SANS ISC: Adobe Flash Player APSB12-07 - 28 March 2012 SANS ISC InfoSec Forums

Adobe Flash Player APSB12-07 - 28 March 2012

Adobe released a critical update today for Flash Player.  

The basic gist is that most of the platforms are exposed to a crash, and a remote attacker can potentially gain control of your system.  Details allude to memory corruption as the cause, which is patched with this update.

Another highlight is that this update comes with an auto-update feature for the Flash player.  The link below seems to only cite this feature for Windows users.  I've not had a chance to hit my OS X systems with this update, so I cannot confirm whether it reaches the Mac.   Post a comment and tell us about this new whistle.

Get further details on this update here:

Flash Auto-update Feature
Adobe Security Bulletins

Many thanks to our readers Michael, Toby, Fred, Rene' and Mike for keeping on top of things and sending in links to us.  

Keep it coming!
ISC Handler on Duty
Kevin Shortt

85 Posts
ISC Handler
Mar 28th 2012
Two things: The background updater for Macs is still under development and will be released at a future date.

And, all indications are that the silent updater will not be used for all patches. They seem to be targeting zero days only.

Uhley cautioned that not every update would use the new mechanism.
I do want to note that we are not promising that all Flash Player updates going forward will be completely silent. We will be making the decision to silently install on a case-by-case basis. For instance, any update that changes the default settings of Flash Player will require confirmation from end-users even if they have already agreed to allowing background updates. Today’s update is an example of where confirmation would be required since we are changing how updates get applied to the user’s machine. However, we could apply a zero-day patch without requiring end-user confirmation, so long as the user has agreed to receiving background updates. Adobe will also continue to release feature-bearing releases that will trigger an update notification to users that highlight new and exciting features to the Flash Player.

19 Posts
So now we have an installer adding another scheduled task and service just to update a browser plugin?

BTW, both the sched' task and service remain even if you select the "never" option.

Here's a novel idea, maybe it's time for Adobe to spend some time doing code review and write some secure code. All these security flaws in a browser plugin? Come on folks.
13 Posts
The new version of the plugin crashes on my Kubuntu 10.04.4 LTS desktop when trying to use Google Streetview.

50 Posts
