Macromedia Flash Update Prompts an SF Rant
A newly released version of Adobe's Macromedia Flash Player fixes at least two security flaws in the program that more than 200 million people have installed on their computers.
Security vendor Fortinet released two advisories calling attention to the vulnerabilities, one of which it said could let bad guys hijack your browser and possibly your computer if you were to merely browse a Web site that took advantage of the flaw.
The flaws are present in Macromedia Flash Player v22.214.171.124 and earlier versions. The new version, released on June 28, is v126.96.36.199, downloadable here. You can check which version you have installed by visiting this page. The patch should update Internet Explorer, Firefox, Netscape or Opera, depending on which one is set as your default browser.
Soap box alert: Adobe needs to get its act in gear and ship an auto-updater for its Flash and Shockwave media players. Most people have some version of Flash installed in their Web browser, mainly because it is used to display visual content on so many Web sites.
Putting aside its ongoing tussle with Microsoft over the fate of Acrobat Reader in future versions of Windows, Adobe recently teamed with Microsoft to have a previous update that fixed a bundle of security flaws shipped as a security update from Microsoft.
Both companies are to be commended for cooperating to keep customers protected from flaws that bad guys have been quick to exploit in the past, but this should be the rule, not the exception, and it should come from Adobe, not Microsoft. Adobe has the brains and the infrastructure in place to make auto-updating a reality, and it is long overdue. Heck, even Mozilla is now working to develop its own auto-updater to check and see whether users have the latest version of Flash installed.
Adobe Reader already has a (sometimes kludgy) mechanism that checks for updates when the user starts the program, and Adobe Flash Product Manager Emmy Huang recently commented on Security Fix that Adobe was working on making that a reality for Flash and Shockwave. It's a good idea we're still waiting for the company to implement. Emmy, any updates?
Update, July 11, 2:50 p.m. ET: For the record, I just today received this response from Emmy Huang regarding the auto-update notification feature in Flash and Shockwave. I don't recall receiving notification of an update for either of these products, ever, but then again I don't generally wait that long. Anyone else using one of these older versions described in this response get a notification of a new version 30 days after it was released?
We are aware of the latest potential vulnerabilities affecting previous versions of the Flash Player. These potential vulnerabilities are not present in Flash Player 9, which can be downloaded from Adobe.com. We encourage all users to update to this latest version of the Flash Player.
For customers who cannot upgrade to Flash Player 9, Adobe is currently working to incorporate a modification into earlier versions of Flash Player. Details will be provided on this page and through Adobe's security notification service as soon as a solution is available. Users can subscribe to the service for Adobe bulletins and advisories on our security website.
To correct the misperception about the Flash and Shockwave Player auto-update notification capabilities, these two products do indeed have this functionality. Beginning with Flash Player 7, the Automatic Notification and Update feature has been included in the Flash Player, which allows Adobe to automatically notify users when an updated version of Flash Player is available. Users may choose whether to receive automatic notification of updates and how frequently to receive them. Shockwave Player has a similar feature that was introduced in Shockwave Player 7. For more information about the Flash Player auto-update feature, you can visit this page. For Shockwave Player, visit this link.
I think the confusion was caused when I said we do not immediately "turn it on" the day we launch a new player. This is because we typically wait to ensure everything on the download center is working and kinks are worked out before driving a high traffic load. Once we change the minimum version check to notify users who are on a version lower than the current version, users will begin to see the update notification appear on their systems. By default, this check occurs if it has been at least 30 days since the last time it checked for updates. Users can change this setting in the Settings Manager here. Note, the auto-update notification feature is for Windows only at this time.