should be handled.

There are three choices, similar to the options available for Automatic Updates in the Windows operating system:

  • Install updates automatically when available
  • Notify me when updates are available
  • Never check for updates

Unless you check “Never check for updates”, the background updater touches base with Adobe once per day to see if there are any updates available, and handles any updates according to your selection. The Adobe updater uses the Windows Task Manager rather than running as a separate service, so it isn’t consuming additional resources or opening up another potential attack vector.

The best part of the new background updater, though, is that if there are multiple browsers on the PC, the updater will update Flash across all of them so users don’t have to apply the Flash update multiple times.

As a side note, Adobe is also officially dropping support for Internet Explorer 6. Flash can still be installed on IE6, and will probably work as it always has, but Adobe will no longer be testing or certifying updates on IE6, so users are on their own.


Adobe released Flash Player version for Windows, OS X and Linux today. In my view this is a milestone release as it finally introduces an automatic, silent updating mechanism to help users stay current with the latest releases from here forward.

Google Chrome users may consider themselves spoiled, as they have been enjoying the worry-free joy of automatic updating of both their browser and integrated plugins like Flash Player for quite some time.

To obtain the latest Flash Player you should visit http://get.adobe.com/flashplayer. Windows users will be presented with a new dialog box during installation prompting them to enable automatic updating.

I highly recommend choosing the option "Install updates automatically when available (recommended)" as there is nearly no downside with keeping your Flash Player up to date.

In addition to the new updater, this Flash update fixes two critical Flash vulnerabilities. The fix for CVE-2012-0772 addresses a memory corruption vulnerability that could lead to remote code execution on Windows 7 and Vista computers.

CVE-2012-0773 is also fixed in this release and addresses another memory corruption bug that can result in remote code execution on all Flash Player platforms. SophosLabs rates this update as high priority considering the history of exploitation of flaws in Flash Player.

I asked my wife to update her Flash Player this evening and she said "I just did that a couple of weeks ago". Yes, Flash updates have been fast and furious lately, but it is better than the alternative. We could be waiting three months for the next Java update.

source: http://nakedsecurity.sophos.com/2012/03/29/adobe-flash-enables-auto-updating-while-patching-two-critical-flaws/



This topic is now archived and is closed to further replies.
