Bundling of Flash Player and a bit of irony

One problem with bundling of Flash Player is that users cannot easily address these vulnerabilities simply by installing a new Flash Player version.
9:32 CET on the 12th August 2010
Entry written by Carsten Eiram.

It seems to be becoming popular for software vendors to bundle Flash Player in their products. Adobe has been doing it for a while with Adobe Acrobat and Adobe Reader, and lately Google has also started bundling Flash Player with Chrome.

One problem with bundling Flash Player is that users cannot easily address vulnerabilities simply by installing a new Flash Player version when one is available; instead they have to wait until a new version of the product that bundles Flash Player is released.

Two days ago, Adobe issued a security update for Flash Player, fixing a number of memory corruption vulnerabilities, which could allow execution of arbitrary code when viewing specially crafted Flash content.

Google were quick to issue an updated version of Chrome bundling the latest version of Flash Player to protect their users. They definitely deserve kudos for the fast response time, but it would be more helpful to inform users that it is a security update instead of just stating that it "contains an updated version of the Flash plugin" without mentioning the security impact.

Ironically, while Google were fast to issue an updated version, Adobe has still not issued updated versions of Adobe Acrobat and Adobe Reader, even though it can hardly have come as a surprise to them that an update for Flash Player was issued.

Fortunately, since Charlie Miller disclosed a vulnerability in Adobe Acrobat/Reader at Black Hat, Adobe is scheduling an out-of-band release for next week instead of waiting until the next scheduled quarterly update on October 12th. According to Adobe, this will also include an updated version of the bundled Flash Player, but one has to wonder how long we would have had to wait if they had not been forced to issue the out-of-band release.

In the meantime, users should rename or prevent access to authplay.dll in Adobe Reader/Acrobat to disable support for Flash content in PDF files.
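The workaround above, scripted so it can be applied, verified and later undone on a batch of machines. This is an added example, not code from Secunia or Adobe; the Reader/Acrobat install directories are not given on the page and are passed on the command line, and the `.disabled` backup name is an assumption made here.

```python
# Added example (not from the Secunia post): apply, check and revert the
# authplay.dll workaround for one or more Adobe Reader/Acrobat install dirs.
import sys
from pathlib import Path

DLL_NAME = "authplay.dll"
DISABLED_NAME = DLL_NAME + ".disabled"   # assumed backup name, chosen here


def flash_status(install_dir):
    """Report whether Flash-in-PDF support is 'enabled', 'disabled' or 'absent'
    (no authplay.dll at all, e.g. wrong directory) for one install directory."""
    d = Path(install_dir)
    if (d / DLL_NAME).is_file():
        return "enabled"
    if (d / DISABLED_NAME).is_file():
        return "disabled"
    return "absent"


def disable_flash(install_dir):
    """Rename authplay.dll so Reader/Acrobat can no longer load Flash content.
    Reader/Acrobat must be closed first: a DLL that is loaded cannot be renamed
    on Windows. Returns the resulting status so callers can verify it."""
    d = Path(install_dir)
    src, dst = d / DLL_NAME, d / DISABLED_NAME
    if src.is_file():
        if dst.exists():
            # Never clobber an earlier backup; leave it for the admin to inspect.
            raise FileExistsError(f"refusing to overwrite existing backup {dst}")
        src.rename(dst)
    return flash_status(d)


def restore_flash(install_dir):
    """Undo disable_flash() once a fixed Reader/Acrobat version is installed."""
    d = Path(install_dir)
    src, dst = d / DISABLED_NAME, d / DLL_NAME
    if src.is_file() and not dst.exists():
        src.rename(dst)
    return flash_status(d)


if __name__ == "__main__":
    # Usage: python authplay_workaround.py disable|restore|status <install_dir>...
    action, dirs = sys.argv[1], sys.argv[2:]
    handler = {"disable": disable_flash, "restore": restore_flash,
               "status": flash_status}[action]
    for install_dir in dirs:
        print(f"{install_dir}: {handler(install_dir)}")
```

Running `status` after `disable` on every machine gives a quick inventory of where the workaround is actually in place until the out-of-band update ships.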

Stay Secure,


Carsten Eiram,
Chief Security Specialist

Discuss this blog entry
Billyboy960 (12th Aug, 2010 17:29) RE: Bundling of Flash Player and a bit of irony
I attempted to install the updates (as I was not smart enough to think they would cause any problem) and in so doing made it impossible to play Yahoo games (i.e. Bridge). The system would not load the required applets. Fortunately restoring to an earlier checkpoint solved the problem (after several hours of trial and error reinstalling Adobe Flash). Now that I have read this article I see why I had the problem... thanks.
F_BIG (25th Aug, 2010 19:32) RE: Bundling of Flash Player and a bit of irony
I have found:
1 The GOOD in that the better installers of flash enabled applications will check your version for equal to or greater than some arbitrary version number, then give you the choice of taking the downgrade or not.
2 The BAD apps just ASSUME they know best and force install of the downgrade version.
3 The UGLY application installers HAVE to have a SPECIFIC and often insecure version of flash. - If I wind up with these, and have no choice, I try to make sure that the app will function when I hit the hardware disable switch for my net connection. Also try to use Sandboxie or other virtual machine, if possible.
T
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144