One problem with bundling of Flash Player is that users cannot easily address these vulnerabilities simply by installing a new Flash Player version.
9:32 CET on the 12th August 2010 Entry written by Carsten Eiram.
It seems to become popular for software vendors to bundle Flash Player in their products. Adobe has been doing it for a while with Adobe Acrobat and Adobe Reader and lately Google also started bundling Flash Player with Chrome.
One problem with bundling of Flash Player is that users cannot easily address vulnerabilities simply by installing a new Flash Player version when available, but instead have to wait until a new version of the product bundling Flash Player is released.
Two days ago, Adobe issued a security update for Flash Player, fixing a number of memory corruption vulnerabilities, which could allow execution of arbitrary code when viewing specially crafted Flash content.
Google were quick to issue an updated version of Chrome, bundling the latest version of Flash Player to protect their users. They should definitely have kudos for the fast response time, but it would be more helpful to inform users that it is a security update instead of just stating that it "contains an updated version of the Flash plugin" without mentioning the security impact.
Ironically, while Google were fast to issue an updated version, then Adobe has still not issued updated versions of Adobe Acrobat and Adobe Reader even though it can hardly come as a surprise to them that an update for Flash Player was issued.
Fortunately, since Charlie Miller disclosed a vulnerability at Black Hat in Adobe Acrobat/Reader, then Adobe is scheduling an out-of-band release for next week instead of waiting until the next scheduled quarterly update on October 12th. According to Adobe, this also includes an updated version of the bundled Flash Player, but one has to wonder how long we would have had to wait if they weren't forced to issue the out-of-band release.
In the meantime, users should rename or prevent access to authplay.dll in Adobe Reader/Acrobat to disable support for Flash content in PDF files.
Carsten Eiram, Chief Security Specialist
Discuss this blog entry
A new thread in our forum is created. Activate the thread by
Subject: Bundling of Flash Player and a bit of irony
Score: 1 Posts: 1 User Since: 9th Jul 2009 System Score: N/A Location: N/A Last edited on 12th Aug, 2010 17:29
I attempted to install the updates (as I was not smart enough to think they would cause any problem) and in so doing made it impossible to be able to play Yahoo games (i.e. Bridge). The system would not load the required applets. Fortunately restoring to an earlier checkpoint solved the problem (after several hours of trial and error reinstalling Adobe Flash. Now that I have read this article I see why I had the problem...thanks.
Score: 4 Posts: 19 User Since: 14th May 2009 System Score: 100% Location: US Last edited on 25th Aug, 2010 19:32
I have found:
1 The GOOD in that the better installers of flash enabled applications will check your version for equal to or greater than some arbitrary version number, then give you the choice of taking the downgrade or not.
2 The BAD apps just ASSUME they know best and force install of the downgrade version.
3 The UGLY application installers HAVE to have a SPECIFIC and often insecure version of flash. - If I wind up with these, and have no choice, I try to make sure that the app will function when I hit the hardware disable switch for my net connection. Also try to use Sandboxie or orther virtual machine, if possible.
-- :: PSI 188.8.131.5203 == 0 Insecure, 0 End of Life & 273 patched programs, with 9 directories and 6 executables ignored.
Win7Ult32(x1), XPProSP3(X2+1 VM), System Suite 11, PSI, Firefox5.0+add-ons
Prog count hist: 1.5.xx ~600; 1st PSI2.0B ~300+; PSI184.108.40.2063 ~280;
Was this reply relevant?
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.