Flash Player update includes privacy, security fixes

Adobe on Thursday issued a Flash Player update that quashes a number of critical security flaws and introduces an easier way for users to delete Flash cookies, which can be abused to track users' browsing habits.

In an effort to improve user privacy, the update, Flash Player 10.3, integrates with various web browsers to allow users to easily manage and delete Flash Player local storage, also known as local shared objects (LSOs) or Flash cookies, in much the same way that browser cookies are cleared today.

Much like browser cookies, Flash cookies are a mechanism to store information about a user's preferences for websites that use Adobe Flash.

Researchers have warned since 2009 that some websites and advertising networks abuse Flash cookies to restore browser cookies after they have been deleted by a user, a process known as “browser cookie respawning,” which effectively bypasses users' efforts to avoid being tracked online.

Flash Player 10.3 mitigates this privacy issue with the inclusion of a new API, called ClearSiteData NPAPI, which allows supported web browsers to communicate a user's preference to wipe data stored by Flash Player. As a result, users will be able to clear both browser and Flash cookies from their web browser settings menu.

Previously, users were able to delete Flash cookies, but it could not be done through a web browser and the process was not user-friendly, Wiebke Lips, senior manager of corporate communications at Adobe, told SCMagazineUS.com in an email Friday.

The new functionality is already supported on Internet Explorer 8 and 9 and Mozilla Firefox, Lips said. In addition, it is currently in the beta channel for Google Chrome and is expected to be available for Apple Safari in a future release.

“We applaud the change,” Andy Zeigler, program manager for Microsoft's Internet Explorer, wrote in a blog post. “It resolves a longstanding privacy issue.”

The Flash Player update also includes fixes for several critical vulnerabilities, which could cause an application to crash or potentially allow an attacker to take control of an affected system, Adobe said. The update, available for Flash Player for Windows, Mac, Linux and Solaris operating systems, as well as Google's Chrome web browser and Android mobile operating system, fixes 11 security vulnerabilities in total.

Adobe has identified malware in the wild that is attempting to exploit one of the memory corruption flaws via a Flash file embedded in a Microsoft Word or Excel file delivered as an email attachment. The company said it has not, however, come across a sample that successfully completes the attack.

The update also includes a new auto-update notification mechanism for Apple's Mac OS X.
