Adobe is releasing a new version of Flash Player today. The update addresses a couple of critical vulnerabilities, but the real news in Flash 11.2 is the set of changes Adobe has made to the background updating mechanics.
From a security perspective, the Flash update should be applied as soon as possible. A post on the Adobe ASSET (Adobe Secure Software Engineering Team) blog cites recent studies such as the September 2011 CSIS Report and volume 11 of the Microsoft Security Intelligence Report to point out that known flaws left unpatched are a much higher risk than zero day exploits.
The flaws addressed are memory corruption vulnerabilities rated as Critical by Adobe. They could cause a crash or potentially allow an attacker to take control of the affected system, and they impact virtually all versions of Flash. Adobe claims that neither of the patched vulnerabilities is being actively exploited at this time, but that can change quickly so you should apply the update.
Within Flash 11.2, though, Adobe also tackles a larger issue, and one that contributes to a security risk of another kind. The ASSET blog post explains, “Attackers have been taking advantage of users trying to manually search for Flash Player updates by buying ads on search engines pretending to be legitimate Flash Player download sites.”
Adobe has improved the background updater tool to streamline the process of keeping Adobe Flash up to date. Users who install Flash 11.2 will be presented with a dialog box to indicate how future updates should be handled.
There are three choices, similar to the options available for Automatic Updates in the Windows operating system:
- Install updates automatically when available
- Notify me when updates are available
- Never check for updates
Unless you select “Never check for updates”, the background updater touches base with Adobe once per day to see if there are any updates available, and handles any updates according to your selection. The Adobe updater uses the Windows Task Manager rather than running as a separate service, so it isn’t consuming additional resources or opening up another potential attack vector.
The best part of the new background updater, though, is that if there are multiple browsers on the PC, the updater will update Flash across all of them, so users don’t have to apply the Flash update multiple times.
As a side note, Adobe is also officially dropping support for Internet Explorer 6. Flash can still be installed on IE6, and will probably work as it always has, but Adobe will no longer be testing or certifying updates on IE6, so users are on their own.