
Macromedia Flash Update Prompts an SF Rant

A newly released version of Adobe's Macromedia Flash Player fixes at least two security flaws in the program that more than 200 million people have installed on their computers.

Security vendor Fortinet released two advisories calling attention to the vulnerabilities, one of which it said could let bad guys hijack your browser and possibly your computer if you were to merely browse a Web site that took advantage of the flaw.

The flaws are present in Macromedia Flash Player v8.0.24.0 and earlier versions. The new version, released on June 28, is v9.0.16.0, downloadable here. You can check which version you have installed by visiting this page. The patch should update Internet Explorer, Firefox, Netscape or Opera, depending on which one is set as your default browser.

Soap box alert: Adobe needs to get its act in gear and ship an auto-updater for its Flash and Shockwave media players. Most people have some version of Flash installed in their Web browser, mainly because it is used to display visual content on so many Web sites.

Putting aside its ongoing tussle with Microsoft over the fate of Acrobat Reader in future versions of Windows, Adobe recently teamed with Microsoft to have a previous update that fixed a bundle of security flaws shipped as a security update from Microsoft.

Both companies are to be commended for cooperating to keep customers protected from flaws that bad guys have been quick to exploit in the past, but this should be the rule, not the exception, and it should come from Adobe, not Microsoft. Adobe has the brains and the infrastructure in place to make auto-updating a reality, and it is long overdue. Heck, even Mozilla is now working to develop its own auto-updater to check and see whether users have the latest version of Flash installed.

Adobe Reader already has (a sometimes kludgy) mechanism that checks for updates when the user starts the program, and Adobe Flash Product Manager Emmy Huang recently commented on Security Fix that Adobe was working on making that a reality for Flash and Shockwave. It's a good idea we're still waiting for the company to implement. Emmy, any updates?

By Brian Krebs |  July 7, 2006; 11:35 AM ET  | Category:  New Patches


Comments




Thanks, Brian.

I understand this product is necessary for YouTube. I have the 8.0.24 version and with my Opera browser YouTube does not display videos. Do I need to update for this to work as well?

Posted by: Bartolo | July 7, 2006 01:24 PM

Bartolo, No idea what YouTube's requirements are: my guess is it will run w/ any recent version of Flash. However, you are running 8.0.24, which is outdated. You should upgrade, as the Flash upgrade will update your Opera browser, if you have it set as the default browser on your machine.

Posted by: Bk | July 7, 2006 02:05 PM

What about Safari on OS X?

Posted by: EJ | July 7, 2006 04:56 PM

Adobe has a long and unfortunate history of attempting to hide security fixes. This gives us the worst of both worlds. Binary diffs across the updates point attackers right at exploits, while we busy sysadmins don't know we've a security update to apply. Ouch.

Also, past discussion, including the PR blats about automatic updates from Adobe spokespeople, misses the boat. Users increasingly aren't going to have admin privs to install updates, and the Adobe software won't be installed suid. Sysadmins thus need to be notified about which updates are security fixes so they can build and push the MSI via WSUS or group policy on Windows, push the install on Macs using remote desktop or ssh, etc.

Finally, what's the idea with including security updates in unrelated (and major) feature upgrades? Security updates must instead be specific to security issues. They need to be small and efficient to apply without the extra headache of the feature misses that come with entirely new versions of a package.

I hope Adobe will get their act together on 1) disclosing security updates and 2) providing security fixes that don't also blang us with major feature changes. Moreover, I hope they do so soon, before we have to throw in the towel and ban their products as demonstrably unsecurable and therefore too dangerous to use.

Posted by: Richard Johnson | July 7, 2006 07:18 PM

I vaguely recall a very early version of Flash having an auto-update feature... or maybe it was the Shockwave plug-in. Either way...

Posted by: Jake Barlow | July 7, 2006 07:54 PM

I don't know if I would trust the updater at all. For the 4th time I have tried to upgrade to the newest version and it still only says I have version 8. Does anyone have any ideas or suggestions that will work to correct the problem?

Posted by: DB | July 7, 2006 10:28 PM

Well I'm not sure what happened but it finally updated to the newest version.

Posted by: DB | July 8, 2006 12:48 AM

How does the update work for the non-default browser? Firefox updated fine, but not IE, Opera, or Netscape. (Yes we use them all to check things at work).

Thanks!

Posted by: jon | July 8, 2006 09:38 AM

Jon, Just open up each browser and visit the install link. Then check your version to see if it updated by clicking on the version link above. If you updated but it doesn't say so, try closing out all browser windows and restarting the browser.

Be aware that if you try to install this update on IE, it will prompt you to also install the Yahoo! toolbar. You can uncheck that before installing, as the Yahoo thing isn't necessary for this update.

Posted by: Bk | July 8, 2006 11:01 AM

brian,
thanks for covering our backs.

i went to the link in your blog/column and it says Flash Version 9 is a 'beta' for Macs.

i usually avoid betas. is it worth taking the chance here?

tom rusch

Posted by: ValleyDriver | July 8, 2006 03:46 PM

I recently installed WinSP2, and see that it has a Permanently Block Flash Update Downloads function. I have tried downloading it about a dozen times, with no results. On the rare occasion that a gold security bar appears, authorizing the download has no effect. Thanks SP2, for making me _less_ secure.

Posted by: John Johnson | July 8, 2006 09:46 PM

I take back my previous outburst, because I finally got the Flash update to download and install.

Posted by: John Johnson | July 8, 2006 10:33 PM


Thanks so much for posting this and giving the link to download the newest version. I actually have been having trouble with my Microsoft Update on this particular update. I was able to successfully install the new Flash Player (finally!). Thank you!

Posted by: Kelly | July 10, 2006 11:24 AM

I can't seem to upgrade to v9.0 (without the Yahoo toolbar) having attempted numerous times...even tried with the Yahoo toolbar...guess what?...the toolbar installed but not v9.0!

Posted by: george | July 10, 2006 03:52 PM

Thanks Brian, I had a really old V6 of Flash Player on IE. Firefox had a V8. Both are now updated to V9. Thanks again. I don't know where else I would get security information about these 3rd party programs that run "under the covers" and can leave security holes open.
Rich B.

Posted by: dbm1rxb | July 10, 2006 05:13 PM

Hello Brian...Don't waste your time trying to give yourself a headache on trying to find where did the contents of my articles in my word document came from. They did not come from [WireTap] or buggy bugs in hotel rooms or whatever you're thinking about it. What are they and who are they? They are real "Aliens in human disguised" who visits me and talk to me according to their own time and space. Do you believe in what I'm saying is true? You have to experience it yourself to find out the facts and amazing discovery that they came from the [Dark Matter] of the Universe. They split themselves into multiple identities and marked their chosen at the back of their heads. Their problem is how to see me in person to see that mark.

Posted by: carolina | July 10, 2006 10:01 PM





 
 

© 2006 The Washington Post Company