Bundling of Flash Player and a bit of irony

By Carsten Eiram

It seems to be becoming popular for software vendors to bundle Flash Player with their products. Adobe has been doing it for a while with Adobe Acrobat and Adobe Reader, and lately Google has also started bundling Flash Player with Chrome.

One problem with bundling Flash Player is that users cannot address vulnerabilities simply by installing a new Flash Player version when it becomes available; instead they have to wait until a new version of the product bundling Flash Player is released.

Two days ago, Adobe issued a security update for Flash Player, fixing a number of memory corruption vulnerabilities, which could allow execution of arbitrary code when viewing specially crafted Flash content.

Google was quick to issue an updated version of Chrome bundling the latest version of Flash Player to protect its users. Google definitely deserves kudos for the fast response time, but it would be more helpful to inform users that it is a security update instead of just stating that it "contains an updated version of the Flash plugin" without mentioning the security impact.

Ironically, while Google was fast to issue an updated version, Adobe has still not issued updated versions of Adobe Acrobat and Adobe Reader, even though it can hardly come as a surprise to them that an update for Flash Player was issued.

Fortunately, since Charlie Miller disclosed a vulnerability in Adobe Acrobat/Reader at Black Hat, Adobe is scheduling an out-of-band release for next week instead of waiting until the next scheduled quarterly update on October 12th. According to Adobe, this release also includes an updated version of the bundled Flash Player, but one has to wonder how long we would have had to wait if they had not been forced to issue the out-of-band release.

In the meantime, users should rename or prevent access to authplay.dll in Adobe Reader/Acrobat to disable support for Flash content in PDF files.
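As an added example (not from the original post), the following PowerShell script applies the workaround above by locating authplay.dll and renaming it with a .disabled suffix. It assumes Adobe Reader/Acrobat is installed under Program Files\Adobe, is run from an elevated prompt with Reader/Acrobat closed, and supports -WhatIf to preview the change.

```powershell
# Added example: disable Flash support in Adobe Reader/Acrobat by renaming
# authplay.dll. The install root (Program Files\Adobe) is an assumption;
# adjust $roots if the product is installed elsewhere.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Both 32-bit and 64-bit Program Files locations (the second is empty on 32-bit Windows).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$hits = foreach ($root in $roots) {
    $adobe = Join-Path $root 'Adobe'
    if (Test-Path $adobe) {
        Get-ChildItem -Path $adobe -Recurse -Filter 'authplay.dll' -ErrorAction SilentlyContinue
    }
}

if (-not $hits) {
    Write-Host 'authplay.dll not found under the Adobe install directories; nothing to do.'
    return
}

foreach ($dll in $hits) {
    $newName = $dll.Name + '.disabled'
    $target  = Join-Path $dll.DirectoryName $newName
    if (Test-Path $target) {
        Write-Host "Already disabled: $($dll.FullName)"
        continue
    }
    # ShouldProcess honours -WhatIf / -Confirm so the rename can be previewed first.
    if ($PSCmdlet.ShouldProcess($dll.FullName, "Rename to $newName")) {
        # Fails if Reader/Acrobat still has the DLL loaded; close the application first.
        Rename-Item -Path $dll.FullName -NewName $newName -ErrorAction Stop
        Write-Host "Renamed: $($dll.FullName) -> $target"
    }
}
```

To restore Flash support after the fixed Reader/Acrobat version is installed, rename authplay.dll.disabled back to authplay.dll or delete the leftover .disabled copy, since the update will ship its own authplay.dll.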

Stay Secure,

Carsten Eiram,
Chief Security Specialist