Adobe updates Flash Player with privacy and security fixes

Flash Player 10.3, which is available for Android, Linux, Mac OS, and Windows, includes a new browser API that enables clearing local shared objects, also known as Flash cookies, from browsers. Cookies can be used to track online activity. The Flash cookie has been particularly difficult to get rid of.

According to Seth Schoen with the Electronic Frontier Foundation, Flash cookies are stored outside of the browser's control.

“Web browsers do not directly allow users to view or delete the cookies stored by a Flash application, users are not notified when such cookies are set, and these cookies never expire. Flash cookies can track users in all the ways traditional HTTP cookies do, and they can be stored or retrieved whenever a user accesses a page containing a Flash application”, he explained.

The Flash Player update makes the process of deleting Flash cookies easier. Users can delete them using the browser’s privacy setting or through a user-friendly control panel that also controls the camera and microphone.

“We have created a new native control panel for Windows, Macintosh and Linux desktops that will allow end-users to manage all of the Flash Player settings, including camera, microphone and Local Shared Objects. The control panel can still be found by right-clicking on content written for Flash Player and selecting 'Global Settings.' However, starting with Flash Player 10.3, it can now also be found in the Control Panel or System Settings for your operating system”, Adobe noted.

The updated Flash Player also fixes a number of critical security vulnerabilities.

According to Adobe, “critical vulnerabilities have been identified in Adobe Flash Player 10.2.159.1 and earlier versions (Adobe Flash Player 10.2.154.28 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51 and earlier versions for Android. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.”

Adobe recommended that users upgrade to Flash Player 10.3 to plug the vulnerabilities.

In addition, Flash Player 10.3 includes security fixes for critical vulnerabilities in Flash Media Server and Audition and for an important vulnerability in RoboHelp.
