Adobe released Flash Player 11.2 on Tuesday, addressing two critical arbitrary code execution vulnerabilities and introducing a silent update option.
One of the patched vulnerabilities stems from how older versions of Flash Player checks URL security domains, and only affects the Flash Player ActiveX plug-in for Internet Explorer on Windows 7 or Vista.
Both vulnerabilities can trigger memory corruptions and can be exploited to execute arbitrary code remotely. However, Adobe is not aware of any exploits for these flaws being used in online attacks at this time, said Wiebke Lips, Adobe’s senior manager of corporate communications.
Users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris are advised to update to the new Adobe Flash Player 11.2 for their respective platforms. Users of Adobe Flash Player 11.1.111.7 for Android are advised to update to Flash Player 11.1.111.8.
Flash Player 11.2 also introduces a new updating mechanism that can be configured to check for and deploy updates in the background automatically, without requiring user interaction. The feature has been in Adobe’s plans for a long time and is expected to decrease the number of outdated Flash Player installations that attackers can target.
“The new background updater will provide a better experience for our customers, and it will allow us to more rapidly respond to zero-day attacks,” said Peleus Uhley, platform security strategist at Adobe, in a blog post on Tuesday. “This model for updating users is similar to the Google Chrome update experience, and Google has had great success with this approach. We are hoping to have similar success.”
The move was welcomed by Thomas Kristensen, chief security officer at Secunia, which develops the popular Personal Software Inspector (PSI) patch management program.
“A silent and automatic updating mechanism for Flash would help the majority of users. A more consistent and rapid updating of the user base is likely to impact the attackers’ preferences for Flash,” he said.
Of course, this will only happen after the vast majority of users upgrade to Flash Player 11.2 or a later version using the old method that requires explicit approval.
When Adobe Flash Player 11.2 is installed, users are asked to choose an update method. The available choices are: install updates automatically when available (recommended), notify me when updates are available, and never check for updates (not recommended).
The silent updater will try to contact Adobe’s update server every hour until it succeeds. If it receives a valid response from the server that no update is available, it will wait 24 hours before checking again.
For now, the automatic update option is only available for Flash Player on Windows, but Adobe is working on implementing it for Mac versions as well, Uhley said.
However, even if the automatic update option is enabled, Adobe will decide on a case-by-case basis which updates will be deployed silently and which won’t. Those that change the Flash Player default settings will require user interaction.
The new updater will update all Flash Player browser plug-ins installed on the system at the same time. “This will solve the problem of end-users having to update Flash Player for Internet Explorer separately from Flash Player for their other open-source browsers,” Uhley said.
In addition to keeping the Flash Player install base up to date more easily and reducing the time required to effectively respond to zero-day attacks — attacks that exploit previously unknown vulnerabilities — the new silent updater could also reduce the number of scams that distribute malware as Flash Player updates.
“The pretext of a Flash Player update has been intensively used by cyber-crooks to lure users into downloading malicious content,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender. “By eliminating the update wizard, users will likely get more difficult to con on the pretext of a legitimate update required by an application they trust.”
Unfortunately, this silent update model can’t be applied to all applications, Botezatu said. He gave the example of Internet Explorer 6, which Microsoft is trying to phase out, but that companies still widely use because their business applications are dependent on it and don’t work on newer versions.
Adobe is doing its part to convince users to move away from Internet Explorer 6 by dropping support for the browser from upcoming Flash Player versions. “We will no longer include testing on Internet Explorer 6 in our certification process and strongly encourage users to upgrade to the newest version of Internet Explorer,” Uhley said.