Category Archives: Adobe

Windows 8 Internet Explorer shipping with vulnerable Flash

Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.

Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.

Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.

Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. Which means Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.

Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.

Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.

If you are using Windows 8 or plan to start using it soon, your options are:

  • Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
  • Disable Flash in Internet Explorer 10, assuming this is even possible.
  • Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.

Another new version of Adobe Flash

Yesterday, in yet another attempt to finally get it right, Adobe announced a new minor release of its ubiquitous (and problematic) Flash player for all platforms. The new release takes us from the 10.3 series to 10.4.

Additional details are available in the in the related Security Bulletin.

As usual, the new version addresses security issues that could lead to attacks on systems running older versions. It also includes a few new features; the release notes cover all the changes.

Windows and Mac users should update to the new version (11.4.402.265) as soon as possible. Attacks based on this vulnerability are spreading fast on the Internet.

More evidence of shoddy programming by Adobe

Apparently some Google employees decided to test Adobe Reader after they found several security-related bugs in the PDF reader code used in Google Chrome. They found sixty issues that cause crashes, about forty of which could provide attack vectors.

Bugs, crashes and security issues in Adobe software are nothing new. But given the frequency and number of updates for Reader, one might assume that Adobe had a handle on these issues. The ongoing crashing problems with Flash on Windows 7 indicate otherwise, as does this new revelation from Google.

Updates for Adobe Flash, Shockwave and Acrobat Reader

Adobe issued several new bulletins today.

First up is Adobe Acrobat and Acrobat Reader. Adobe security bulletin APSB12-16 announces Reader and Acrobat versions 10.1.4 and 9.5.2, which address a specific crashing problem that could allow an attacker to gain control of affected computers.

Next is Adobe security bulletin APSB12-17. This bulletin announces version 11.6.6.636 of Shockwave. Once again, the new version addresses a security issue.

Finally, a new version of the Flash player is announced in Adobe security bulletin APSB12-18. The new version is 11.3.300.271, and it addresses yet another crash-leading-to-possible-exploit security problem. As mentioned previously here, Google Chrome users will receive the new version of Flash for Chrome with the latest version of that browser. It remains to be seen whether this latest fix will resolve the long-standing crashing problems with the Flash player on Windows 7 systems.

Latest Chrome browser includes more stable Flash

According to Google’s Chromium blog, the most recent version of the Chrome web browser (21.0.1180.60) includes a new version of Flash that uses a more stable technology for integration into the browser.

According to Google:

Beyond the security benefits, PPAPI has allowed us to move plug-ins forward in numerous other ways. By eliminating the complexity and legacy code associated with NPAPI, we’ve reduced Flash crashes by about 20%.

That sounds promising. Given the massive, ongoing problems with Flash in all browsers, it’s encouraging to see any kind of progress. Of course, this only affects Chrome. Also, it would be nice to see crashes reduced by a number approaching 100%. Oh well.

Update for Flash Player Update Service

If you use Adobe Flash Player on Windows (and who doesn’t, really?) you may have noticed that recent versions include an auto-update system. This software runs on your computer in the background, checks for new versions of Flash, and optionally updates Flash automatically. It’s called the Flash Player Update Service.

Yesterday, Adobe released an update for the Update Service to address a crashing problem in the service. The Flash player itself was not changed, and no other changes were made to the Update Service.

So, despite the fact that this update to the Update Service does not affect Flash itself, Adobe packaged the update in a ‘new’ version of Flash: 11.3.300.270. Confusingly, this ‘new’ version of Flash will not appear on the Product Download Center, although it will appear on various other pages on the Adobe web site. At the time of this posting, the Download Center still shows version 11.3.300.268. Apparently the Update Service crashing issue was so serious that Adobe didn’t have time to get everything right.

Note that this crashing problem is totally unrelated to the ongoing crashing problems of the Flash player itself. In the 11.3.300.270 announcement, Adobe refers to the Flash player crashing problem, asking users to provide crash reports to assist in diagnosing it. A previous Flash player update (11.3.300.268, released July 26, 2012) was Adobe’s most recent attempt to resolve the player’s crashing problems.

Flash is crashing most browsers on Windows 7

Since I originally posted this, I learned that Adobe released version 11.3.300.268 to address this problem. It remains to be seen whether the problem has actually been resolved.

The latest version (11.3.300.265) of the ubiquitous Flash plugin found in most web browsers seems to be causing web browsers running on Windows 7 and Vista to crash. A quick search of Google shows that there are reports of this happening in Firefox, Chrome and Opera. Internet Explorer seems unaffected so far, possibly due to the fact that IE uses a separate (ActiveX) version of the Flash player.

Reports indicate that Mozilla is working with Adobe to resolve this problem, and presumably the other browser developers are doing the same. Meanwhile, if you’re running Windows 7 and you watch video on the web, you may run into this problem. As awful as it sounds, the only useful workaround at this point is to switch – temporarily – to Internet Explorer.

Update 2012Jul31:
I’ve been digging through reports from all over the web, and it looks like this problem has actually been going on since as far back as 2009 and Flash 10.0.42.34. Internet Explorer may also be affected, although recent reports seem to exclude IE. Some reports imply that only 64 bit versions of Windows are affected. There are even reports that Windows XP and Mac OSX are affected. But it seems clear that something happened to Flash in version 10 that made it unstable in web browsers on Windows 7 and Vista, and the problem still exists in the most recent version of Flash, 11.3.300.265. It’s possible we’re looking at more than one problem, or one that has morphed somewhat as the Adobe developers try to fix it. An old problem that was previously fixed may have reappeared when Adobe changed something in a later version. Clearly, not all Windows 7 users are affected; if everyone who uses Youtube (the highest-profile Flash video source) on Windows 7 was having this problem, we would have heard more about it by now.

The problem seems to take slightly different forms: it may crash the browser; the plugin itself may crash, leaving the browser running; and in some cases Windows may crash. The web browser may freeze for a few minutes before any crash occurs, and Windows may become unresponsive. In most cases, the problem occurs after two or three minutes of Flash video, but it make take up to fifteen minutes. The most common scenarios involve long Youtube videos and Facebook games (both use Flash).

Here are some of the more interesting problem reports I’ve found:

Possible solutions:

  • Try Internet Explorer. I know, yuck. But it’s only temporary.
  • Uninstall all Flash software, then install Flash 9. This ancient version is apparently the last one that didn’t have these crashing problems. Again, this is temporary. You should upgrade to the latest version once Adobe finally fixes this problem.
  • Adobe recommends uninstalling both Flash and Shockwave, then rebooting your PC, then installing the latest versions of Flash and Shockwave.
  • Disable your anti-virus software. This is not recommended, although it may be useful as a test.
  • Disable all non-Microsoft startup programs using MSCONFIG. If that works, re-enable each startup program one at a time until the problem recurs.
  • Disable hardware acceleration in the Flash settings.
  • Disable “Enable Web Download & Recording for these installed browsers” in RealPlayer (yes, in Realplayer). Some recent Flash installers include a link to a page on the Adobe support site about an incompatibility between Flash and RealPlayer, and this is the recommended solution.
  • Revert to Flash version 10.3.183.20.

Prediction: if Adobe doesn’t figure this out, and Google has heard enough complaints about it, Google might be inclined to switch Youtube from Flash to HTML5. Everyone else in the world will follow Youtube, and then Flash will disappear forever and not be missed.

Update 2012Aug03: Adobe snuck a Flash update past me on July 26. Version 11.3.300.268 attempts to address crashing problems that occur on Windows and Mac computers when playing Flash content. Adobe doesn’t seem to be convinced that the problem is resolved, however: in the version announcement, they ask users for assistance in troubleshooting the problem.