Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in the ubiquitous Web browser plugin. Adobe also issued a security update for its Air software, a central component of several widely-used Web applications, such as Tweetdeck.
The Flash update brings the newest, patched version of Flash to v. 10.0.45.2, and applies to all supported platforms, including Windows, Mac and Linux installations. Visit this link to find out what version of Flash you have. The latest update is available from this link.
Windows users will need to apply this update twice if they use another browser in addition to Internet Explorer. Those users will need to visit the Flash Player Download Page and install the update once with IE, and a second time while visiting that link with Firefox or Opera (the non-IE installer is designed to update Mozilla-based browsers).
Note also that Adobe’s installer typically pre-checks some third party software — such as Google Toolbar or a trial of some anti-virus product — so if you don’t want these “extras,” make sure to uncheck that option before agreeing to install the update.
The security update for Air brings that software to version 18.104.22.1680, available here. More detail about the vulnerabilities fixed in this update is available from the Adobe advisory, which is here.
Adobe today also issued an advisory saying that we can also expect another update bundle for its PDF Reader and Acrobat applications. The company said it plans to issue security updates for those programs next Tuesday, Feb. 16.
I was a little confused why Adobe was issuing these updates today, as Adobe said not long ago that it was moving to a quarterly update cycle, in which patches would be released in sync with Microsoft’s Patch Tuesday, the second Tuesday of the month. Figuring maybe Adobe was rushing out a fix to staunch the bleeding from a flaw that hackers were actively exploiting, I put the following questions to Adobe spokeswoman Wiebke Lips. Here was the gist of that e-mail Q&A:
BK: Can you tell me why these weren’t released on Tuesday? It would seem that this is out of sync with the quarterly schedule Adobe set up to coincide with MSFT’s Patch Tuesday.
WL: The quarterly update cycle is specific to Adobe Reader and Acrobat. (The last quarterly update for Adobe Reader and Acrobat was on January 12, 2010.) Other Adobe product teams work with Adobe’s Secure Software Engineering Team (ASSET) to deliver updates as appropriate—cycles may be different from the patch cycle for Adobe Reader and Acrobat. Today’s updates for Adobe Flash Player and BlazeDS were specifically scheduled to address vulnerabilities in Adobe Flash Player and Blaze DS.
The Flash Player vulnerability also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe decided to make this fix available as an out-of-cycle update.
BK: Is Adobe aware of attackers exploiting any of the vulnerabilities patched in this Flash/Air update, or attacking the vulnerabilities that Adobe plans to patch with the Reader/Acrobat patch next Tuesday?
WL: No on both updates.