IDG News Service - Adobe released Flash Player 11.2 on Tuesday, addressing two critical arbitrary code execution vulnerabilities and introducing a silent update option.
One of the patched vulnerabilities stems from how older versions of Flash Player check URL security domains, and only affects the Flash Player ActiveX plug-in for Internet Explorer on Windows 7 or Vista.
Both vulnerabilities can trigger memory corruption and can be exploited to execute arbitrary code remotely. However, Adobe is not aware of any exploits for these flaws being used in online attacks at this time, said Wiebke Lips, Adobe's senior manager of corporate communications.
Users of Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh, Linux and Solaris are advised to update to the new Adobe Flash Player 11.2 for their respective platforms. Users of Adobe Flash Player 188.8.131.52 for Android are advised to update to Flash Player 184.108.40.206.
Flash Player 11.2 also introduces a new updating mechanism that can be configured to check for and deploy updates in the background automatically, without requiring user interaction. The feature has been in Adobe's plans for a long time and is expected to decrease the number of outdated Flash Player installations that attackers can target.
"The new background updater will provide a better experience for our customers, and it will allow us to more rapidly respond to zero-day attacks," said Peleus Uhley, platform security strategist at Adobe, in a blog post on Tuesday. "This model for updating users is similar to the Google Chrome update experience, and Google has had great success with this approach. We are hoping to have similar success."
The move was welcomed by Thomas Kristensen, chief security officer at Secunia, which develops the popular Personal Software Inspector (PSI) patch management program.
"A silent and automatic updating mechanism for Flash would help the majority of users. A more consistent and rapid updating of the user base is likely to impact the attackers' preferences for Flash," he said.
Of course, this will only happen after the vast majority of users upgrade to Flash Player 11.2 or a later version using the old method that requires explicit approval.
When Adobe Flash Player 11.2 is installed, users are asked to choose an update method. The available choices are: install updates automatically when available (recommended), notify me when updates are available, and never check for updates (not recommended).
The silent updater will try to contact Adobe's update server every hour until it succeeds. If it receives a valid response from the server that no update is available, it will wait 24 hours before checking again.
For now, the automatic update option is only available for Flash Player on Windows, but Adobe is working on implementing it for Mac versions as well, Uhley said.
However, even if the automatic update option is enabled, Adobe will decide on a case-by-case basis which updates will be deployed silently and which won't. Those that change the Flash Player default settings will require user interaction.