Macromedia Flash Update Prompts an SF Rant

A newly released version of Adobe's Macromedia Flash Player fixes at least two security flaws in the program that more than 200 million people have installed on their computers.

Security vendor Fortinet released two advisories calling attention to the vulnerabilities, one of which it said could let bad guys hijack your browser and possibly your computer if you were to merely browse a Web site that took advantage of the flaw.

The flaws are present in Macromedia Flash Player v8.0.24.0 and earlier versions. The new version, released on June 28, is v9.0.16.0, downloadable here. You can check which version you have installed by visiting this page. The patch should update Internet Explorer, Firefox, Netscape or Opera, depending on which one is set to your default browser.
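One way to turn the version numbers above into a repeatable check, as an added example that is not part of the original post: the script below takes an inventory of browsers and the Flash Player version each reports, and flags any install at or below the vulnerable ceiling (8.0.24.0, from the post) or below the fixed release (9.0.16.0, also from the post). The inventory itself is constructed sample data (the loose forms like "V6" and "8.0.24" mirror what readers report in the comments), and the browser names, function names and the four-component padding are this example's own choices rather than anything Adobe specifies.

```python
"""Audit installed Flash Player versions against the patched release.

Added example; the version thresholds come from the post, the inventory
below is constructed sample data, not output from any real tool.
"""
from __future__ import annotations

from typing import Optional

# Versions named in the post: flaws present in 8.0.24.0 and earlier,
# fixed in 9.0.16.0.
VULNERABLE_MAX = "8.0.24.0"
FIXED_VERSION = "9.0.16.0"

# Constructed inventory: browser -> version string the plugin reports,
# or None when the plugin is not installed at all.
SAMPLE_INVENTORY: dict[str, Optional[str]] = {
    "Internet Explorer": "V6",       # a very old install
    "Firefox": "8.0.24.0",           # the last vulnerable build
    "Opera": "8.0.24",               # same build, shorter form
    "Safari": "9.0.16.0",            # the fixed release
    "Netscape": None,                # plugin absent
    "Konqueror": "unknown-build",    # unparseable report
}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a dotted version string into a comparable 4-tuple.

    Accepts "9.0.16.0", "8.0.24", "V6" or "v9.0"; missing trailing
    components count as zero so that "8.0.24" compares equal to "8.0.24.0".
    Raises ValueError on anything that is not digits and dots.
    """
    cleaned = text.strip().lstrip("vV")
    if not cleaned:
        raise ValueError(f"empty version string: {text!r}")
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric component in {text!r}")
    nums = [int(p) for p in parts]
    # Pad to major.minor.build.revision; extra components are ignored.
    nums.extend([0] * (4 - len(nums)))
    return (nums[0], nums[1], nums[2], nums[3])


def is_vulnerable(installed: str) -> bool:
    """True when the install is at or below the last vulnerable build."""
    return parse_version(installed) <= parse_version(VULNERABLE_MAX)


def needs_update(installed: str) -> bool:
    """True when the install is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def audit(inventory: dict[str, Optional[str]]) -> dict[str, str]:
    """Classify every browser's install for a patching report.

    Categories: "vulnerable" (known-affected build), "outdated" (newer than
    the affected range but still below the fix), "ok", "not installed",
    or "unknown" when the reported string cannot be parsed.
    """
    report: dict[str, str] = {}
    for browser, version in inventory.items():
        if version is None:
            report[browser] = "not installed"
            continue
        try:
            if is_vulnerable(version):
                report[browser] = "vulnerable"
            elif needs_update(version):
                report[browser] = "outdated"
            else:
                report[browser] = "ok"
        except ValueError:
            # Treat unreadable reports as needing a manual look rather
            # than silently passing them.
            report[browser] = "unknown"
    return report


if __name__ == "__main__":
    for browser, status in audit(SAMPLE_INVENTORY).items():
        print(f"{browser:18s} {SAMPLE_INVENTORY[browser]!s:14s} {status}")
```

Two points worth noting when adapting this: an "unknown" result should be treated as a failed check rather than dropped, and because the post says the update only touches whichever browser is set as the default, each browser's plugin has to be inventoried separately, which is why the report is keyed per browser.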

Soap box alert: Adobe needs to get its act in gear and ship an auto-updater for its Flash and Shockwave media players. Most people have some version of Flash installed in their Web browser, mainly because it is used to display visual content on so many Web sites.

Putting aside its ongoing tussle with Microsoft over the fate of Acrobat Reader in future versions of Windows, Adobe recently teamed with Microsoft to have a previous update that fixed a bundle of security flaws shipped as a security update from Microsoft.

Both companies are to be commended for cooperating to keep customers protected from flaws that bad guys have been quick to exploit in the past, but this should be the rule, not the exception, and it should come from Adobe, not Microsoft. Adobe has the brains and the infrastructure in place to make auto-updating a reality, and it is long overdue. Heck, even Mozilla is now working to develop its own auto-updater to check and see whether users have the latest version of Flash installed.

Adobe Reader already has (a sometimes kludgy) mechanism that checks for updates when the user starts the program, and Adobe Flash Product Manager Emmy Huang recently commented on Security Fix that Adobe was working on making that a reality for Flash and Shockwave. It's a good idea we're still waiting for the company to implement. Emmy, any updates?

Update, July 11, 2:50 p.m. ET: For the record, I just today received this response from Emmy Huang regarding the auto-update notification feature in Flash and Shockwave. I don't recall receiving notification of an update for either of these products, ever, but then again I don't generally wait that long. Anyone else using one of these older versions described in this response get a notification of a new version 30 days after it was released?

Huang's response:

We are aware of the latest potential vulnerabilities affecting previous versions of the Flash Player. These potential vulnerabilities are not present in Flash Player 9, which can be downloaded from Adobe.com. We encourage all users to update to this latest version of the Flash Player.

For customers who cannot upgrade to Flash Player 9, Adobe is currently working to incorporate a modification into earlier versions of Flash Player. Details will be provided at this page and through Adobe's security notification service as soon as a solution is available. Users can subscribe to the service for Adobe bulletins and advisories on our security website.

To correct the misperception about the Flash and Shockwave Player auto-update notification capabilities, these two products do indeed have this functionality. Beginning with Flash Player 7, the Automatic Notification and Update feature has been included in the Flash Player, which allows Adobe to automatically notify users when an updated version of Flash Player is available. Users may choose whether to receive automatic notification of updates and how frequently to receive them. Shockwave Player has a similar feature that was introduced in Shockwave Player 7. For more information about the Flash Player auto-update feature, you can visit this page. For Shockwave Player, visit this link.

I think the confusion was caused when I said we do not immediately "turn it on" the day we launch a new player. This is because we typically wait to ensure everything on the download center is working and kinks are worked out before driving a high traffic load. Once we change the minimum version check to notify users who are on a version lower than the current version, users will begin to see the update notification appear on their systems. By default, this check occurs if it has been at least 30 days since the last time it checked for updates. Users can change this setting in the Settings Manager here. Note, the auto-update notification feature is for Windows only at this time.

By Brian Krebs  |  July 7, 2006; 11:35 AM ET
Categories:  New Patches  

Comments

Thanks, Brian.

I understand this product is necessary for YouTube. I have the 8.0.24 version and with my Opera browser YouTube does not display videos. Do I need to update for this to work as well?

Posted by: Bartolo | July 7, 2006 1:24 PM | Report abuse

Bartolo, No idea what YouTube's requirements are: my guess is it will run w/ any recent version of Flash. However, you are running 8.0.24, which is outdated. You should upgrade, as the Flash upgrade will update your Opera browser, if you have it set as the default browser on your machine.

Posted by: Bk | July 7, 2006 2:05 PM | Report abuse

What about Safari on OS X?

Posted by: EJ | July 7, 2006 4:56 PM | Report abuse

Adobe has a long and unfortunate history of attempting to hide security fixes. This gives us the worst of both worlds. Binary diffs across the updates point attackers right at exploits, while we busy sysadmins don't know we've a security update to apply. Ouch.

Also, past discussion, including the PR blats about automatic updates from Adobe spokespeople, misses the boat. Users increasingly aren't going to have admin privs to install updates, and the Adobe software won't be installed suid. Sysadmins thus need to be notified about which updates are security fixes so they can build and push the MSI via WSUS or group policy on Windows, push the install on Macs using remote desktop or ssh, etc.

Finally, what's the idea with including security updates in unrelated (and major) feature upgrades? Security updates must instead be specific to security issues. They need to be small and efficient to apply without the extra headache of the feature misses that come with entirely new versions of a package.

I hope Adobe will get their act together on 1) disclosing security updates and 2) providing security fixes that don't also blang us with major feature changes. Moreover, I hope they do so soon, before we have to throw in the towel and ban their products as demonstrably unsecurable and therefore too dangerous to use.

Posted by: Richard Johnson | July 7, 2006 7:18 PM | Report abuse

I vaguely recall a very early version of Flash having an auto-update feature... or maybe it was the Shockwave plug-in. Either way...

Posted by: Jake Barlow | July 7, 2006 7:54 PM | Report abuse

I don't know if I would trust the updater at all. For the 4th time I have tried to upgrade to the newest version and it still only says I have version 8. Does anyone have any ideas or suggestions that will work to correct the problem?

Posted by: DB | July 7, 2006 10:28 PM | Report abuse

Well I'm not sure what happened but it finally updated to the newest version.

Posted by: DB | July 8, 2006 12:48 AM | Report abuse

How does the update work for the non-default browser? Firefox updated fine, but not IE, Opera, or Netscape. (Yes we use them all to check things at work).

Thanks!

Posted by: jon | July 8, 2006 9:38 AM | Report abuse

Jon, Just open up each browser and visit the install link. Then check your version to see if it updated by clicking on the version link above. If you updated but it doesn't say so, try closing out all browser windows and restarting the browser.

Be aware that if you try to install this update on IE, it will prompt you to also install the Yahoo! toolbar. You can uncheck that before installing, as the Yahoo thing isn't necessary for this update.

Posted by: Bk | July 8, 2006 11:01 AM | Report abuse

Brian,
Thanks for covering our backs.

I went to the link in your blog/column and it says Flash Version 9 is a 'beta' for Macs.

I usually avoid betas. Is it worth taking the chance here?

tom rusch

Posted by: ValleyDriver | July 8, 2006 3:46 PM | Report abuse

I recently installed WinSP2, and see that it has a Permanently Block Flash Update Downloads function. I have tried downloading it about a dozen times, with no results. On the rare occasion that a gold security bar appears, authorizing the download has no effect. Thanks SP2, for making me _less_ secure.

Posted by: John Johnson | July 8, 2006 9:46 PM | Report abuse

I take back my previous outburst, because I finally got the Flash update to download and install.

Posted by: John Johnson | July 8, 2006 10:33 PM | Report abuse


Thanks so much for posting this and giving the link to download the newest version. I actually have been having trouble with my Microsoft Update on this particular update. I was able to successfully install the new Flash Player (finally!). Thank you!

Posted by: Kelly | July 10, 2006 11:24 AM | Report abuse

I can't seem to upgrade to v9.0 (without the Yahoo toolbar) having attempted numerous times...even tried with the Yahoo toolbar...guess what?...the toolbar installed but not v9.0!

Posted by: george | July 10, 2006 3:52 PM | Report abuse

Thanks Brian, I had a really old V6 of Flash Player on IE. Firefox had a V8. Both are now updated to V9. Thanks again. I don't know where else I would get security information about these 3rd party programs that run "under the covers" and can leave security holes open.
Rich B.

Posted by: dbm1rxb | July 10, 2006 5:13 PM | Report abuse

Hello Brian...Don't waste your time trying to give yourself a headache on trying to find where did the contents of my articles in my word document came from. They did not come from [WireTap] or buggy bugs in hotel rooms or whatever you're thinking about it. What are they and who are they? They are real "Aliens in human disguised" who visits me and talk to me according to their own time and space. Do you believe in what I'm saying is true? You have to experience it yourself to find out the facts and amazing discovery that they came from the [Dark Matter] of the Universe. They split themselves into multiple identities and marked their chosen at the back of their heads. Their problem is how to see me in person to see that mark.

Posted by: carolina | July 10, 2006 10:01 PM | Report abuse

Yes, I have received update notifications from Flash player in the past. Typically, this happens when breaking open a new pre-configured laptop or desktop (happens a lot at work). I haven't ever tried to click through from the notification message to d/l the new version, but the notifier does come up as advertised.

Posted by: Scott | July 12, 2006 12:43 PM | Report abuse

> Adobe Reader already has (a sometimes kludgy) mechanism that checks for updates when the user starts the program

Users can change this behavior in a Preference setting; see

Acrobat & Reader updates: Who's in control?
http://www.acrobatusers.com/blogs/kfoss/

Posted by: Kurt Foss | July 12, 2006 1:48 PM | Report abuse

Brian,
I agree that Adobe deserves a rant. Pretty sad that Microsoft does a far better job at updates than Adobe.
However, you are too kind when you give Adobe credit that "Adobe Reader already has (a sometimes kludgy) mechanism that checks for updates when the user starts the program"
The Acrobat updater is so awkward that I sometimes just uninstall Reader and install the newest version. The real hassle is for updating installs of the full version of Acrobat. Joys include huge files and an interface that can't seem to figure out if 7.05 has to be installed before 7.08 or if it has already been installed or if it is going to make you spend half an hour searching the internet to figure out the secret that gets it to stop, please STOP saying REBOOT NOW or REBOOT LATER!

Posted by: OhioMC | July 13, 2006 2:22 PM | Report abuse

Brian - Thanks for the post/rant. Please note that automatic Adobe Reader updates only work if you are logged on as administrator. I do not run as admin and do not get the update notification until I happen to logon as admin.

Posted by: Steve Mullen | July 16, 2006 9:54 PM | Report abuse

Have any Windows Vista Beta 2 users noticed that no page from the Adobe.com web site will load in IE7 or Firefox?

I have Vista loaded on two computers, and neither one will load Adobe.com pages -- the page load just gets stuck in an endless loop before any content is actually displayed.

How are Vista users to update their security if Adobe.com locks them out? I don't have this problem with any other web site.

Posted by: Mike Airhart | July 18, 2006 7:51 PM | Report abuse

Nut Bar anyone? How about you Carolina, Nut Bar?

Posted by: Reality Check | July 20, 2006 11:11 AM | Report abuse

I'm a Flash Developer. Flash has an auto-update feature. It's up to the Flash developer to enable it. Assumedly, this is not to continually nag a user that is stuck on a corporate box without admin rights.

Posted by: Tim Scollick | July 21, 2006 3:38 PM | Report abuse

Sorry to post twice but I just found this by googling "Flash auto-update":
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=16701594

This 'rant' isn't so well researched. You muddle the facts but the gist of it is a point well taken.

Please take this rant with a grain of salt. Adobe has been very responsive to the user and developer community to fix security holes.

I've never heard of anyone that had any damage done to their computer by Flash.

Posted by: Tim Scollick | July 21, 2006 3:42 PM | Report abuse

Well, my computer has now been made unable to view Flash sites because the Flash Player 9 I was pushed to download by MySpace does not work with Safari (OSX Panther). Major major headache trying to uninstall it and find a Flash 8 player -- unsuccessfully. Very upset and frustrated.

Posted by: Suzanne O'Keeffe | July 25, 2006 2:20 AM | Report abuse

I receive an update notice for Flash Player and click on Install Now; it does the complete download and at the end I receive "an error has occurred" and a prompt to retry. I click Retry and the complete cycle reoccurs after the download is completed.

Posted by: Robert | July 28, 2006 11:59 AM | Report abuse

If you are sick of annoying Flash ads and continual security problems, uninstall or block Flash:

http://johnhaller.com/jh/useful_stuff/disable_flash.asp

Posted by: Frank Hileman | July 30, 2006 10:01 AM | Report abuse



© 2010 The Washington Post Company