FLASH Adobe Forward to v10.1

Consider immediately upgrading to Adobe Flash v10.1.Sharable Shortlink

June 10th, 2010 UPDATE:
Adobe dealt with the recent problems in v10.0.x.x of their always-troubled FLASH player by dropping it in favor of releasing v10.1 (Get v10.1 Here). Since this page had recommended doing exactly that four days earlier, anyone following this advice is already protected.
Note, also, that Adobe now says that the troubles with Reader and Acrobat will be allowed to persist until June 29th. So you should follow the recommendations below about Reader and Acrobat if you wish to protect yourself until those are updated.

Flash Broken AgainSECURITY ALERT: The threat posed by the new zero-day (no warning, discovered by its active exploitation “in the wild” against users) flaw in all released versions of Adobe’s FLASH player — on all OS platforms — which can also be vectored through malicious PDF files to invoke FLASH, appears to be growing rapidly.

The bad guys are jumping on this one hard and fast.

Given that Adobe first learned of this problem a little after 10 AM Friday morning, June 4th, and that their quickest previous response to a similar threat was 15 days, the world may be waiting several weeks for a fix from Adobe.

Two things must be done for you to be safe:

• First: The good news is that the next major release of FLASH, version 10.1, is reportedly NOT vulnerable to this attack. Although v10.1′s release is not yet official, it has had seven release candidates and is currently very stable and usable. Therefore, anyone whose Internet usage might subject their machines to malicious FLASH content (depending upon how widely you surf the web) would be well advised to install the next major release of Adobe’s FLASH player, version 10.1, immediately. You can find additional information, and everything you’ll need at the following Abode Labs link:
http://labs.adobe.com/technologies/flashplayer10/

• Second: (Windows ONLY) Both Adobe’s Reader and Acrobat contain their own built-in and equally vulnerable copies of FLASH in a file called “authplay.dll” (and most people have Adobe’s free Reader installed.) This allows PDF documents to contain and “play” embedded FLASH content — even though only malicious hackers ever do that. If by any chance you are still using version 8 of Reader or Acrobat, you are safe. But any 9.x and later versions are vulnerable. Therefore, the best thing to do would be to rename any copies of “authplay.dll” on your system to “authplay.xxx” so that your system won’t be able to find them. Once new versions of Reader and Acrobat are available they will bring a repaired copy of “authplay.dll” and all will be fine (at least until the next vulnerability is found). The “authplay.dll”s are typically found at:
C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
You may also wish to search your system drive for any files of that name and rename them. Adobe’s vulnerability advisory is available here:
http://www.adobe.com/support/security/advisories/apsa10-01.html

Steve's Sig

This entry was posted in Uncategorized. Bookmark the permalink.

120 Responses to FLASH Adobe Forward to v10.1

  1. Paul says:

    This is sooo not helping their case.

  2. Fausto says:

    I don use Flash any more, thats the best action we can take, don u think? :-)
    Thanks for the info Steve and nice weekend! @FaustoCepeda

    • Jack C. Holt says:

      Asking me not to use flash would be like asking me to give up my mobile phone; I’d be missing out on too much wonderfulness. Just because Steve Jobs says its possible doesn’t make it so.

      For instance, I listened to a radio station that I love just this morning on my Nexus One running Android 2.2 (and Flash 10.1 beta). This would not have been possible without Flash. Too much wonderful web content is in Flash.

      Have fun feeling deprived.

      • Always a bad seed in a batch of intelligent folk…. well, all but, ummm.. one!!! haha! Radio, vs trashware….. Geewiz Mr Wilson, I’ll do that too, can we call it the “deprived idiot club?” And Steve, i appologize over my choice over my choice of vocabulary…. But Gosh dernnit, that shoe fits “custom, tylor made with some people. Lets hold hands, and wish it doesnt breed anymore.

  3. Frank Garrett says:

    How do we know that we’ve not been stung by the exploit already?

    (on Mac OS X in my case).

    • Steve Gibson says:

      Exploits using this against Windows will likely be MUCH more prevalent than against ANY of the non-Windows platforms. Frankly, OS X users probably have very little to fear.

      • Frank Garrett says:

        Thanks. Regardless, I’m just going to delete the Flash plugin from my system.

        It’ll be a bummer not to be able to watch certain videos, but that can be a prompt to get back to work instead ;-)

      • barbara austin says:

        Thank you, Steve. (and Leo LaPorte).Download done; unknown if damage is done. I do no online banking/purchases, except though Apple, which, so far appears to be solvent. I check my bank stmnts—again, thanks – we’ll see what jells. Barbara Austin

  4. Pingback: Adobe Flash Update « Gulf States Conf IT Help

  5. DP - San Diego says:

    The Adobe security advisory also discusses how to mitigate the same vulnerability in Reader and Acrobat.

    http://www.adobe.com/support/security/advisories/apsa10-01.html

    “Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
    “The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.”

  6. Aaron says:

    $5 says Apple had something to do with this exploit. ;)

    j/k Thanks for the alert, Steve! All 3 of my PCs are up-to-date now.

  7. Demonsub says:

    Looks like I’ll be doing most of my surfing on my iPad. No flash worries there.

  8. Pingback: Planet mezZ » Flash Critical Flaw “Fix”

  9. Scott says:

    Oh, Steve, you missed your chance at a Sci Fi reference in this post – to FlashForward. ;)

  10. Jay Maines says:

    Thanks for the heads up on Flash 10.1. I have been having nothing but problems with Flash using FireFox after I installed Adobe CS3 on this machine. Tried everything I could think of short of removing CS3. I was forced to use IE8 but the beta 10.1 fixed the problem.
    Thanks again
    Jay
    Up the road in Irvine

  11. Barry K. Nathan says:

    (Excuse my use of all-caps below, but I’m starting to get frustrated.)

    As DP – San Diego mentioned, you have to take separate action for Adobe Reader (and Acrobat).

    In fact, updating Flash to 10.1 WILL NOT update the copy of Flash built into Adobe Reader (the one in authplay.dll). Try checking the version number of that file in Properties (in Windows Explorer) after updating to Flash 10.1, if you don’t believe me. :(

    Oh, by the way, Adobe Reader does have a preference setting for shutting off Flash — but that pref doesn’t really work, so Flash can compromise Reader EVEN WHEN IT’S SHUT OFF. (See the crossed-out text and the following paragraph or two on that page.) That’s why you have to mess with the authplay.dll file.

    And, AFAIK (I’ll double-check this later today), uninstalling Flash does nothing about Reader’s built-in (authplay.dll) copy.

    I feel kind of like making a small freeware utility, GRC-style, to deal with this. That’s not a commitment that I’ll make such a program, but I might in a day or two if I can find the time.

    • Steve Gibson says:

      Thanks for the great sleuthing Barry! It would sure be nice to have a benign proof-of-concept demo that safely exploits the vulnerability in order to know — and test — what’s going on. But I have confirmed that the “authplay.dll” is, in fact, the Adobe Flash Player… in my case it’s version 10.0.42.34. So it appears that in addition to updating to the pre-release FLASH player (in order to retain FLASH plug-in functionality), it will be necessary to follow the mitigation advice on Adobe’s site and rename the authplay.dll to keep it out of harm’s way. Then, once Adobe has an update, it ought to reinstall a new and hopefully safe(r) authplay.dll!

    • JPlumber says:

      I gather that Google Chrome now contains its own copy of the Flash plugin and uses that instead of the system one. What a mess.

  12. Kyle says:

    How concerned should NoScript/AdBlock Plus users be? I’m aware it’s probably a site-by-site case, but just as a hypothetical, this doesn’t make Youtube videos potentially malicious, since Youtube controls their Flash player, right? More likely, I would imagine we’d be seeing this exploit used through Flash ads or redirects to malicious sites using a Flash applet or a PDF with Flash content, wouldn’t we?

  13. Ozzy says:

    Steve, thank you for the timely warning but regarding auto play dll file problem is not mentioned in your article unless people read all of the comments. Please ad an update, so people will not just upgrade flash and think they are done.

    Thx

    Oz

  14. Philip says:

    How about the people using foxit reader

    • Steve Gibson says:

      Philip: I’ll bet that either the Foxit Reader doesn’t support embedded FLASH (which would be just fine with me — who wants to embed FLASH in a PDF document anyway?) or if it does, it would simply use the system’s FLASH plug-in, in which case upgrading to the v10.1 plug-in would fix Foxit too. :)

  15. Dan says:

    Steve,

    Is this exploit only through flash in PDFs, or can it be exploited through normal flash found on the web, as well (e.g., flash video)?

    • Steve Gibson says:

      Dan: DEFINITELY directly through web-page embedded FLASH. I would guess that that’s the #1 danger for the “drive by” case. The embedded PDF case would be #1 for targeted “weaponized eMail” style attacks.

      • Dan says:

        Ah, okay, thank you. I just uninstalled flash (I’m paranoid), and will wait for an update.

        • Steve Gibson says:

          That makes a lot of sense if you’re okay with losing FLASH for awhile. But don’t forget about Adobe Reader too! :)

          • Dan says:

            I’m running Ubuntu, and therefore don’t have to worry about Reader (I’m fairly sure evince doesn’t allow flash embedding). I’ll wait until the repos get whatever update Adobe releases for flash before installing it again.

            • Nir says:

              I’m using Ubuntu too, but I’m not taking chances.
              After reading Adobe’s alert it is my understanding that the vulnerability isn’t just in authplay.dll, but also in libflashplayer.so. So, I did what they suggested (deleted libflashplayer.so) and downloaded their updated lib-file (that’s all they give us Linux users).

              I think the alert should’ve been better phrased so that Linux users like me realize that they actually DO have something to worry about, and not stick their heads in the sand believing that they’re safe just because they’re not running DLLs. Maybe point that the Linux side is vulnerability is specifically in the lib file and not just generally in Flash.

  16. Paul says:

    Is it just Adobe Reader or are other pdf readers like Foxit vulnerable to this?

  17. SFdude says:

    Good post, Steve!

    Reason:
    you alert us of a problem,
    but you *also* tell us about the solution or mitigating steps.
    (I read other people alerting about this problem,
    but they did not mention what do about it = useless…).

    Thanks again, Steve!
    SFdude

  18. The Security Advisory says “…and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.” but only gives the path for Windows. I found the file “AuthPlayLib” at the following path in my installation of Acrobat 9 Pro:

    /Applications/Adobe\ Acrobat\ 9\ Pro/Adobe\ Acrobat\ Pro.app/Contents/Frameworks/AuthPlayLib.bundle/Contents/MacOS/AuthPlayLib

  19. Pingback: Top Posts — WordPress.com

  20. You’re really reaffirming the purpose of your web presence both on Twitter & your blog. I wouldn’t have stumbled upon this issue otherwise (until the next SN).

    Thanks Steve!

  21. Penguintopia says:

    Just one more reason to keep blocking Flash, and to insist that Flash never, ever rear it’s ugly head on my iPad. Hopefully, I can block/disable it on my Nexus One when I upgrade to Froyo….

  22. Clinton Neal says:

    Thanks Steve,

    I just uninstalled Flash altogether, and opted in to HTML5 on YouTube http://www.youtube.com/html5 (not all video’s are available but it’s better than keeping Flash in my opinion, besides I can still watch YouTube on my iPod Touch).

    For anyone wondering if you can watch TWiT live without flash yes you can http://wiki.twit.tv/wiki/TWiT_Live#Watching_.2F_streaming_TWiT_Live_directly

    Clinton.

  23. Steven Korner says:

    Steve, thanks so much for your podcasts and all the info you provide. I’ve become a regular listener (and now reader).

    One thing I’d like to note: If anyone has any problems with flash video after the install of 10.1, doublecheck to make sure your video drivers are up to date. I was one version out on my ATI video driver, and getting some instability while viewing a flash video on my personal family blog. Updated to the latest, and all is well.

  24. Clinton Neal says:

    why didn’t you allow my comment?

  25. Rush says:

    Um..how many OTHER apps have a lib called ‘autoplay.dll’??? How many other apps are people, potnentially, going to muck up by renaming to ‘autoplay.xxx’?

    • Barry K. Nathan says:

      The DLL to rename in this case is not “autoplay.dll”, but “authplay.dll”…

    • R McKee says:

      FYI, Rush: I just installed 10.1, renamed the authplay.dll as to authplay.xxx, then ran the hard drive search that Steve recommended. I have 18 copies of authplay.dll on my hard drive – mostly in folders related to Adobe CS4. I’m going to cross my fingers and rename all of them now.

  26. Philip says:

    How ironic. I’m sitting here now listening to SN-251 and right away Steve says there’s no security update this week, when lo and behold his blogpost for Flash gets to my email. Obviously, I read the blogpost first, which is why, now listening to 251, it seems Steve spoke to soon about Adobe’s quarterly updates. heheh

  27. Pingback: ‘FLASH [Adobe] Forward’ a la versión 10.1 | Shadow Security

  28. Nathaniel says:

    When I used Windows I never installed reader prefering instead foxit a free and less bloatted alternative. Steve maybe you could take a look at it and then recommend it as a way to avoid future exploits

  29. Arenlor says:

    Hey all, it seems that Foxit DOES play embedded flash videos.
    The thread stating as such

  30. Umair says:

    would browsing inside sandboxie be safe if we clear the sandbox after the session? can banking etc be done in a fresh sandboxed browser?

  31. nascent says:

    Thanks for the update on authplay.dll.

  32. Hey Steve,

    I’m almost done listening to Security Now 251, and just finished listening to the discussion about doing away with HTTP and using only HTTPS. In specific, about Google providing an HTTPS Search now, but how your ISP can still watch what websites you visit by monitoring your requests. Wouldn’t it just be possible for Google (or some other site that you trust – how that is set up is not important right now) to display HTTPS links, that is, links that go through Google but internally redirect to the actual site? Something like (Google.com/sdfwrw%d, for example) where Google.com would return the page the actual link would have taken you to?

    I guess this might suffer from code injections but wouldn’t this solve the problem of your ISP being able to see what you’re doing? As far as they are concerned, you’re just visiting Google. A lot.

    Even having a server/client mechanism to encrypt/decrypt requests from inside the domain would do the trick (and would be midly more secure than having to trust someone else with your data/requests).

    Thoughts?

  33. Barry K. Nathan says:

    (This post is written from a rather Windows-centric point of view, but that’s because like Steve, I expect Windows to be targeted much more heavily, so I’m concentrating on it first. Also, the Macs and Linux boxes I currently manage tend not to have Reader or AIR installed. In addition, sorry about this post being so long, but hopefully it’s all relevant.)

    I just realized there’s another Adobe product that contains an embedded copy of Flash (with the vulnerability since it’s 10.0 not 10.1), namely, Adobe AIR — which is installed automatically by Adobe Reader 9 (since AIR is needed by the Acrobat.com application that is also automatically installed by Reader 9). And AIR has been patched in the past for vulnerabilities in its embedded copy of Flash. (That’s just one example of AIR being patched due to Flash; I’m pretty sure there are others.)

    I’m guessing (hoping?) that AIR will end up being basically a lower-priority, secondary target (like Mac and Linux) compared to browser plug-in Flash and Reader on Windows, but I could be wrong.

    OBTW this embedded copy of Flash is named NPSWF32.dll, not authplay.dll. (See C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources)

    I guess the best approach would be to uninstall Adobe AIR (from Add/Remove Programs) if you don’t need it, and the next best would be to upgrade to the AIR 2.0 release candidate if you do need it.

    On a related note, it seems to me that there are (at least) 3 different variants of Flash:

    A. Flash10h.ocx (with an “Original File name” of Flash.ocx in Windows Explorer’s Properties); this is used by Internet Explorer
    B. NPSWF32.dll; this is used by non-IE browsers and by Adobe AIR
    C. authplay.dll; this is used by Adobe Reader/Acrobat and Adobe CS products

    Hopefully I’ve got this straight (or at least straight enough for now).

    Also, does anyone know what version of authplay.dll the CS5 programs come with?

    Finally, it looks like there’s a vulnerability that allows code executionin Adobe InDesign CS3, and since CS5 is now out, Adobe apparently intends to never patch CS3 again (according to that link). In the process of trying to secure friends/relatives/neighbors’ systems against the Flash vulnerability, I’ve been finding CS3 installs where I expected to see either CS4 or no Adobe CS at all, so this whole thing just gets a little more frustrating. *Sigh*

  34. Brandon Champion says:

    Dear Adobe,

    Why do I need to install a proprietary download manager plugin and restart my browser just to download a 2.45 MB file?

    Sincerely,
    Brandon

  35. Ron says:

    Steve,
    I just noticed that Adobe Photoshop Elements 6 has a version of authplay.dll too. In my case, it’s Adobe Flash Player 9.0 r43. So that probably needs to be renamed too.
    :o(

    Ron

  36. Pingback: New Adobe Flash Security Alert

  37. Chris Jones says:

    I’m using Chrome 6 (Dev tree) which does have the built-in Flash, and this build has 10.1.x. If you’re on the Dev tree, I’d guess you’re safe since 10.1 isn’t vulnerable. If you’re not on Dev, they’re apparently not using a built-in Flash and you can just install 10.1 yourself.

    The reason for the built-in Flash plugin is to allow Google to see that we have the best Flash available since most of the browser-using public are really delinquent on keeping up with updates for this perpetually vulnerable plugin.

  38. Tim says:

    Thanks for the heads up, Steve!

    What a perfect opportunity to give the latest version of Gnash a try! So far, so good on my Ubuntu system. YouTube videos play fine, and all of my bookmarked sites work fine with the exception of one banking site that chokes on login (I guess I’ll access this site through Win7 and Flash 10.1 RC7). Any Linux users that want to give Gnash a try make sure you install ffmpeg. Also, YouTube only worked for me after erasing all YouTube cookies and then blocking YouTube cookies from recurring (under Privacy Preferences in Firefox).

    Tim

    • Fenny Fox says:

      In my experience, the performance of Gnash has been atrocious.

      The software-only rendering engine stutters and tears, and the OpenGL-accelerated engine doesn’t work at all (though my OpenGL is otherwise working fine, e.g., for compiz and some games through Wine).

      I’d love to dump Adobe and use Gnash, but I fear it has quite a bit of work left to do. ;)

  39. How interesting that Adobe, no one here, or anywhere else that I’ve read about this has mentioned whether the Flash problem is exploitable for XP users logged on as limited/restricted users. In general this is a great thing to do for security but it has absolutely no mind share. Not even on anyone’s radar. So sad.

    I logon as a limited user and don’t use antivirus software and feel safer than someone logged on as an admin user with av software. Granted this is a matter of opinion.

    • Barry K. Nathan says:

      Yes, running as a limited user is a good idea. However, it does not prevent your system from being compromised through this Flash hole. Nonetheless, it limits the damage that exploits can do once they compromise your system.

      (As I started adding more detail, this post became far longer than I originally intended. I suppose the first and last paragraphs are the most important.)

      Assuming the exploit isn’t also able to accomplish privilege escalation (see below), this will keep the exploit from infecting your disk driver a la TDSS, but it could still do stuff like searching through your account for personal info and transmitting it over the ‘Net. Also, under XP, I think the malware could read or modify the memory of other processes running under the same limited user account, so a lot of mischief is still possible. (Vista and 7 provide some protection against this latter attack, although I don’t remember the exact details. I wonder if browser sandboxes like Sandboxie can provide protection against this under XP; currently I don’t know the answer to that question.)

      Keep in mind that some of the security holes fixed by Microsoft yesterday allow local privilege escalation. So, in theory, an exploit could use the Flash hole followed by one of yesterday’s Windows holes to break into a limited user account then gain full Administrator privileges and do anything it wants. (If you’ve ever wondered what McAfee or Symantec mean by the phrase “blended threat,” this is the sort of thing they have in mind.) Thus, it’s especially important to apply yesterday’s updates if you’re relying on a limited user account to give you protection.

      By the way, if you’re using a limited user account on an XP system with antivirus installed, and the antivirus program wasn’t designed/implemented carefully enough, an exploit could potentially use a security hole in your antivirus software to elevate from limited user to Administrator privileges by way of a Shatter attack. (This could actually apply to any 3rd-party service which runs with elevated privileges and can be configured with a GUI, not just antivirus software.) Again, this is something that Microsoft addressed in Vista and 7; if you ever wondered why Vista introduced so many compatibility problems, these security improvements were a major reason. (One would hope that all the antivirus vendors fixed any Shatter vulnerabilities under XP in the process of adding Vista compatibility, if not earlier, but I don’t know if that’s actually the case.)

      I’m not saying that using a limited user account is useless — it’s a really good idea — just that it only goes so far. Now, if you start using multiple limited user accounts — for example, one limited user purely for online banking and another limited user (not admin!) for everything else — then (aside from privilege escalation exploits) malware on the general-use account will be unable to mess with the banking account, and you’ll get a bigger improvement in security. Not as good as using a separate computer or OS for banking, but a considerable improvement nonetheless.

  40. Richard F says:

    Thanks, switched over my 3 computers.

    Really enjoy your show. Amazing the knowledge you have accumulated.

    Big Fan

  41. Ronc says:

    Why are there 2 download links (Windows and IE) for the RC? All previous downloads of flash were done at one time.

    • Barry K. Nathan says:

      Actually, it depended on what part of Adobe’s site you were downloading Flash from. The main Flash download page will automatically pick the most suitable one based on the browser you’re using; the other Flash download pages will show download links for all the possible versions. (The ActiveX version is for Internet Explorer and the other version is for all other browsers.)

    • Barry K. Nathan says:

      Oops, I forgot to mention in my last post: Once Flash 10.1 becomes a final release, it should show up on the main Flash download page, where it will be just one download like the previous versions were for most people.

  42. Jim says:

    Makes me glad i have this iPad. No flash, no problem.

  43. Barry K. Nathan says:

    Adobe updated their advisory yesterday (the link is in the original post by Steve, just above his signature). A basic summary of the updates to the advisory: In addition to the instructions for Adobe Reader 9 on Windows, they have added Mac and Linux/Unix instructions. They also have an expected release date of June 10 for an updated “Flash Player 10.x” final release for non-Solaris platforms (they don’t specify whether the x is 0 or 1) and June 29 for the Adobe Reader/Acrobat 9 update. Finally, they now list Flash 10.1 as “confirmed” (no longer “probably”) not vulnerable.

    BTW, Safari 5 has security updates, so anyone using Safari should update. (Apple also released Safari 4.1 for people who are still on Tiger.)

    Also, just a reminder, today is Patch Tuesday, so Microsoft will be releasing a bunch (I think 10 in all) of Windows, Office, etc. security fixes later today.

  44. Pingback: TWiT 251: Flop Sweat | CastMedium

  45. deakaz says:

    Thanks for letting people know about this Steve, I love the idea of you starting a blog about the world of security.

    I should mention that people should use a different PDF reader to Adobe’s and I’d recommend FoxIT.

    I’ve been curious for a while as to what blogs you read, if any and where you get your security news/updates from. I think this might make for a interesting post.

    I’m @deakaz on twitter if you’d like to reply there.

    Keep up the great work Steve, much appreciate your efforts!

  46. tom reilly says:

    Steve, first let me say thank you. I will direct all of my contacts and friends to your website. I have a couple of questions:
    1. Is there any way to tell if your system has been compromised?
    2. If yes, will upgrading to v10.1 & renaming authplay.dll be effective in uncompromising your system?

    Thanks again.
    tom

    • Barry K. Nathan says:

      1. With the currently circulating exploits, a properly updated antivirus program should in theory be able to find and remove the exploit code (or better yet, keep it from compromising the system in the first place). I have not done the necessary research to figure out which AV programs are doing a good job in this regard and which aren’t. In any case, it’s usually possible for the malware creators to tweak their malware to bypass antivirus detection.

      There may be other ways of figuring out whether a system has been compromised using this hole, but I think that would depend on exactly what the current in-the-wild exploits are doing.

      Basically, once malware gets in through this hole, it’s pretty much like handling a Trojan horse compromise in general.

      2. No. Doing that will prevent other malware from using that same infection vector, but any malware that has already entered your system that way will still be on your system.

  47. Gareth says:

    Hi Steve
    Thanks for the heads up – however what do you do if you are running Windows 7 64bit?

    As according to Adobe:
    “The 64-bit versions of Flash Player will not be in the initial release of Flash Player 10.1. We remain committed to bringing native 64-bit Flash Player to Windows and Mac in future, in addition to the currently available 64-bit alpha version of Flash Player 10 for Linux. ”

    Gareth

    • Barry K. Nathan says:

      If you’re running Flash 9.0 or 10.0 on Windows, it’s already 32-bit, so upgrading to 10.1 makes no difference in that regard. (This is why web browsers on 64-bit Windows are usually run in 32-bit mode.)

      Adobe is focused on making a 64-bit Flash player for Linux first; they’re under the belief that the people who have the greatest need for a 64-bit player tend to use Linux as their OS. (Also, until Mac OS X 10.6 “Snow Leopard” came out, there were probably more people trying to run 64-bit browsers under Linux than under any other OS. Under Snow Leopard, Safari now runs in 64-bit mode by default, since it uses the new “Grand Central Dispatch” multiprocessing API to allow a 64-bit Safari to run 32-bit plugins.)

      • Fenny Fox says:

        64-bit Linux users should note that in some cases, there is a way to run 32-bit plugins in a true 64-bit browser. I note how this can be done in a comment further down the page.

  48. Barry K. Nathan says:

    This is arguably off-topic, but probably of interest to all Windows XP users here. Tavis Ormandy found a really bad XP/2003 Help Center vulnerability. I’m not sure whether it’s more or less severe than the Flash hole, but it’s really bad in any case. It’s currently unpatched, and he has some proof-of-concept exploits there, but the advisory has mitigation instructions as well.

    Here are (lightly tested) instructions of my own for mitigating it from a command-line prompt (I think you’ll need to run the delete and import commands with admin privileges):

    To save up the relevant registry keys before erasing them:
    reg export hkcr\hcp hcp.reg
    (make sure to save the hcp.reg file!)

    To blow away the HCP protocol handler (and protect against the vulnerability):
    reg delete hkcr\hcp

    To undo the mitigation:
    reg import hcp.reg
    (or double-click the hcp.reg file in Windows Explorer)

    Another possibility would be to use “hkcr\hcp\shell\open” instead of “hkcr\hcp” in the above instructions (for reg export and reg delete). I don’t know which is best, but both ways seem to mitigate the vulnerability in my testing.

    There’s another advisory regarding this hole, from VUPEN, which advises renaming hkcr\hcp to something like hkcr\hcp-old. (I won’t include a second link in this post, to make sure this doesn’t get stuck in moderation.) I think renaming hkcr\hcp instead of deleting it is insufficient protection against the hole, but I want to finish this post before I get a chance to fully test that.

    • Barry K. Nathan says:

      Renaming hkcr\hcp as suggested in the VUPEN advisory actually does work. The attack ends up getting blocked in Help Center instead of in the web browser, but it does stop the attack. Sorry about the false alarm.

    • Barry K. Nathan says:

      Another possibility would be to use “hkcr\hcp\shell\open” instead of “hkcr\hcp” in the above instructions (for reg export and reg delete). I don’t know which is best, but both ways seem to mitigate the vulnerability in my testing.

      It turns out that you have to use hkcr\hcp in the commands I gave, not hkcr\hcp\shell\open (Microsoft’s advisory, see below, strongly suggests that the latter does not fully mitigate the vulnerability).

      Microsoft has an advisory now and their mitigation is basically the “reg delete” command I posted, but done through the regedit GUI.

  49. Disabling authplay.dll causes Adobe Photoshop Elements 7 to stop working.

    After changing authplay.dll to authplay.xxx, Elements 7 would no longer open. It resumed working after changing back to authplay.dll and restarting the PC.

  50. Fenny Fox says:

    If anyone’s running 64-bit Flash (like in Linux), they’re screwed. There’s NO 64-bit Flash 10.1 at the present time.

    I suppose if a 64-bit Linux user has a 32-bit browser lying around, they can install 32-bit Flash there; certain VM setups might help here, too (those that revert when switched off).

    • craig speed says:

      Fenny
      Hi ! Please forgive my potential and likely ignorance but I saw where you said there was no 64 bit adobe flash 10.1 on Linux. I have a 64 bit Windows 7 machine that I have flash 10.1 on so were you just talking about Linux or all O.S. systems?
      I also went into my control panel this a.m. and un-installed all the adobe stuff and reinstalled them with the versions that Paul had written that adobe was recommending this morning. Thanks very much.

      • Fenny Fox says:

        It is possible to use a 32-bit Flash Player (in this case, 10.1) under a 64-bit OS, if a 32-bit browser is in use. Windows 7 makes this relatively easy; in fact, there is no 64-bit Firefox for Windows right now, because of that simplicity.

        However, it’s a far more complicated process to do this under 64-bit Linux – so complicated, that I’ve never managed to pull it off. True 64-bit browsers are the norm there.

        Note that in the interim since my first comment, I found a way to use 32-bit Flash Player in a 64-bit browser in a 64-bit Linux install. I’ll note it in a reply to myself.

    • Fenny Fox says:

      Update: In the time since my first comment above, I found a way to use a 32-bit Flash Player in a 64-bit Firefox build under 64-bit Linux – thus, allowing the use of Flash Player 10.1 easily in such scenarios.

      In short, the solution is called nspluginwrapper; this is a piece of software that allows 32-bit binary plugins to be used in 64-bit browsers, whereas they normally could not be.

      Since I use Debian Linux, the best way to make this work was to enable the Debian Multimedia repository (you need to enabled the non-free section), and install the flashplayer-mozilla package using apt. This should install Flash Player 10.1 (32-bit), nspluginwrapper, a number of other 32-bit libraries that are needed, and configure everything automatically. :o)

  51. Reuben says:

    FYI:
    PSI says nothing (although it got me to update AIR this week)
    and
    the stupid DL manager from Adobe failed to DL the update after it installed. >.<

  52. Paul says:

    Steve, Thanks so much for all you do.

    As of today June 11, 2010 Adobe posted the following regarding those of us who installed beta version 10.1.
    “For Flash Player 10.1 Beta users, if Adobe Flash Player fails to install, uninstall previous versions of Flash Player prior to installation. For more details, click here”

    http://www.adobe.com/products/flashplayer/support/index.html

    Note: For Flash Player 10.1 Beta users, you must uninstall previous versions of Flash Player prior to installation.

    How to uninstall the Adobe Flash Player plug-in and ActiveX control

    http://kb2.adobe.com/cps/141/tn_14157.html

  53. Mac says:

    People ask me why I switched from Adobe reader to a newer cleaner PDF reader and I tell them because adobe is bloatware and insecure. If there was only a way to get rid of or change to an alternate flash I would. I pray that HTML 5 kills flash forever it would be a godsend. .

  54. nonW00t says:

    So what’s with Gibson not writing a flash replacement in pure assembly code already??!! Shocking.

  55. Paul says:

    Steve,

    Adobe now says Adobe Air needs to be updated.

    Summary

    Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

    Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.

    http://www.adobe.com/support/security/bulletins/apsb10-14.html

  56. Pingback: Adobe Security update available for Adobe Flash Player | ChrisR Tech Blog

  57. Josh says:

    Dear Steve,
    Thanks for the update just fixed my computer keep up the good work.

  58. douglas davenport says:

    don’t forget on 64 bit windows this will actually be in:
    c:\program files (x86)\adobe

  59. Ben says:

    I’ve been going around and installing Flash 10.1 on all my family’s PC. However, I’ve noticed that as I do, the screen “blanker” quits working dependably. The feature I’m talking about is in Windows Power Option

  60. Ben says:

    I’ve been going around and installing Flash 10.1 on all my family’s PC. However, I’ve noticed that as I do, the screen “blanker” quits working dependably. The feature I’m talking about is in Windows Control Panel/Power Options Properties/Power Schemes “Turn off monitor.” Most of my family’s PCs are still XP so I don’t have a good observation for Windows 7.

  61. PLM says:

    Adobe’s inability to take security seriously holds a large part of the internet users hostage. The track record is atrocious. Steve Jobs really is on to something with the iPad, using Apple’s influence in moving the internet towards a safer place.

  62. Wickedproxy says:

    Makes me glad I’m using a PS3 to surf the web. :) The exploits I’ve been seeing lately would make me want to unplug my computer if I had one. Keep up the great work.

  63. TIANNA PATRICE Tyson also confirmed in the Times that he has dismi ARMIDA

  64. Bob says:

    Very interestingly. I was recently interested in this topic. Very interesting and informative. I wish more such articles on this portal. Thanks for the article.

  65. Pingback: Wayne's Workshop » Daily Run Down 06/06/2010

  66. I read this just a couple of minutes ago and thought I’d pass it along even though it is not truly that topical. What’s one of the most sensible factor you’ve ever heard someone say?

  67. james says:

    thanks Steve.
    i nuked acrobat a few weeks ago.
    ohh my, how much crap it left behind. but all gone now.
    our pc’s are so much better off without it.
    HOWEVER, i use nuance paper port 12 now. which has pdf viewer plus. so i wonder if i am back to square one??
    any thoughts…. (not sure if you are familiar with this product).
    cant wait to hear your next netcast :)

  68. Thank you a bunch for sharing this with all people you really recognise what you are speaking approximately! Bookmarked. Please also seek advice from my site =). We will have a link change agreement among us!

  69. Fiz says:

    Why is it that Adobe crashes, or complicates anything they put their name on? Aren’t there ANY other companies out there that can produce those products properly and efficiently, without either crashing a browser, computer, demanding updates, or dimming the lights?

    • JEB_i says:

      Could be they are emulating Oracles business model. When a digital Titan rears up above the morass of commonality to become unique, special, offering that one thing making everything better. The world falls in love with them and a brief span of time later, what they once offered exclusively, may be obtained from many.

      When that occurs, it’s difficult for the ‘powers that be’ in those organizations to divorce themselves from the ‘adored status’. It’s allure is so very very seductive. Hence mega programmers retain power and prestige around the world by maintaining, ‘default application’ status. Email is to Outlook as Database’s are to Oracle, as PDF are to Adobe.

      Though the webmail and email apps like Thunderbird proliferate, expecting any of them to replace Outlook in fortune 500 companies, simply is not going to happen. Same may be said for PDF’s and Adobe. Once ingrained at that level, the ships of enterprise do not port for refitting unless a major problem is encountered. They are able to counter threats through ‘policy’. Well, policy and an IT department able to support all inevitabilities.

  70. JEB_i says:

    In planning the recent system rebuild, Adobe was not re-deployed. Foxit PDF reader was selected from the choices available. Superior software @ Zero cost.

  71. Karl says:

    Thanks for the advise. I’ve renamed as advised.
    Great site and blog! Enjoy the password section most.
    Regards

  72. Good to know, I’ve renamed the files. I’m surprised a large company like Adobe could make a slipup like this and take that long to produce a fix.

  73. Will be back for any updates.

  74. I am sure this article has touched all the internet users, its really really
    pleasant piece of writing on building up new web site.

  75. I leave a response when I like a post on a blog or I have something
    to contribute to the conversation. Usually it’s caused by the sincerness displayed in the article I browsed. And after this article FLASH Adobe Forward to v10.1 | Steve (GRC) Gibson’s Blog.
    I was actually moved enough to post a leave a responsea response :
    -) I actually do have a couple of questions for you if it’s allright. Is it just me or do a few of these responses appear as if they are written by brain dead people? :-P And, if you are writing on other places, I’d like to
    follow everything new you have to post. Could you
    make a list every one of your public sites like your Facebook page, twitter feed, or linkedin profile?

  76. I every time used to read piece of writing in news papers
    but now as I am a user of net thus from now I am using net for articles or reviews, thanks to
    web.

  77. I absolutely love your blog and find many of your post’s to be what precisely I’m looking for.
    Do you offer guest writers to write content to suit
    your needs? I wouldn’t mind publishing a post or elaborating on many of the subjects you write with regards to here. Again, awesome web log!

  78. Chrome users don’t have to download new versions of Flash Player since it can automatically update when new versions of Flash Player are available and users always have the latest security updates.

  79. Johnf415 says:

    Howdy! Do you know if they make any plugins to protect against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any recommendations? eeccgaedeade

  80. We’re a group of volunteers and opening a new scheme
    in our community. Your web site offered us with valuable
    information to work on. You’ve done a formidable job and our whole community will be
    grateful to you.

  81. Thanks , I have just been looking for info about this subject for a
    while and yours is the greatest I’ve discovered till now.
    However, what concerning the bottom line? Are you sure concerning the source?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s