Critical Adobe Flash and Air player vulnerabilities

*Shocked* to see that Adobe has major security problems with Flash Player and Air. Be sure to download the latest versions, released on December 8th, here. You can read the related security bulletin here.

Cookie monster, Part 2

While browsing some RSS feeds today, I came across some more interesting Flash cookie and browser cookie information. There’s a great paper detailing the Flash Cookie issue which I blogged about earlier this week.

If you are concerned about browser privacy and ad tracking, it’s well worth a read. What I also found interesting was the mention of an opt-out web site for many advertisers. But, it seems this opt-out web site does NOT cover Flash cookies, and browser HTTP cookies are often re-created from Flash cookies. So the NAI opt-out web site really doesn’t do as much as one might think. One might even call it deceptive.

Flash cookies can be accessed in private browser modes, such as IE’s InPrivate. So sites can track you, even if you think the InPrivate session will help mask who you are. Also, if you look at your Flash cookies directory, it will show the domains for which cookies are stored. This in essence tracks your browser history and is NOT deleted when you clear your browser’s history.

On my Windows 7 computer, the Flash cookie file path is:
C:\Users\username\AppData\Roaming\Macromedia\Flash Player\#SharedObjects

Under this directory is where I found a list of sites which I’ve visited:
C:\Users\username\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

The SYS directory included sites which didn’t show up in the Adobe website storage panel applet. So it seems even if you clear out the data from Adobe’s applet, traces are still left on your computer.
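To check for the leftover traces described above, here is an added example (not part of the original post) that lists the domains found in both directories and reports the ones that appear only under sys. It assumes site data sits under `#SharedObjects\<random id>\<domain>` and that sys holds one folder per site named `#<domain>`; the function names are made up for this sketch.

```python
import os
from pathlib import Path

def flash_root(appdata=None):
    """Flash Player data root under the roaming profile (path from the post)."""
    appdata = appdata or os.environ.get("APPDATA", "")
    return Path(appdata) / "Macromedia" / "Flash Player"

def shared_object_domains(root):
    """Map each domain to the .sol files stored for it under #SharedObjects."""
    found = {}
    base = Path(root) / "#SharedObjects"
    if not base.is_dir():
        return found
    for sol in base.rglob("*.sol"):
        parts = sol.relative_to(base).parts
        # Assumed layout: <random id>/<domain>/.../file.sol
        if len(parts) >= 3:
            found.setdefault(parts[1].lower(), []).append(sol)
    return found

def sys_domains(root):
    """Domains that have a per-site folder under .../flashplayer/sys."""
    base = Path(root) / "macromedia.com" / "support" / "flashplayer" / "sys"
    if not base.is_dir():
        return set()
    # Assumed layout: one folder per site, named "#<domain>".
    return {d.name.lstrip("#").lower() for d in base.iterdir() if d.is_dir()}

def audit(root):
    """Return (domains with stored objects, domains that only appear in sys)."""
    stored = shared_object_domains(root)
    residual = sys_domains(root) - set(stored)
    return sorted(stored), sorted(residual)

if __name__ == "__main__":
    stored, residual = audit(flash_root())
    print("Domains with Flash cookies:")
    for name in stored:
        print("  " + name)
    print("Domains left only in sys (visit traces without stored data):")
    for name in residual:
        print("  " + name)
```

Run it before and after clearing data in Adobe's settings applet to see which domain names remain on disk.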

In short, everyone needs to be educated about Flash cookies and the industry as a whole needs to be more forthcoming about their use and make it easier to delete or prohibit these types of cookies.

Say no to the cookie monster

I read a very interesting article from PC World regarding browser cookies. What was news to me was that Adobe Flash and Silverlight can both store their own cookies independent of your browser. So even if you clear your browser cookies or have placed restrictions on them, advertisers and other sites can still track you. Given that Flash has so many security holes, I’m pretty much of the mind to disable Flash all the time except for times when you really need to view Flash content.

To help eliminate ads and many tracking cookies, I use a hosts file which does a pretty good job, and for free. What I found interesting about the article is a link to a tool from Adobe which allows you to change your privacy settings for Flash. This applet has a variety of settings. I promptly launched the applet, disabled all cookies, and deleted all existing cookies.

If you value your privacy, take a look at your Flash cookies! You will likely be surprised how many you have.

Major Adobe PDF security patch

In case you missed it, Adobe has released a patch for a critical Acrobat security vulnerability. InfoWorld has a good write-up on the flaw. Adobe released an official bulletin on the patch. If you have any version of Adobe Acrobat (including the free reader), I urge you to install the patch ASAP.

If you have the free reader, download the patch here. If you have the full-blown Acrobat suite (standard, Pro, Pro extended) you can find the patch here.