SEI Insights

CERT/CC Blog

Vulnerability Insights

Is Your Adobe Flash Player Updated?

Posted on by in

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time of this writing, is 9.0.124.0. Even if you think that you are up to date, can you be sure?

Many security researchers, myself included, incorrectly determined that the recent attacks using malicious SWF files were exploiting a zero-day vulnerability in Adobe Flash. How could the same mistake be made by independent researchers? The conclusion I came to is that although the characteristics of the attack looked like exploitation of a zero-day vulnerability, in truth, the systems probably weren't running versions of Flash Player that addressed the vulnerability being exploited. It is actually difficult to determine if Flash has been updated completely and correctly on any given system.

It is important to realize that a system may contain several instances of the Adobe Flash Player. The Adobe Flash Player plug-in installer for Windows will install only the Netscape-style plug-in for Flash, which is used by Mozilla Firefox, Opera, and other browsers that support plug-ins. The Adobe Flash Player ActiveX installer for Windows will install only the ActiveX version of Flash, which is used by Internet Explorer and other programs that use Internet Explorer components.

The situation that someone may run into is that the plug-in version of Flash may be completely up to date, but the ActiveX version is not, or vice-versa.

All Microsoft Windows systems should run the the ActiveX installer. If you have any browser other than Internet Explorer, also run the plug-in installer. Alternatively, visit the Get Flash Player page with every browser on your system to install the appropriate Flash Player versions.

Another cause for confusion is that Firefox allows plug-ins to be installed either system-wide or in a specific user's profile. As a result, a Flash plug-in that was installed in one manner may not be updated properly if the new version of Flash is installed in a different manner. Other browsers may have similar issues.

At the very least, make sure that you have attempted to upgrade to the latest version of Adobe Flash. But to make sure that you are protected, it would be wise to investigate whether your system has multiple versions of Adobe Flash Player, and update each of those accordingly.

About the Author

Will Dormann

Contact Will Dormann
Visit the SEI Digital Library for other publications by Will
View other blog posts by Will Dormann