Security updates available for Adobe Flash Player
- Adobe Flash Player 2017 Latest Version - The most recent of these updates, as of this writing, was released on November 8, when Adobe resolved 9 code execution problems that can enable attackers to take control of an affected system. Security updates defined much of 2016 for a number of Adobe's products, Flash included.
- Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 26.0.0.137 as soon as possible.
- Current Flash Player users who have enrolled in the 'Allow Adobe to install updates (recommended)' update mechanism will be automatically updated to Flash Player 28 over the next 24 hours. Users who have selected 'Notify me to install updates' will receive an update notification dialog within 7 days from today.
Safari opens the Adobe Flash Player page on the Adobe website. Follow the instructions on the Adobe website to download and install the latest version of the plug-in. If you need to use an older version of Flash Player, you can use Internet plug-in management in Safari to run the plug-in in unsafe mode for websites that you trust.
Release date: April 11, 2017
Vulnerability identifier: APSB17-10
Priority: See table below
CVE number: CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064
Platform: Windows, Macintosh, Linux and Chrome OS
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Product | Affected Versions | Platform |
---|---|---|
Adobe Flash Player Desktop Runtime | 25.0.0.127 and earlier | Windows, Macintosh and Linux |
Adobe Flash Player for Google Chrome | 25.0.0.127 and earlier | Windows, Macintosh, Linux and Chrome OS |
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 25.0.0.127 and earlier | Windows 10 and 8.1 |
- To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product | Updated Versions | Platform | Priority rating | Availability |
---|---|---|---|---|
Adobe Flash Player Desktop Runtime | 25.0.0.148 | Windows and Macintosh | 1 | Flash Player Download Center Flash Player Distribution |
Adobe Flash Player for Google Chrome | 25.0.0.148 | Windows, Macintosh, Linux and Chrome OS | 1 | Google Chrome Releases |
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 25.0.0.148 | Windows 10 and 8.1 | 1 | Microsoft Security Advisory |
Adobe Flash Player Desktop Runtime | 25.0.0.148 | Linux | 3 | Flash Player Download Center |
- Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 25.0.0.148 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 25.0.0.148 for Windows, Macintosh, Linux and Chrome OS.
- Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 25.0.0.148.
- Please visit the Flash Player Help page for assistance in installing Flash Player.
[1] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3058, CVE-2017-3059, CVE-2017-3062, CVE-2017-3063).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-3060, CVE-2017-3061, CVE-2017-3064).
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero (CVE-2017-3061, CVE-2017-3064)
- Anonymously reported via Trend Micro's Zero Day Initiative (CVE-2017-3059)
- willj from Tencent PC Manager working with Trend Micro’s Zero Day Initiative (CVE-2017-3063)
- b5e4b07ed250ac8014390628445b0d26 working with Trend Micro's Zero Day Initiative (CVE-2017-3060)
- bee13oy of CloverSec Labs working with Trend Micro's Zero Day Initiative (CVE-2017-3058)
- Yuki Chen of 360 Vulcan Team working with Trend Micro's Zero Day Initiative (CVE-2017-3062)
Adobe would like to thank the following individuals and organizations for reporting these issues and for working with Adobe to help protect our customers:
- Dhanesh Kizhakkinan of FireEye as well as Peter Pi of TrendMicro (CVE-2015-5122)
- Peter Pi of TrendMicro as well as slipstream/RoL (@TheWack0lian) (CVE-2015-5123)
In response to a class of recently disclosed vulnerabilities in popular CPU hardware related to data cache timing (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), known popularly as Spectre and Meltdown, we are disabling the ‘shareable’ property of the ActionScript ByteArray class by default and have added jitter to our event and timer APIs.
EnableInsecureByteArrayShareable
Short Description:
Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class.
Detailed Description:
EnableInsecureByteArrayShareable= [0,1] (0=false, 1=true)
This setting will allow Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class. Shared ByteArrays are used to share data between threads with ActionScript “Workers.” Shared ByteArrays are an advanced feature of the ActionScript API set and not commonly used in the vast majority of published Flash content. For increased security, we recommend administrators leave this feature disabled.
EnableInsecureByteArrayShareableDomain
Short Description:
Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class on a per-domain basis.
Detailed Description:
EnableInsecureByteArrayShareableDomain= domain name or IP address
By default, Flash Player 30 and above will no longer allow the “shareable” property of the ActionScript ByteArray API class. The EnableInsecureByteArrayShareableDomain settings provide exceptions to that rule. Administrators can create a “white list” of approved domain names or IP addresses to which the EnableInsecureByteArrayShareable setting will apply. If the active security context is in the list of domains and IP addresses, then access to the shareable ByteArray property will be allowed. Otherwise, shareable ByteArray access will be denied.
For domain names, prefixing a * wildcard is allowed. For example, *.adobe.com would allow all Flash content with the “shareable” property to run on www.adobe.com, get.adobe.com, helpx.adobe.com, and so on. Wildcards are not allowed when specifying IP addresses.
For example, the following settings allow SWFs using the shareable ByteArray property to only run on servers at www.mydomain.com and 10.1.1.10:
For domain names, prefixing a * wildcard is allowed.
Example:
This would allow all Flash content with the “shareable” property to run on www.mydomain.com, foo.mydomain.com, and so on. Wildcards are not allowed when specifying IP addresses.
EventJitterMicroseconds
Setting this value to 0 disables an important mitigation for Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.
TimerJitterMicroseconds
Setting this value to 0 disables an important mitigation for Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.
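For administrators reviewing deployed mms.cfg files, the following added example (not Adobe's code and not part of the original page) flags the settings described above that weaken the Flash Player 30 defaults. It assumes one `key=value` pair per line, `#` comment lines and case-insensitive key names; the sample file and its values are constructed for illustration.

```python
# Constructed sample mms.cfg (not from the Adobe page): re-enables shareable
# ByteArrays and turns off one jitter mitigation. The value 50 is arbitrary.
SAMPLE_MMS_CFG = """\
EnableInsecureByteArrayShareable=1
EnableInsecureByteArrayShareableDomain=*.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.*
EventJitterMicroseconds=0
TimerJitterMicroseconds=50
"""

DOMAIN_KEY = "enableinsecurebytearrayshareabledomain"
JITTER_KEYS = {"eventjittermicroseconds", "timerjittermicroseconds"}


def parse_mms_cfg(text):
    """Return (key, value) pairs in file order; repeated keys are kept."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit(text):
    """List settings that weaken the Spectre-related defaults."""
    pairs = parse_mms_cfg(text)
    domains = [v for k, v in pairs if k.lower() == DOMAIN_KEY]
    findings = []
    for key, value in pairs:
        if key.lower() == "enableinsecurebytearrayshareable" and value == "1":
            scope = ", ".join(domains) if domains else "no domain list"
            findings.append(f"shareable ByteArray re-enabled ({scope})")
        elif key.lower() in JITTER_KEYS and value == "0":
            findings.append(f"{key}=0 disables a Spectre mitigation")
    for entry in domains:
        if "*" not in entry:
            continue
        # Digits, dots and '*' only means an IP-style entry; wildcards are not allowed there.
        if entry.replace("*", "").replace(".", "").isdigit():
            findings.append(f"wildcard not allowed in IP entry: {entry}")
        elif not entry.startswith("*."):
            findings.append(f"wildcard must be a prefix: {entry}")
    return findings
```

Calling `audit(SAMPLE_MMS_CFG)` returns three findings: the re-enabled shareable property with its exception list, the zeroed event jitter, and the wildcard IP entry.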
For information on managing the mms.cfg file, please see the Flash Player System Administrator’s guide, here: