Adobe has released a critical software update to fix nearly two-dozen security holes in its Flash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes.
If you use and need Flash Player, it’s time to update the program (the latest version is 19.0.0.185 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest. Find out if you have Flash installed and its current version number by visiting this page.
Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.
If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.
If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
SHOCKWAVE SHOCKER
In other Adobe patch news, on Sept. 8, 2015 I urged readers who have the Shockwave media player installed to update to the latest version or else junk the program altogether. In a post more than a year ago, I outlined Why You Should Ditch Adobe Shockwave, noting that the program bundles a component of Adobe Flash that was more than 15 months behind on security updates.
I checked back with Adobe last week to find out whether the version of Shockwave that the company released earlier this month is caught up on Flash flaws. Turns out, it’s still woefully behind. The version of Shockwave released just two weeks ago bundles the Flash runtime 16.0.0.305, a version of Flash that Adobe released in February 2015.
Translation: The version of Shockwave that Adobe released two weeks ago lacks fixes for a whopping 155 vulnerabilities in Flash that can be used to backdoor virtually any computer running it! Included in those missing fixes are patches for a half-dozen Flash flaws that were being actively exploited at the time they were fixed in Flash Player.
Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.
The fifth paragraph seems to begin stating something to beware of about MSS — “but beware potentially unwanted add-ons, like McAfee Security Scan” — then stops?
It stops because that’s the end of the sentence. The Flash installer bundles MSS. What’s unclear, exactly?
“but beware OF potentially unwanted add-ons…” might have been more clear.
Simply put, the MSS installer is included by default and as a caution Brian let us know that we could uncheck it before downloading the latest update installer.
That makes no sense, the wording is just fine.
Beware means to be cautious of. So, what you’re proposing is that Mr. Krebs word his sentence to say “be cautious of of potentially unwanted add-ons.”
As Shakespeare once wrote: “Beware the ides of March.”
The more you know! 😎
I hate being proof read by others. It made perfect sense, just re read the sentence.
The sentence is indeed perfectly clear. What Proof Reader may have been referring to is that Brian doesn’t share with us the reasons why we might not want to install McAfee Security Scan. Maybe it’s covered elsewhere in this excellent blog, but not in this post.
McAfee Security Scan is bloatware plain and simple. It basically replicates existing security checks built into modern versions of Windows. Read here for more on this:
http://tiptopsecurity.com/what-is-mcafee-security-scan-should-i-uninstall-it-from-my-computer/
I am confused. Can I install Scockwave and then install the latest version of Flash Player to avoid all of the dangers? My child needs both for school to work on Pearson successNet.
Shockwave is not Flash, but it bundles a version of Flash (a very old, insecure version that can be invoked to compromise your computer). There is no secure way to run Shockwave unless and until Adobe updates it with the latest Flash runtime.
If you need to run Flash, I’d recommend using Chrome, which auto-updates Flash to the latest version and often has the fixes installed even before Adobe releases them.
I’m also concerned about a school full of minors who are required to be surfing the web with vulnerable software, probably on the same computers their parents use to do their banking and taxes. Is there some family-friendly web page that demonstrates the vulnerabilities in a way that those teachers can understand, so the parent can direct them to a URL that will clue them in? … something along the lines of the “Conficker eye test” page?
Archived Flash Versions page (https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html) is also always behind current updates.
Uninstalling from IE doesn’t seem to work. On the webpage to test for installation I keep seeing an image inside the box that seems to be the animation indicating that “v. 12.1.3r153 Installation Complete”
Any insights or is this just the invitation to install rather than the active animation indicating that it is installed…..
You need to uninstall Adobe Flash from the Windows “Programs and Features” control panel.
Unreal, it never stops with Flash!
One might assume there are confidential pre-release communications between Adobe and Firefox regarding something as important as Flash updates, but apparently not: My Firefox’s plugin check still indicates that Version 18.0.0.232 is “Up to Date…”
https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
I think I’ll wait a day or two for others to finish the beta testing. 😉
I thought I’d install the Flash update right away while Likes2LOL tests the vulnerabilities that the update fixes.
FWIW, I’ve never had an issue with Flash updates causing computer mayhem, knock on wood.
Don’t spoil it for him Harry, maybe that is why he Likes2LOL; because it is very entertaining to see what happens to a browser in a virtual machine while it is under attack with a known vulnerability on board. 😉
All right, Harry and JCitizen, your point is well taken — I can’t remember any poorly crafted Flash updates that caused problems either. (It’s the Microsoft updates that are buggy.)
For example, I still bear the scars of a poorly tested Microsoft 2000 update SNAFU that broke fastfat.sys, a driver needed for MS Office to write files to a floppy. At the time, I was the caretaker of a classroom full of PCs used for trainings, and suddenly none of the students could save their work to their floppies. There was a lot of chaos and distress, and everybody slammed ME because I was responsible for the upkeep of the PCs. After sleuthing the problem and Microsoft issuing an emergency patch to fix their previous defective patch, I opted to become a little more deliberative as to when I applied any updates.
Anyone remember when the Microsoft Security Essentials update flagged Google Chrome as a false positive? From Microsoft at the time: “On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed. Within a few hours, Microsoft released an update that addresses the issue. Signature versions 1.113.672.0 and higher include this update. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. After updating the definitions, reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.”
Maybe Bill Gates desire to not wanting to see people using iPods instead of Zunes in the office bled over to not bothering to test MSE updates on the competitors’ browsers? 😉
Application updates rarely cause the same problems as OS updates. The two can hardly be compared. As an interesting example, I had Ubuntu update itself once and it completely hosed the GRUB 2 bootloader. The system would literally not start. It took hours online in their support forums to get the issue resolved. By comparison, I’ve never had an MS update issue that couldn’t be fixed with a system restore rollback or by uninstalling the update.
Adobe will not auto-update through Firefox – even if it is supposed to I’ve never seen it work successfully. The only recourse is to follow Brian’s links to the Adobe download page, or save it as a favorite and check it constantly, and restart Firefox to test the installation. You can download the proper version by clicking the link on the left side of that page to select your operating system and browser you are trying to update. That way it doesn’t matter what browser you use to download the particular flash version you need. However, you do need to be using the particular browser you want to test to see if the animation works and the version number matches.
If you have a portable browser it will have to be closed and restarted manually to install the new version. I would NOT wait to update flash, as that makes you a zero day target!! It has been my experience that as long as you have a new version, and you run as a limited user in the OS environment, you will not be compromised by malware attacks. The code the criminals use has to be tuned to the version with known vulnerabilities – new versions rarely respond to attacks. You would be better off simply getting rid of flash until a page you need to view, and trust, prompts you to download it. More and more web sites no longer need the PC based application. HTML-5 is taking care of that, with the exception of web-sites that have lazy or cheap managers who are not updating the server side.
It has worked on occasion with Firefox for me, but to be safe I don’t wait for that to happen …
I should point out that the unbundled (NPAPI, for Firefox/Iceweasel/etc. users) version of the Flash plugin is still maintained on an older base version. Today’s patch update version for Linux is 11.2.202.521.
It is available through both Adobe’s Linux deb/rpm package repositories as well as through a flashplugin-installer update for Ubuntu.
(Linux Chrome users make use of the PPAPI version of Flash which is bundled with Chrome itself.)
Some Chrome variants only work by downloading that update manually; not all of them can do it automatically.
Any version of Flash has at least two dozen unknown to the public negative day exploits at any given time. Anyone who keeps using it is a dope in denial.
Yes, I know, some stupid old sites that are refugees from the late 90s still need it. Find alternatives. I did. Or if you absolutely must use Flash, use it in a VM. Ditto for Java in your browser.
I know people that have subscriptions to the game site Pogo and I believe that Flash is required for that site.
You lost me at “negative day exploits.” Anybody that makes up terminology is a dope in denial and doesn’t know what they’re talking about..
that’s a very negative day attitude to have
I looked on my calendar, there is no zero day on it, so I think I’m safe. Whew.
Flash-free here for the last 6 months. It doesn’t even cross my mind that I’m missing it anymore.
I also got my wife to get rid of it about a month ago. I thought it was going to be more difficult with her, but she understands the risks. She says she also never notices its missing.
Dump flash. It’s done.
Brian, as Todd Vierling points out, the most recent NPAPI version of Flash Player for Linux is 11.2.202.521, but it’s deemed an Extended Support Release, which I assume means that while it doesn’t have all the capabilities of 19.0.0.185, it has all the security patches. Might this be the case for Shockwave Player’s 16.0.0.305 as well?
No. I checked with Adobe, and they confirmed my findings.
Is the Flash version bundled with Shockwave integrated into Shockwave in such a way that you essentially have an old version of Flash running inside Shockwave even if your regular Flash install is up-to-date?
Yes.
Plugins are generally designed to work in isolation, they don’t use other things that may/may not be present (specifically because they may not be present).
I have a problem.
On my Windows 10 system Adobe Flash is uninstallable, and the About page shows it’s an old version.18,0,0,232.
The Adobe uninstaller for both Flash and Shockwave won’t get rid of it. I’ve tried everything.
It appeared as a control panel after I upgraded from Windows 7 to Windows 10.
Maybe try an uninstaller program such a Revo Unintstaller.
In Windows 8 and higher, Flash is built into Internet Explorer and Edge in Windows 10. You’ll get the update for it from Microsoft, not Adobe. While you can’t remove it you can disable the plugin.
With Flash being such a big problem. If I can’t have Windows anymore without having Flash, then I no longer have a reason to use Windows. My mind was pretty much made up as it is. But there is absolutely no justifiable reason to subject myself to all this nonsense.
If both Flash (fully patched) and Shockwave (vulnerable) are installed is there a way of forcing the browser to use Shockwaves flash to exploit the user?
Absolutely. Flash and Shockwave are invoked in completely different ways.
How am I supposed to be able to simply uninstall Shockwave when both Netflix (at least back when I subscribed) and Amazon Prime Instant Video use it to play streaming videos in Windows?
i think Netflix uses Silverlight not shockwave!!
You’re right. So does Amazon. I got the two confused. Thanks goodness.
I have not used, nor had installed, Shockwave for years. When required MS Silverlight was once considered safer and up-dated/patched as needed much quicker than the Adobe product. Now I am using Windows X as an OS and find that I still use Firefox (primarily because of FVD Speed Dial) for the majority of my on-line use. I have maintained whatever updates from Adobe for Flash, and have also required it to ask to activate whenever a site uses Flash. Microsoft Edge is really a better browser than Firefox, but since it is essentially sand-boxed, it will not allow add-on’s like FVD or a proprietary Google application that I use every day. If I must use Flash I normally do so via Edge.
MS updated Flash via their Windows X update services yesterday. Firefox had to be done manually. Both without incident.
Dumb question… what is the difference between Flash and Shockwave? Flash I know plays videos, what does Shockwave do?
Depending on how Shockwave is launched by the site, you may get an even older (almost 3 years old) version of Flash:
https://twitter.com/wdormann/status/621347437274398724
Note that my tweet was from an older version of Shockwave (12.1.9), but the latest Shockwave (12.2) provides the same Flash version.
During the process of removing Shockwave from our business environment a while back, I discovered that there are different types of shockwave installations which require different removal methods (thanks Adobe!)
If the shockwave uninstall tool doesn’t actually work on your computer (shockwave still appears in the control panel and system32 folder), that means the application was originally installed with an MSI package, and you must use that same MSI package with a /uninstall switch to remove it. OR you can just remove it from add/remove programs manually, which isn’t ideal for a business trying to deploy this change to hundreds of computers or more.
As another side note, there is currently a bug with the Flash 19 installer, where Flash 18 is being left behind in your programs list. They’re supposed to be working on a fix for that.
I also noticed that 18 wasn’t removed during 19 install. This is the only place I’m finding mention of it.
Thanks for so diligently keeping us safe, Brian! I upgraded from Windows 7 to Windows 10 a month ago and when checking Windows Update just now, I’m prompted with a notification that Flash Player tried to install an update but wasn’t able to. “There were problems installing some updates, but we will try again later. • Security Update for Internet Explorer Flash Player for Windows 10 for x64-based Systems (KB3087040) – Error 0x80004005” I’m using Internet Explorer 11 and have Flash Player version 18,0,0,232 installed, not version 19.0.0.185. Every attempt to update Flash Player manually fails. The download site says, “Flash Player is integrated with Internet Explorer in Windows 10.
You do not need to install Flash Player.” Should I just wait for Windows to eventually update my computer automatically?
Go to: Action Center > All Settings > Update and Security > Windows Update. Then click on the check for updates. The original time t tried there may have been some lost packets or server delay. Have all browsers closed etc.
Thanks for your reply, Eaglewerks! I tried your suggestion but end up with the same results, and that’s the case on two computers with the same OS. “There were problems installing some updates, but we will try again later. • Security Update for Internet Explorer Flash Player for Windows 10 for x64-based Systems (KB3087040) – Error 0x80004005”
An additional suggestion: “Fast Startup” (which is on by default) Should be turned off. The reason is that sometimes a cache is created that causes some systems (on rare occasion) to respond as yours seems to be doing. Once you have turned off Fast Startup (search the net for directions) then turn off your system, then turn it back on and you should see a longer start-up procedure. Once you have the longer boot time then follow again the directions in my original post to you above. If you still get the same or similar error then it’s time to telephone Microsoft. Good Luck.
I am running a system that uses an Intel motherboard with a Phoenix Bios and running Windows 10 Pro, 64 bit.
Thanks once more, Eaglewerks! I very much appreciate your suggestion and will definitely keep that valuable tip for future reference. What happened: Before I started that possible fix you suggested, I ran the update one more time, and it succeeded without any glitches. Why the Flash Player update came through Windows Update with such delay is a mystery to me, but I’m glad it’s done. My OS is also Windows 10 Pro, 64-bit.
If you have the Adobe AIR runtime installed, it also needs to be updated due to security vulnerabilities. The latest version for Windows and Mac is 19.0.0.190, which was released on September 21.
You can see whether you have it installed on Windows by looking in “Control Panel/Programs and Features”. If it appears and you want to remove it, select the item and choose “Change/Remove”.
On a Mac, look in the “Applications/Utilities” folder to see whether the “Adobe AIR Uninstaller” is present. If it is, then Adobe AIR is installed. Simply run the uninstaller to remove the product.
Note that some applications may require Adobe AIR, and they may have originally installed it for you (but likely didn’t keep it updated). In that case, if Adobe AIR is removed, those apps will not function correctly.
Thanks for offering your help, David, but I don’t have Adobe Air installed.
> I hate being proof read by others.
But that’s how proofreading (which is one word) works, ideally. (Granted, a correction was not necessary for this article. Though there was some minor semicolon abuse & there’s no hyphen in reenable.) Even the most fastidious writers need a second pair of eyeballs, otherwise “glitches” like missing words (usually a verb) slip through.
> It made perfect sense, just re read the sentence.
& reread is one word.
[tongue-face]
Whether or not to use a hyphen after the prefix “re” is a style matter. “Re read” is of course wrong, but “re-enable” is not necessarily wrong.
I am removing Shockwave and Flash and using Chrome. I got malware on a FireFox Flash plug in complete with 800#