Security → Security updates: Adobe Shockwave, Reader/Acro, Flash Player

quote:

---

Adobe Security Bulletins Posted

Today, we released the following Security Bulletins:

• APSB12-16 – Security updates available for Adobe Reader and Acrobat

• APSB12-17 – Security update available for Adobe Shockwave Player

• APSB12-18 – Security update available for Adobe Flash Player

Customers of the affected products should consult the relevant Security Bulletin(s) for details.

---

»blogs.adobe.com/psirt/20 ··· d-2.html

The Release notes for Flash Player 11.3.300.271 are here: »helpx.adobe.com/flash-pl ··· 1_3.html

Downloads (.exe and .msi (no bundled extras): »www.adobe.com/products/f ··· on3.html

---------------------------------

The Release notes for Adobe Reader/Acrobat are available here: »helpx.adobe.com/acrobat/ ··· der.html

»Adobe Flash Player 11.3.300.271

Looks like the security fix may only be for the ActiveX player only:

Adobe - Security Bulletins: APSB12-18 - Security update available for Adobe Flash Player
»www.adobe.com/support/se ··· -18.html

Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

The MSI installer for the 11.3.300.271 version plugin is exactly the same size as the 11.3.300.270 MSI installer. Might only be a change in version numbers.

08/06/2012  06:14 AM        10,895,872 install_flash_player_11_plugin_11.3.300.270.msi
08/12/2012  03:39 AM        10,895,872 install_flash_player_11_plugin_11.3.300.271.msi
 

Thanks chazzy.

Argh! Today is updates day! MS and Adobe. Argh. I hope Oracle and others don't release theirs today! :P

The only link I use.

Let's see-6 updates from Microsoft on each of 3 XP computers, Adobe Flash update, Adobe reader update, and Adobe Shockwave update. Well, I did not feel like doing anything else with my day anyway.

Reader X adds: AdobeARM.exe to MSCONFIG not required to run and update normally.
Javascript is also re-started via preferences for those not wanting Reader X running JS.

Oracle released Java 7 update 6 today with others.

Oracle released Java 7 update 6 today and others.

you should create a new thread for this..

Neither of the new Java JREs released today (7u6, 6u34) appears to have any security fixes.

Java™ SE Development Kit 7 Update 6 Release Notes
»www.oracle.com/technetwo ··· 681.html
Java™ SE Development Kit 6 Update 34 Release Notes
»www.oracle.com/technetwo ··· 733.html

i was disappointed to not see an update for "flash player 10"..

the security-advisory didn't mention anything about "flash player 10".. they could have said that "flash player 10" wasn't vulnerable and so it wasn't being updated or that they were discontinuing support for it and so it wasn't being updated..

Of course size means nothing.
They are physically different (I looked at the dll's) though that could certainly be attributable to recompile changes accounting for the version number & digital certificate alone - or not?

A binary compare wasn't too fruitful, & a strings compare while still different, revealed nothing nothing notable, for as far as you can go with that.

Indeed. ever since Adobe released Flash 11.3 it's been video/audio sync issues and lag when running full screen hence why I still use 10.3.183.20.

Install issues here for the first time ever:
I had to turn off KIS A/V protection to install it for Opera.
I didn't bother checking the processes to see if it was web or file related. But did check other possibilities till it was confirmed as an A/V issue.

Did anyone else see this?

adobe says the vulnerability that was patched only effects the activex version of flash player, for IE, so, since there isn't an update for "flash player 10" (i don't know if it needs to be updated or not), i just disabled "flash player" in IE.. no problems..

i hardly ever use IE.. i only use IE for "windows updates" and at two websites that require an activex-control to run, and i don't have any problems with using any of the websites with "flash player" disabled..

For the record it wasn't the full installer, it was via the stub installer.
Certification authentication failed / Invalid certificate would be an issue with rights when KIS "Scan SSL connections" is set then.

I have not tested that though and is speculation, but seems the most plausible reason as I do not always have this checked for on and it is the first time from memory I have had this failure.

I got the AdobeARM.exe startup, but not the Javascript reenabling in Preferences after updating Reader X to 10.1.4.

Flash Player 10.3.183.20 was not impacted by this security issue and was not updated.

This is good ! Thanks for the screenshot, everyone should use this as a guuide not to allow JS in Reader X.

i got a reply from adobe saying that the reason "flash player 10" was not updated, with this newest release of updates, was because it did not have the same vulnerability that was patched with the latest version of "flash player 11", and that "flash player 10" is still supported..

p.s. chachaz, i see your post, above, now, about flash player 10's not having the vulnerability that was patched with the newest version of "flash player 11"..

Concerning Flash...Yep, same here. No nonsense installers.
I also use the latest Flash Uninstaller first, which will always have the same version number as the latest Flash release. (Just a creature of habit).
»helpx.adobe.com/flash-pl ··· nstaller

Something else I've noticed. (Especially if you install Flash fresh like I do).
Even though Flash has Control panel settings now, I've often found that even when I un-tick "do not check for updates" (or whatever it is), during installation, it's often still configured to auto-update.
If not in the control panel app, there are also often conflicting settings in the On-line settings manager:
»www.macromedia.com/suppo ··· r02.html
Many people don't even check that anymore, but many times I've found conflicting settings between that, and the control panel applet, so I always check both. Just sayin'

Oh, and thanks Chazz...got this a couple of days ago...just thought I'd add a little bit more boring reading to the thread.