Flash Player update includes privacy, security fixes
Adobe on Thursday issued a Flash Player update that quashes a number of critical security flaws and introduces an easier way for users to delete Flash cookies, which can be abused to track users' browsing habits.
In an effort to improve user privacy, the update, Flash Player 10.3, integrates with various web browsers to allow users to easily manage and delete Flash Player local storage, also known as local shared objects (LSOs) or Flash cookies, in a similar way that browser cookies are cleared today.
Much like browser cookies, Flash cookies are a mechanism to store information about a user's preferences for websites that use Adobe Flash.
Researchers have warned since 2009 that some websites and advertising networks abuse Flash cookies to restore browser cookies after they have been deleted by a user, a process known as “browser cookie respawning,” which effectively bypasses users' efforts to avoid being tracked online.
Flash Player 10.3 mitigates this privacy issue with the inclusion of a new API, called ClearSiteData NPAPI, which allows supported web browsers to communicate a user's preference to wipe data stored by Flash Player. As a result, users will be able to clear both browser and Flash cookies from their web browser settings menu.
Previously, users were able to delete Flash cookies, but it could not be done through a web browser and the process was not user-friendly, Wiebke Lips, senior manager of corporate communications at Adobe, told SCMagazineUS.com, in an email Friday.
The new functionality is already supported on Internet Explorer 8 and 9 and Mozilla Firefox, Lips said. In addition, it is currently in the beta channel for Google Chrome and is expected to be available for Apple Safari in a future release.
“We applaud the change,” Andy Zeigler, program manager for Microsoft's Internet Explorer, wrote in a blog post. “It resolves a longstanding privacy issue.”
The Flash Player update also includes fixes for several critical vulnerabilities, which could cause an application to crash to potentially allow an attacker to take control of an affected system, Adobe said. The update, available for Flash Player for Windows, Mac, Linux and Solaris operating systems, as well as Google's Chrome web browser and Android mobile operating system, fixes 11 security vulnerabilities in total.
Adobe has identified malware in the wild that is attempting to exploit one of the memory corruption flaws via a Flash file embedded in a Microsoft Word or Excel file delivered as an email attachment. The company said it has not, however, come across a sample that successfully completes the attack.
The update also includes a new auto-update notification mechanism for Apple's Mac OS X.