Adobe patches two critical Flash Player vulnerabilities

Software developer also pushes out automatic update feature

Adobe has released a patch that fixes two critical vulnerabilities in its Flash Player web browser plug-in.

According to a security bulletin released by the firm alongside the software update, the patch upgrades Flash Player to version 11.2 and closes two vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

The patch also includes a new updater for Flash Player that is able to automatically check for and download updates directly from Adobe, without the need for user intervention.

However, this option can be disabled where it is deemed inappropriate, for example within a managed coroprate network.

Peleus Uhley of Adobe's Secure Software Engineering Team explained that the current system of user's deciding when the software is allowed to update can be maintained.

"Organisations with managed environments do have the capability to disable the background updater feature through the Flash Player mms.cfg file," Uhley wrote on the firm's blog.

"Also, those users who want to be notified of updates and do not want to be silently updated can continue to use the existing update mechanism."

However, he emphasised the importance of the automatic updater by explaining that a failure to patch promptly puts users' machines, and therefore their data, at risk.

"99.8 per cent of malware installs through exploit kits are targeting out-of-date software installations," wrote Uhley.

A further benefit of allowing the system to update itself is that it protects users from malware authors who dress their malicious code up as Flash Player updates, tricking users into downloading rogue software.

"Attackers have been taking advantage of users trying to manually search for Flash Player updates by buying ads on search engines pretending to be legitimate Flash Player download sites.

"Improving the update process is probably the single most important challenge we can tackle for our customers at this time."

Wolfgang Kandek, CTO of security firm Qualys, said that he recommends users employ the automatic updating feature for its security benefits, and simplicity.

"We highly recommend to opt-in [to the automatic updater]. Running on the latest version of Flash adds considerable resilience to one's setup, plus it avoids the chore of updating all of your installed browsers by hand."