Critical Security June 2012 Update For Adobe Flash Player – Includes Firefox Sandbox

Adobe have released an urgent security update. The full release notes for Flash Player version 11.3 are available here; in summary, the major changes are security fixes and a new Protected Mode for Firefox on Windows. Full technical details are available on Adobe’s blog here.

Firefox Protected Mode is a new enhancement designed to limit the impact of attacks launched from malicious SWF (Flash) files against Adobe Flash Player when running in Firefox 4.0+ on Vista and higher. Protected Mode is enabled by default when you view Flash Player files in Firefox, reducing the risk of potential security threats on client systems via persistent malware.

When Protected Mode is on, these files are displayed in a restricted environment called a sandbox. It is comparable to the sandboxing already used in Google Chrome – Protected Mode will also be included in IE10 in Windows 8 when released.

Protected Mode for Firefox is NOT available in Windows XP so the only option for XP users who want the security benefits of sandboxing in Flash Player is to use Google Chrome (or use a full sandbox solution like Sandboxie).

Other improvements in 11.3 include a background updater feature for Macs to silently update Flash with security updates and bug fixes – see the Download section below for more detail and a screenshot of the Update options. Also improved is Apple MacOS App Store Support and there are many new technical features including low latency audio support, texture streaming and full screen keyboard input.

Finally, there are several fixes for freezing, quality and other issues in specific circumstances.

If you have ‘automatic background updates’ enabled, you may already have received this update and no further action is required – skip to the ‘How To Test Flash Player’ section below to check if it worked and that you already have this latest version.

For users who do not have automatic updates:

  • Users of most major web browsers (except Google Chrome – see note below) can download and install Flash Player 11.3.300.257 directly from Adobe here. Alternatively, download the .exe file for IE or non-IE (Plugin based browsers like Firefox) from Adobe’s Distribution page here. The advantage of these downloads is that they don’t include the ‘freebie’ rubbish (see the next bullet point below) and you can save it to copy to/install on other computers.

Note: version 11.3 downloads now include both 32bit and 64bit versions within the same file – i.e. you no longer have to worry about whether you need to download the 32bit or 64bit version.

  • During installation, untick the additional ‘freebie’ (Google Toolbar or McAfee Security Scan) unless you want that as well.
  • If you use more than one web browser you will need to install this security update for Flash Player 11.3 for each web browser.
  • After installation completes, choose your update method from the options as shown in the example (picture from 11.2 but exactly the same in 11.3) below:

Flash 11.3 Future Update Choices

If chosen, the automated installation of future Flash updates will be ‘silent’ i.e. no notifications will appear before, during, or after an update is performed by the Flash Player Background Updater – so there will be nothing for the user to do and Flash will keep itself updated in future :-)

What About Google Chrome? Chrome is different because it contains an integrated Flash plugin which should be updated automatically by Chrome. Many users of Chrome have previously reported problems with the integrated Flash plugin – see Shockwave Flash crashes in Chrome if required for tips on how to resolve these issues.

How To Test Flash Player? Open each web browser and visit the Adobe Flash Player test page to check that Flash 11.3 is now properly installed and working.

Conclusion

This update includes a critical security fix and many new features that should be applied by all users. The inclusion of sandboxing for Firefox is welcome but it is not available for XP – this is a poor decision by Adobe considering that XP is still the world’s most popular operating system with c 48% market share (W7 43% and Vista 7%).

Trends suggest that XP will still be a major player for at least a couple of years and Firefox will remain the world’s third most popular browser – so Adobe’s decision to ignore XP is a bad one for security. Flash Player 11.3 also adds the option to automatically install future updates for Mac, not just Windows.

As long as users choose the automatic install option, all future updates will take place without any user intervention – so Flash will keep up to date and more secure.

2 Responses to: "Critical Security June 2012 Update For Adobe Flash Player – Includes Firefox Sandbox"

  1. Mark W. says:

    “The inclusion of sandboxing for Firefox is welcome but it is not available for XP – this is a poor decision by Adobe considering that XP is still the world’s most popular operating system with c 48% market share (W7 43% and Vista 7%).
    Trends suggest that XP will still be a major player for at least a couple of years and Firefox will remain the world’s third most popular browser – so Adobe’s decision to ignore XP is a bad one for security.”

    I was thinking exactly the same thing while reading this post.
    The Adobe team should check into the “real” world because many people will still be using their WinXP OS past the support date. Many people don’t give a “hoot” about security as long as their computer still functions. I have a feeling XP will still be supported with security updates after the proposed cutoff in 2014 with some sort of paid plan available.
    My 0.02 and + a zillion for the sentiment and a chance for me to rant. :)

    • Roy says:

      We all love a good rant ;-)

      I guess XP support depends on businesses moving to W7 – another extension or paid support could be an option.

      IE 9/10 is already unavailable for XP and IE8 is too old so this may make more XP users switch to Chrome (HTML5 isn’t up to the job yet) – maybe it’s an indication of Adobe’s future (lack of) support