Posts tagged "Flash Player"

An Update for the Flash Player Updater

Peleus here with the second major 2012 security announcement for Flash Player. Today’s release of Flash Player contains a new background updater. This new background updater will allow Windows users to choose an automatic update option for future Flash Player updates.

If you read this September 2011 CSIS report, then you saw that 99.8 percent of malware installs through exploit kits are targeting out-of-date software installations. This point was reiterated recently in volume 11 of the Microsoft Security Intelligent Report. Also, attackers have been taking advantage of users trying to manually search for Flash Player updates by buying ads on search engines pretending to be legitimate Flash Player download sites. Improving the update process is probably the single most important challenge we can tackle for our customers at this time.

Overview of the background updater design

A full technical description of the new background updater design is available on DevNet, but here are the highlights:

After a successful installation of Adobe Flash Player 11.2, users will be presented with a dialog box to choose an update method. The following three update options are available to users:

  • Install updates automatically when available (recommended)
  • Notify me when updates are available
  • Never check for updates (not recommended)

For our initial release, we have set the new background updater to check for updates once an hour until it gets a response from Adobe. If the response says there is no new update, then it will wait 24 hours before checking again. We accomplish this through the Windows Task Scheduler to avoid running a background service on the system. If you are running multiple browsers on your system, the background updater will update every browser. This will solve the problem of end-users having to update Flash Player for Internet Explorer separately from Flash Player for their other open-source browsers. Google Chrome users, who have the integrated Flash Player, will still be updated through the Chrome update system.

Additionally, the user can change their update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel > Flash Player. In the Flash Player Settings Manager, the update preferences can be found and selected in the “Advanced” tab under “Updates.”

Organizations with managed environments do have the capability to disable the background updater feature through the Flash Player mms.cfg file. Also, those users who want to be notified of updates and do not want to be silently updated can continue to use the existing update mechanism. Lastly, the background updater feature is currently Windows-only for Windows XP and newer operating systems. A Mac version is currently under development.

I do want to note that we are not promising that all Flash Player updates going forward will be completely silent. We will be making the decision to silently install on a case-by-case basis. For instance, any update that changes the default settings of Flash Player will require confirmation from end-users even if they have already agreed to allowing background updates. Today’s update is an example of where confirmation would be required since we are changing how updates get applied to the user’s machine. However, we could apply a zero-day patch without requiring end-user confirmation, so long as the user has agreed to receiving background updates. Adobe will also continue to release feature-bearing releases that will trigger an update notification to users that highlight new and exciting features to the Flash Player.

The new background updater will provide a better experience for our customers, and it will allow us to more rapidly respond to zero-day attacks. This model for updating users is similar to the Google Chrome update experience, and Google has had great success with this approach. We are hoping to have similar success.

One last note

Since Flash Player 11 was first released in September 2011, we have continued to maintain Flash Player 10.3 with security updates for users who cannot update to the current version of Flash Player. In support of Microsoft’s initiative to get the world to drop Internet Explorer 6 and upgrade to a newer version of Internet Explorer for a safer browsing experience, Adobe will be dropping support for Internet Explorer 6 starting with today’s release of Flash Player 10.3.

While we will no longer include testing on Internet Explorer 6 in our certification process and strongly encourage users to upgrade to the newest version of Internet Explorer, we will not block the installation of newer versions of Flash Player 10.3 on systems running Internet Explorer 6 and expect functionality on those systems to remain unchanged.

CanSecWest 2012

The team and I are about to head off to CanSecWest. While I have been attending CanSecWest for several years, this year will be a unique experience for me. During my talk, I will demo an open-source tool I just released, called Adobe SWF Investigator. The tool can be useful for developers, quality engineers and security professionals for analyzing SWF applications. It has been a pet project of mine for some time, and I decided to share it with a broader audience.

Within my current role, I have to look at all aspects of SWF applications from cross-site scripting issues to binary analysis. Therefore, the tool includes capabilities to perform everything from testing cross-site scripting to viewing the individual SWF tags within the file format. I am hoping that by releasing the tool as an open-source ActionScript application, it will encourage all ActionScript developers to learn more about security. The tool is designed to be an extensible framework everyone can build upon or modify. More information on the tool can be found in my DevNet article.

In addition to demonstrating the tool, I will also be talking about Advanced Persistent Response. Adobe has been the focus of hackers for some time, and I plan to discuss what we have learned and observed in the process of responding to those threats. My talk will be on Wednesday at 3:30pm, if you are interested. When I am not speaking, you can probably find me and the Adobe team either at the Adobe table or milling around the pwn2own contest for no particular reason. Please feel free to come by and talk with us. See you there!

Flash Player Sandboxing is Coming to Firefox

Peleus here. In December of 2010, I wrote a blog post describing the first steps towards sandboxing Flash Player within Google Chrome. In the blog, I stated that the Flash Player team would explore bringing sandboxing technology to other browsers. We then spent 2011 buried deep within Adobe laying the groundwork for several new security innovations.

Today, Adobe has launched a public beta of our new Flash Player sandbox (aka “Protected Mode”) for the Firefox browser. The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach. Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7. We would like to thank the Mozilla team for assisting us with some of the more challenging browser integration bugs. For Flash Player, this is the next evolutionary step in protecting our customers.

Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits. For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X. We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year. In the meantime, please help us get these protections out to end-users as fast as possible by volunteering to download our beta and help test. Information on known bugs, configuration options and other information can be found on Adobe Labs in the “Getting Started” section.

P.S.: I will be speaking at CanSecWest on this and other exciting topics. I hope to see everyone there!

Flash Player 11 Privacy and Security Updates

You may have seen our Flash Player 11 announcement earlier today. In addition to the major advancements for gaming, media and data-driven applications, this new version of Flash Player, which will be available in early October, will include several important new privacy and security features. We’ll start with privacy:

Extending Key Privacy Capabilities to Mobile Devices

Adobe has been working hard to make it easier for users to control their privacy and privacy settings on their desktops. We added support for the private browsing feature found in many Web browsers when we introduced Flash Player 10.1, created a desktop version of the Flash Player Settings Manager (aka a native control panel) and redesigned the Flash Player Settings Manager interface in Flash Player 10.3. And we worked closely with the browser community to allow end-users to clear their Local Shared Objects (LSOs) through their existing browser controls—functionality that was also introduced in Flash Player with the release of Flash Player 10.3.

With Flash Player 11, we are extending key privacy capabilities to tablets and mobile devices. Privacy is important regardless of the device you are using. With the release of Flash Player 11, we are bringing support for private browsing mode (aka incognito mode)* and a mobile control panel to Android devices. This means that end-users will be able to leverage the same private browsing mode protections available to them on their desktops today on their mobile devices, while the new mobile control panel will make it easier for them to manage their Flash Player privacy settings on their Android devices. (*Private browsing mode, or incognito mode, is supported on Android Honeycomb.)

The mobile control panel will launch the browser on the device and take the user to the online mobile settings manager, which allows users to control two of the mobile Flash Player features:

  • The first are the settings for controlling Local Shared Objects (LSOs). Users can choose to “always” allow local storage, allow local storage “only from sites I visit” or “never” allow local storage. The settings manager also provides a handy “clear [all] local storage” option.
  • The second feature that can be controlled is peer-assisted networking which allows Flash Player to use connection sharing to provide a better media experience.

 

New Security Features in Flash Player 11

On the security front, we are introducing several new features that will allow developers to better protect customer data. The first major new feature we are adding is support for SSL socket connections, which will make it easier for developers to protect the data they stream over the Flash Player raw socket connections.

We are also adding a secure random number generator. Flash Player previously provided a basic, random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn’t meet the complete cryptographic standards for random number generation. The new random number generator API hooks the cryptographic provider of the host device, such as the CryptGenRandom function in Microsoft CAPI on Windows, for generating the random number. The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts.

Lastly, the introduction of 64-bit support in Flash Player 11 brings with it some security side-benefits: If you are using a 64-bit browser that supports address space layout randomization (ASLR) in conjunction with the 64-bit version of Flash Player, you will be protected by 64-bit ASLR. Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR.

Overall, our security and privacy roadmap still has much more to come, and we are already working on the next generation of features for upcoming releases. To take a look at the many new features in Flash Player 11—whether it be the advancements for gaming, media and data-driven applications, the security enhancements or the new mobile privacy features—check out the release candidate of Flash Player 11 for desktops now available on Adobe Labs or watch for an announcement once Flash Player 11 for desktops and Android devices becomes available in early October. We look forward to your feedback!

Lindsey Wegrzyn, Senior Product Manager, Privacy
Peleus Uhley, Platform Security Strategist