Adobe today announced the release of a set of security updates for its Flash Player software on "all platforms." But the list as initially published this morning was notably missing any discussion of the Flash Player software included in Internet Explorer 10 on Windows 8.
An hour or so later, the reason for that omission became clear, as Microsoft announced the availability of a corresponding update for IE 10.
Adobe's updates are described in Security Bulletin APSB12-22. The fixes cover 25 separate vulnerability disclosures.
The Microsoft update is Security Advisory 2755801, which in turn references a support document covering "vulnerabilities in Adobe Flash Player in Internet Explorer 10 (KB2758994)."
Microsoft's announcements appeared unexpectedly on its Security updates and tools page, where the Flash Player update for Windows 8 for x64-based systems is now available (the x86 version is here). Additional updates are available for Windows Server 2012. For the Windows 8 Release Preview an x86 update and x64 update are available
The IE 10 announcement appeared on the Microsoft Security Response Center Blog, in a blog post by Yunsun Wee, director of Microsoft Trustworthy Computing:
Today we revised Security Advisory 2755801 to address issues in Adobe Flash Player in Internet Explorer 10, in conjunction with Adobe’s update process. Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.
We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.
Adobe's bulletin lists supported platforms individually. Adobe recommens that Windows and Mac users check the Flash version (bookmark this test page). If you are running the following versions or earlier you are vulnerable and need to update:
After applying this security update, the correct version for both platforms should be Adobe Flash Player 11.4.402.287.
Adobe has since updated its security bulletin to include this line: "Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.375.10 for Windows." (Yes, that number is correct; it's out of sync with the other Windows versions.)
Adobe also recommends that users of Adobe AIR 126.96.36.1990 for Windows and Macintosh update to Adobe AIR 188.8.131.5210.
Adobe’s notes specifically cover Google Chrome, which includes Flash as a component. The latest Google Chrome version, which will be available through Google’s auto-updater, will include Adobe Flash Player 184.108.40.206 for Windows and Linux, and Flash Player 11.4.402.287 for Macintosh. (Yes, that’s correct; the Chrome version number also doesn’t sync with the Adobe-released version.)
As of this morning, the current stable version of Chrome included the outdated and insecure Flash Player 220.127.116.111. Likewise, the most recently announced version in the dev channel includes Flash Player includes Flash Player 18.104.22.168, which also needs to be updated.
Update: A post this morning on the Google Chrome Releases blog announced the release to the Stable channel of Chrome 22.0.1229.92, which includes the necessary security fixes.
The bulletin also includes details on Flash updates for Linux and Android-based devices.
Internet Explorer 10 in Windows 8 resembles Chrome in that it includes Flash Player as a built-in component. In fact, Adobe's security bulletin should include an asterisk in its discussion of Windows, because that version number only applies to the ActiveX component and plugin version for Internet Explorer 9 and earlier versions.
Vulnerabilities in Adobe's nearly ubiquitous Flash Player have long been a serious security problem for Windows users. This type of third-party plugin can attack Macs as well, as illustrated by this year's Flashback outbreak (which used Java exploits).
Microsoft took an uncharacteristically long time—exactly one month—to incorporate Adobe’s last Flash security fixes into IE 10. And even that schedule was accelerated.
After that embarrassing delay, Microsoft said it intended to do much better next time:
We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.
Microsoft’s commitment in that announcement was that customers could “expect the following … with respect to Adobe Flash Player in Internet Explorer 10”:
- On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing.
- When the threat landscape requires action outside of Adobe’s normal update cadence, we will also work to align our release schedules. For example, this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release.
Today’s announcement from Adobe comes one day before Microsoft’s regularly scheduled Patch Tuesday, when it releases security updates. The advance notification list published last week did not appear to include this update. This Flash update will be installed automatically using the default Windows Update settings on Windows 8.