March 28, 2012

Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws  in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating.

Here’s how Adobe describes the updates to its updater:

The new Adobe Flash Player background updater updates all instances of a release version of Adobe Flash Player for all Web browsers on a computer. Previously, users had to perform separate updates for each Web browser running on their system.

With the introduction of the new background updater, Windows users have the option to download and install updates for Adobe Flash Player automatically (when available), without user interaction. After a successful installation of Adobe Flash Player 11.2, users are presented with a dialog box to choose an update method. The following three update options are available to users:

§  Install updates automatically when available (recommended)

§  Notify me when updates are available

§  Never check for updates (not recommended)

Additionally, the user can change his update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel > Flash Player. In the Flash Player Settings Manager, the update preferences can be found and selected in the “Advanced” tab under “Updates.”

Want to learn which version of Flash you have on your system? Visit this link. Updates are available via the Adobe Flash Player Download Center. Google’s Chrome browser usually auto-installs Flash updates, often before Adobe even publicizes them. But this is the second time Chrome has fallen behind on that front: My installation of Chrome still shows version 11,1,102,63.

Sadly, Adobe’s fancy new updater doesn’t go beyond Flash itself. If you have Adobe Air installed (that means you, Tweetdeck users), Air will need to be updated as well to accommodate these Flash fixes. For more on how to do that, see these instructions.


44 thoughts on “Critical Security Update for Adobe Flash Player

  1. Kevin

    Possibly dumb question…

    If I use multiple browsers, does Chrome automatically fix all of them when it patches Flash?

    1. Observer

      Kevin,

      No. Chrome only updates itself and its own Flash plug-in. If you run other browsers on Windows, you’ll need to download and install the updater for IE as well as that for the other non-IE browsers you use besides Chrome. At the most, you’ll have to download 2 files.

      If you’re running Windows 7, installing the 64 bit version automatically installs the 32 bit version of Flash.

      Hope that helps

      1. Observer

        …oh, and if you’re running OS X (Mac), Chrome just updates itself, similar to Windows.

        You’ll still need to run the Flash updater for Safari, Firefox, Opera, etc.

        The auto update feature doesn’t work for Mac users though.

    2. JCitizen

      At least after installing this update, you should have to worry less about updating from now on(providing it works); and he’s right about Chrome.

      Personally I’ve had troubles with the latest versions of Chrome for Vista x64, so I switched to Dragon from Comodo. Turns out they have a better privacy EULA on that version of Chrome, so I’m glad I made the switch!

  2. Neil Schwartzman

    It gets even better. Chrome gets a display window from Adobe telling me that it will auto-update itself, yet the version check indicates it is out-of-date. oh well, time to fire up Safari.

  3. Ron Blackwell

    I don’t know, but something seems out of whack here. I still had to run the Flash updater for both my IE browser and non-IE browsers (Firefox and Safari).

    Having said that, my RockMelt browser is still showing Flash version 11,1,102,63, even after running the updater.

    Google Chrome had a new update today, which apparently incorporated the newest Flash update. But you’re right, for once it appears Chrome lagged behind.

    1. Orlando

      >…I still had to run the Flash updater
      > for both my IE browser and non-IE browsers…

      I found the same.
      And then when one looks under the “Advanced” tab of the Flash Player Windows Control Panel applet, two separate entries are shown.

      1. JCitizen

        When I updated to this version, it , in deed, updated the rest of the flash versions automatically. I reserve judgement until the next update – however.

        So far the video tests okay, including IE x64.

  4. anon

    The Adobe Air instructions at the end of this post only instruct as to determining your currently installed version number, but a few minutes digging through the adobe site has failed to tell me what the latest version number is or whether downloading the installer from scratch is the proper update method. Any chance you could elucidate? (thanks)

    1. SFdude

      OK!

      Just reporting:
      – Flash Player 11.2.202.228 installed correctly,
      in my Firefox 3.6.28 !!!.

      XP-Pro SP3 …. 32-BIT here.

      This is what I did:

      1) Went to THIS Adobe D/L site:
      https://www.adobe.com/products/flashplayer/distribution3.html

      2) D/L Flash 11.2.202.228 EXE file,
      “for NON-IE browsers”, called:

      install_flash_player_11_plugin_32bit.exe

      (it’s in the middle section of the web page).

      3) Run my AV on it .
      (I don’t care if it’s from Adobe!),

      4) UNinstalled my prev. current Flash version:
      11.1.102.63 from Firefox.

      5) Installed the d/l file:
      install_flash_player_11_plugin_32bit.exe

      and selected:
      [ X ] only warn me of future updates,
      do not install updates automatically.

      Flash Player 11.2.202.228 installed fine!!

      6) Tested my FF with some YouTube videos.
      All working ok…

      Hope this helps…I know, it’s a pain….

      SFdude

      1. JCitizen

        That’s weird, I don’t remember having to uninstall a previous version of Flash for quite a while – even on my XP machines. Maybe you had a really old previous version?

  5. Reldel

    I updated three computers with Windows 7, two are Professional and one is Premium. I use software restriction policy on the Professional versions and Flash in IE9 will not run with SRP on. IE 9 locks up and has to be ended through task manager. Turn off SRP and everything is fine. Never had problem before, this flash update will not run with SRP. anybody else having problems?

    1. jerry

      I haven’t updated my XP Media Center yet but my guess is that the update needs to be run as an admin…or run as option in LUA with SRP. I’m betting the new flash auto update feature won’t work in a SRP enabled account either. Shucks!!

      1. JCitizen

        Well, at least it has a “download and notify me instead” selection.

    2. mechBgon

      Likewise, Flash Player 11.2 is hanging IE9 here with Software Restriction Policy enabled. I gave Adobe a bug report on it. I remember one previous occasion where they ran afoul of SRP, so here’s hoping they do fix it.

      My wild guess: their new update-checking process is trying to execute a filetype controlled by SRP, from a Temp directory in the user’s profile somewhere.

  6. Patrick

    When attempting to update via browsers other than Google Chrome, I entered this caveat from Adobe: “Note: Flash Player does not support 64-bit versions of Windows XP and Vista. Flash Player 11 now includes support for Windows 7 64-bit.” This means that many PC users won’t be able to update to this new version of Flash, no?!?

    http://www.w3schools.com/browsers/browsers_os.asp

    1. jerry

      I run Win7 64 bit OS but I run 32 bit browsers so I use 32 bit flash. I think this new version will support 64 bit browsers on 64 bit Win 7. FireFox doesn’t offer a 64 bit browser that I’m aware of. Not sure of the other vendors except IE which offers 64 bit.

  7. Kevin

    For us Mac users: “…the background updater feature is currently Windows-only for Windows XP and newer operating systems. A Mac version is currently under development.”

  8. Jay Wocky

    My installation of 11.2.202.228 appears to have succeeded. The control panel on my XP-SP3 still shows 11.1.102.63 Active X installed. If I delete this program, will I have flash on my IE from the 11.2 installation? Anybody know?

  9. Daniel

    The bigger problem is that all these updates don’t play well with the various sites that use flash. Ever since the last security update the play button on youtube videos disappeared when running the latest version of firefox. It’s not a problem in IE.

    IMO everyone is rushing out security updates so fast that compatibility is going straight out the window. The primary reason these days that I’m more secure is because everything is broken so I can’t use it.

    1. JCitizen

      All three of my browsers, IE9, FireFox, and Dragon(Chrome) work well with Vista x64 Home Premium. I haven’t tried the latest with XP, but will soon. All videos test nominal so far.

  10. Marvin the Martian

    I guess I’m torn on the issue. On the one hand, I want to say, “Good on, ya, Adobe, for finding and fixing the flaw in your code.” On the other hand, I want to say, “Really? Again? This soon?”

    I’ll update and carry on, as always.

  11. xAdmin

    Auto-update mechanism? It actually installs a service called “Adobe Flash Player Update Service” (listed under Services of Computer Management) that runs every hour on the hour (according to the system event logs) even if you’ve told Flash Player to NEVER check for updates!!! Grrrrr… I had to kill it (set the service to “Disabled”), so it shouldn’t be able to willy-nilly start itself anymore. Stupid Adobe, I really don’t appreciate services starting/stopping when I’ve told the software to turn off that functionality. I highly manage my systems and stay abreast of security news/updates, thus all auto update type functions are disabled (except daily AV definition file updates). Instead, I prefer to evaluate things myself before deciding to install an update.

    1. Xircal

      Disabling the service doesn’t disable the auto updater since the latter runs via Windows Task Scheduler. You need to disable it in there too.

      1. xAdmin

        Thanks! That’s some sneaky crap Adobe is pulling! I found the scheduled task under the administrator account that was used to install Flash Player. It wasn’t listed though under the limited user account I use for day-to-day stuff (Windows XP Pro). Regardless, setting the service to disabled and using the limited user account stopped any auto-update activity. I still disabled the scheduled task under the administrator account! Grrr…..

        1. JimV

          I didn’t merely disable the Adobe updater in Task Scheduler, I deleted it AND the Google Updater (both of which had previously been disabled in startup programs and services). Thanks for the heads-up….

          This type of default setting in multiple-layered structure among vendors is partly understandable — they’re trying to protect their business reputations and market positions by NOT becoming the latest publicly-outed malware-vector-du-jour — but this behavior is really beginning to chap my backside something fierce!

    2. Notify me of followup comments via Morse Code

      Don’t you LOVE THIS behavior?

      More often than not, if it’s not spyware and/or a browser toolbar install, proprietary “freeware” wants to shove another service down your throat to eat up memory and possibly spy on you even more.

      Welcome to Windows.

      It’s amusing how many Windows users I’ve met who, when confronted with odd bugs, OS behavior, infected systems, programs acting in ways they shouldn’t, just excuse the behavior because it’s “Windows.”

      This is especially true for some people who survived through Windows 98 and the blue screens, never forget those days of the POS OS.

  12. John

    If you use the Vista 64-bit operating system, you can’t get this Flash update, or any future Flash update, because Adobe has dropped all Flash support for that operating system. That’s right, if you use a 32-bit browser on a Vista x64 computer, no Flash update is available. When you attempt to update Flash on a Vista x64 computer, using a 32-bit browser, Adobe’s web site displays the error message “Flash Player does not support 64-bit versions of Windows XP and Vista.” (I use the 32-bit versions of IE9 and Firefox.) Vista isn’t that old, and it’s irresponsible for Adobe to halt Flash security updates on the 64-bit version of that operating system.

    1. benn

      So does that mean that since I run Vista64 that if I’m using Flash I have a “security concern” due to not using the patched update?

    2. JCitizen

      Huh? It installed and tested fine on Vista Home Premium x64 for me?!

  13. RESIST THE LIZARD OVERLORDS! THEY ARE VERMIN!

    “Everything we see has some hidden message. A lot of awful messages are coming in under the radar – subliminal consumer messages, all kinds of politically incorrect messages…” – Harold Ramis

    “RFID in School Shirts must be trial run”

    The trial runs began a LONG time ago!

    We’re way past that process.

    Now we’re in the portion of the game where they will try and BRAINWASH us into accepting these things because not everyone BROADCASTS themselves on and offline, so RFID tracking will NEED to be EVERYWHERE, eventually.

    RFID is employed in MANY areas of society. RFID is used to TRACK their livestock (humans) in:

    * 1. A lot of BANK’s ATM & DEBIT cards (easily cloned and tracked)
    * 2. Subway, rail, bus, other mass transit passes (all of your daily
    activities, where you go, are being recorded in many ways)
    * 3. A lot of RETAIL stores’ goods
    * 4. Corporate slaves (in badges, tags, etc)

    and many more ways!

    Search the web about RFID and look at the pictures of various RFID devices, they’re not all the same in form or function! When you see how tiny some of them are, you’ll be amazed! Search for GPS tracking and devices, too along with the more obscured:

    – FM Fingerprinting &
    – Writeprint

    tracking methods! Let’s not forget the LIQUIDS at their disposal which can be sprayed on you and/or your devices/clothing and TRACKED, similar to STASI methods of tracking their livestock (humans).

    Visit David Icke’s and Prison Planet’s discussion forums and VC’s discussion forums and READ the threads about RFID and electronic tagging, PARTICIPATE in discussions. SHARE what you know with others!

    These TRACKING technologies, on and off the net are being THROWN at us by the MEDIA, just as cigarettes and alcohol have and continue to be, though the former less than they used to. The effort to get you to join FACEBOOK and TWITTER, for example, is EVERYWHERE.

    Maybe, you think, you’ll join FACEBOOK or TWITTER with an innocent reason, in part perhaps because your family, friends, business parters, college ties want or need you. Then it’ll start with one photo of yourself or you in a group, then another, then another, and pretty soon you are telling STRANGERS as far away as NIGERIA with scammers reading and archiving your PERSONAL LIFE and many of these CRIMINALS have the MEANS and MOTIVES to use it how they please.

    One family was astonished to discover a photo of theirs was being used in an ADVERTISEMENT (on one of those BILLBOARDS you pass by on the road) in ANOTHER COUNTRY! There are other stories. I’ve witnessed people posting their photo in social networking sites, only to have others who dis/like them COPY the photo and use it for THEIR photo! It’s a complete mess.

    The whole GAME stretches much farther than the simple RFID device(s), but how far are you willing to READ about these types of instrusive technologies? If you’ve heard, Wikileaks exposed corporations selling SPYWARE in software and hardware form to GOVERNMENTS!

    You have to wonder, “Will my anti-malware program actually DISCOVER government controlled malware? Or has it been WHITELISTED? or obscured to the point where it cannot be detected? Does it carve a nest for itself in your hardware devices’ FIRMWARE, what about your BIOS?

    Has your graphics card been poisoned, too?” No anti virus programs scan your FIRMWARE on your devices, especially not your ROUTERS which often contain commercially rubber stamped approval of BACKDOORS for certain organizations which hackers may be exploiting right now! Search on the web for CISCO routers and BACKDOORS. That is one of many examples.

    Some struggle for privacy, some argue about it, some take preventitive measures, but those who are wise know:

    Privacy is DEAD. You’ve just never seen the tombstone.

  14. Charlie

    Adobe *IS* still updating Flash for Mac OSX 10.5 Leopard. The latest version of Flash for that is 10,3,183,18, which was released on March 20, 2012. This is in contrast to Apple, which has not updated Java (or issued any other security updates) for Leopard since early July 2011.

    Some of the important programs that I use regularly are incompatible with newer versions of Mac OSX, or require costly upgrades, thus I’m still using Leopard.

  15. Dennis Whitehead

    This might simply be a coincidence, but after updating Flash, my MLB-TV last evening had the video frequently and repeatedly freeze while the audio continued to play. Using Firefox (11.0) on Windows Vista (32-bit) with NexDef Plugin (4.2.21.MLB_10_25) & Flash player (WIN 11.2.202.228).

  16. "THEY" downvote because "THEY" don't want YOU to know the TRUTH, "THEY" are IN ON THE GAME!

    “RFID in School Shirts must be trial run”

    The trial runs began a LONG time ago!

    We’re way past that process.

    Now we’re in the portion of the game where they will try and BRAINWASH us into accepting these things because not everyone BROADCASTS themselves on and offline, so RFID tracking will NEED to be EVERYWHERE, eventually.

    RFID is employed in MANY areas of society. RFID is used to TRACK their livestock (humans) in:

    * 1. A lot of BANK’s ATM & DEBIT cards (easily cloned and tracked)
    * 2. Subway, rail, bus, other mass transit passes (all of your daily
    activities, where you go, are being recorded in many ways)
    * 3. A lot of RETAIL stores’ goods
    * 4. Corporate slaves (in badges, tags, etc)

    and many more ways!

    Search the web about RFID and look at the pictures of various RFID devices, they’re not all the same in form or function! When you see how tiny some of them are, you’ll be amazed! Search for GPS tracking and devices, too along with the more obscured:

    – FM Fingerprinting &
    – Writeprint

    tracking methods! Let’s not forget the LIQUIDS at their disposal which can be sprayed on you and/or your devices/clothing and TRACKED, similar to STASI methods of tracking their livestock (humans).

    Visit David Icke’s and Prison Planet’s discussion forums and VC’s discussion forums and READ the threads about RFID and electronic tagging, PARTICIPATE in discussions. SHARE what you know with others!

    These TRACKING technologies, on and off the net are being THROWN at us by the MEDIA, just as cigarettes and alcohol have and continue to be, though the former less than they used to. The effort to get you to join FACEBOOK and TWITTER, for example, is EVERYWHERE.

    Maybe, you think, you’ll join FACEBOOK or TWITTER with an innocent reason, in part perhaps because your family, friends, business parters, college ties want or need you. Then it’ll start with one photo of yourself or you in a group, then another, then another, and pretty soon you are telling STRANGERS as far away as NIGERIA with scammers reading and archiving your PERSONAL LIFE and many of these CRIMINALS have the MEANS and MOTIVES to use it how they please.

    One family was astonished to discover a photo of theirs was being used in an ADVERTISEMENT (on one of those BILLBOARDS you pass by on the road) in ANOTHER COUNTRY! There are other stories. I’ve witnessed people posting their photo in social networking sites, only to have others who dis/like them COPY the photo and use it for THEIR photo! It’s a complete mess.

    The whole GAME stretches much farther than the simple RFID device(s), but how far are you willing to READ about these types of instrusive technologies? If you’ve heard, Wikileaks exposed corporations selling SPYWARE in software and hardware form to GOVERNMENTS!

    You have to wonder, “Will my anti-malware program actually DISCOVER government controlled malware? Or has it been WHITELISTED? or obscured to the point where it cannot be detected? Does it carve a nest for itself in your hardware devices’ FIRMWARE, what about your BIOS?

    Has your graphics card been poisoned, too?” No anti virus programs scan your FIRMWARE on your devices, especially not your ROUTERS which often contain commercially rubber stamped approval of BACKDOORS for certain organizations which hackers may be exploiting right now! Search on the web for CISCO routers and BACKDOORS. That is one of many examples.

    Some struggle for privacy, some argue about it, some take preventitive measures, but those who are wise know:

    Privacy is DEAD. You’ve just never seen the tombstone.

  17. thumb me down again, windows lovers, YOU CAN'T HANDLE THE TRUTH

    Don’t you LOVE THIS behavior?

    More often than not, if it’s not spyware and/or a browser toolbar install, proprietary “freeware” wants to shove another service down your throat to eat up memory and possibly spy on you even more.

    Welcome to Windows.

    It’s amusing how many Windows users I’ve met who, when confronted with odd bugs, OS behavior, infected systems, programs acting in ways they shouldn’t, just excuse the behavior because it’s “Windows.”

    This is especially true for some people who survived through Windows 98 and the blue screens, never forget those days of the POS OS.

  18. Peter Brewster

    Does anybody know if the Google toolbar uncheck persists through the auto-update?

    1. JCitizen

      We’ll just have to wait for the next update to really know. Gotta love Adobe! :p

  19. AJ

    Adobe has, for me, been one big PITA. Nothing but trouble with conflicts and hassles.

  20. Stratocaster

    Now here it is a couple weeks further down the road, and Chrome has STILL not updated its internal Flash Player to 11.2.202.233, even though that is the current Chrome version listed on the Adobe Web site. I downloaded and ran the standalone installer, but the Chrome version number did not change.

Comments are closed.