Adobe released updates to Flash Player yesterday for Windows, Mac, Linux, and Android platforms. While addressing a number of vulnerabilities, this version also introduces Flash Player Protected Mode (sandbox) for Windows Firefox users. The Flash Player for Mac OS X includes the background updater and is signed with an Apple Developer ID to ensure compatibility with the new Gatekeeper tech in Mountain Lion.
The Adobe Secure Software Engineering Team blog talks about these new features in details:
The background updater on Mac works similar to the updater introduced for Windows in Flash Player 11.2. The Mac Launch daemon will launch the updater every hour to check for updates if the user opts in to background updates. If an update is found, the updater will download and install the update without interruption.
With Mac OS X Mountain Lion (10.8), Apple introduced a feature called “Gatekeeper,” which can help end-users distinguish trusted applications from potentially dangerous applications. Gatekeeper checks a developer’s unique Apple Developer ID to verify that an application is not known malware and that it hasn’t been tampered with. Starting with Flash Player 11.3, Adobe has started signing releases for Mac OS X using an Apple Developer ID certificate. Therefore, if the Gatekeeper setting is set to “Mac App Store and identified developers,” end-users will be able to install Flash Player without being blocked by Gatekeeper. If Gatekeeper blocks the installation of Flash Player with this setting, the end-user may have been subject to a phishing attack.
A separate post gets into further detail to explain the new sandbox that the Firefox plugin uses on Windows Vista and 7. Windows XP does not get the same level of protection and Adobe did not see the investment worth it with Windows XP use declining – another reason to upgrade if you’re still on XP.
|Adobe Flash Player||11.3.300.257||Windows and Mac OS X|
|22.214.171.124||Android 3.x and 2.x|
|Adobe AIR||126.96.36.19910||Windows, Mac, and Android|
The updates resolve a variety of vulnerabilities:
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-2034).
These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2012-2035).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-2036).
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-2037).
These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2012-2038).
These updates resolve null dereference vulnerabilities that could lead to code execution (CVE-2012-2039).
These updates resolve a binary planting vulnerability in the Flash Player installer that could lead to code execution (CVE-2012-2040).
Download Adobe Flash Player directly using the link in this previous 404 Tech Support article.
In other Adobe news, Adobe Reader and Acrobat 9 will reach end-of-life a year from now on June 26, 2013.