June 17, 2016

Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

brokenflash-aThe latest update brings Flash to v. for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually check for updates in Chrome an restart the browser to get the latest Flash version).

For some reason that probably has nothing to do with security, Adobe has decided to stop distributing direct links to its Flash Player software. According to the company’s Flash distribution page, on June 30, 2016 Adobe will decommission direct links to various Flash Player downloads. This will essentially force Flash users to update the program using its built-in automatic updates feature (which sometimes takes days to notice a new security update is available), or to install the program from the company’s Flash Home page — a download that currently bundles McAfee Security Scan Plus and a product called True Key by Intel Security.

Anything that makes it less likely users will update Flash seems like a bad idea, especially when we’re talking about a program that often needs security fixes more than once a month.

43 thoughts on “Adobe Update Plugs Flash Player Zero-Day

  1. Bruce Hobbs

    Note the following warning from Chrome: “This computer will no longer receive Google Chrome updates because Mac OS X 10.6, 10.7, and 10.8 are no longer supported.” There is a good chance this also includes any updates to Flash. You may want to switch to another browser.

    1. SalSte

      That’s because none of those operating systems are supported by Apple anymore. Google has been doing a one year after OS end of life support pattern with both Windows and OS X.

      1. twinmustangranchdressing

        Except that Google no longer updates Chrome on Windows Vista even though Vista is still getting security updates from Microsoft.

      2. Bruce Hobbs

        Even though Apple may no longer support Mac OS X 10.6.8, Firefox (Ver. 47.0) and Flash ( still do. Life is good. I’m waiting for the new MacBook Pros come out any … day … now.

    2. svim

      Also note Google dropped support for Chrome in 32-bit Linux. As Linux runs on older hardware quite well this makes makes Flash support even less capable for Linux systems. Adobe deprecated its support for Linux by only updating a very, very dated 11.x version so Google is actually supporting Flash for Linux better than Adobe does for its own product. But now Chrome for 32-bit Linux is frozen at ver. 48.x so Flash is also frozen at ver. 21.00.213.

  2. Mikey

    do the breached companies notify the software co of the vuln or is it a lack of patching?

  3. Ralph

    It just occurred to me that Adobe benefits from Flash being so buggy. Ten or twelve times a year, everyone has to think about Adobe’s Flash Player. Even those who don’t use it continue to hear about it. Eventually it becomes embedded in our consciousness. It validates that saying, “there’s no such thing as bad publicity.”

    If it weren’t so buggy, it wouldn’t matter whether or not people were aware of it. Having the most recent version would become so much less important. The nuisance factor would become more obvious.

    1. James

      Only when having a product associated with poop in everyone’s minds every time they think of it is considered a great thing….

  4. Alan

    Even with the distribution page, updating can be a nightmare. I grabbed the MSIs for Explorer and Firefox. The Active-X version installed although I did get the usual “The version of the Player that you are trying to install is lower than what is currently installed”. I have been getting this stupid message for years even though the version I’m always installing the latest release over the prior release. I got the same stupid message on the regular version update and it refused to update. I downloaded the EXE version and that worked, with the same message again. Updating Flash is the software equivalent of getting a root canal.

  5. Dennis Kavanaugh

    I hope it comes as no surprise that Adobe has somehow managed to maintain some market dominance and therefore profitability in spite of the fact that they clearly do not, and have not, utilized any secure software development capability, ever. The continued emergence of the number and type of vulnerabilities indicates they are very happy to save lots of money employing low end developers, then fixing the software later as bugs are identified. As consumers in a free society, it is sad to see how we behave like sheep and keep them in business rather than voicing our displeasure by evicting them from our lives.

    1. Pete

      “As consumers in a free society, it is sad to see how we behave like sheep…”

      …er, right…except that “free” is a relative term. Measured by the amount of suffocating regulation and crippling taxation we endure today, we are less free than we were 200 years ago. Why? Because the price of freedom is responsibility, and the sheep have increasingly become accustomed to demanding that the state take responsibility for them.

      When it comes to computers+the web, taking responsibility requires knowledge most people don’t have. In my experience, the average user is barely even aware of the subject of security, let alone have any idea how to take responsibility for it. Hence, the entrenchment of inferior software (which you correctly identified) becomes institutionalized via ignorance plus static inertia.

      It would take an enlightened market of users to give Flash the boot. Alas, that’s unlikely to happen; the masses will continue to behave like sheep. What’s more likely is that web application and content developers will simply continue the existing trend of gradually supplanting Flash with better software technologies.

  6. SalSte

    Adobe has been threatening to shut down the direct download site since March, but they keep moving the deadline back. Maybe they’ll do the same again?

    If not, there are still a few sites that have copies of Ninite’s old Flash updater that will install both the IE (pre-Windows 10) and plug-in versions.

  7. zeke

    “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).”

    The important thing about this one is that even if you don’t normally (at least deliberately) use IE, there’s plenty of stuff that uses IE for HTML rendering. Thus, if a flawed version of the ActiveX version of Flash installed, then you may be vulnerable.

    In this particular situation, it’s worth uninstalling the ActiveX version of Flash — even if you want/need in another browser, it’s unlikely that you’ll need Flash, if something is using IE.

    Parallel item — it’s also essential to make sure that you update AdobeAIR, and there’s also an update for that one.

    AIR is a tool that allows for Flash-type rendering in things outside a browser, and tends to be susceptible to the same exploits as Flash is. One prominent user of AIR are the manufacturer-installed management tools that come bundled with Lenovo machines (such as Lenovo Service Center). There may be plenty of cases where AIR is installed, Just In Case, and where it’s safe to delete, but if you have something like Lenovo Service Center installed, then removal of AIR will break that. Thus, when there’s a security update for Flash, assume that there will be a corresponding update for AIR, and it’s essential to get that one updated, too.

    One other tool that I know of that uses AIR is Lego Digital Designer.

    1. James Edward Lewis II

      The Pandora One app is another notable app that relies on AIR; also, if an AIR app is launched shortly after an AIR update is available, it will request that update, but it doesn’t show up for the first couple days after the update was actually released.

      1. zeke

        For both Flash and AIR, Adobe does have auto-update capacities, but my experience is that they’re slow on pushing them.

        With Flash, even if you have it set either to auto-install updates or notify of updates, it takes several days (and possibly a system reboot) before anything happens. Handling of AIR is also slow.

        Moral of the story: if you know of security updates from Adobe, don’t wait for automatic handling — go get the updates yourself, and install immediately.

  8. rei

    Brian: the version should be ****

    192 is the old, vulnerable version. There are no downloads at the MSI download page for 242 yet. Chrome has auto-updated and MS put up 242 on WindowsUpdate yesterday.

    1. Stratocaster

      No, the new version is 22…192. The old version you are mistaking was 21…192, which was replaced by 21…242 — which has now been replaced with 22…192 as Brian states.

      1. Likes2LOL

        I’m still watching with with bated breath to see if the “.0.0.” numbers in the middle of the version numbers is ever going to change again. 😉

        What a goofball company and product millions of computers are using and being vulnerable to!

        P.S. to Brian: Thanks, as always, for the notice and explanation. BTW, whatever happened to the box to tick off and subscribe for automatic emails of further comments when you add a comment? Too much of a hassle, or a security threat of some sort? I really liked getting the follow-up replies automatically…

  9. Pete

    True Key is a password manager (Intel Security is the artist formerly known as McAfee).
    Everybody eventually needs a password manager, to use different passwords for everything. I don’t trust any of the current ones. I use a manual non-cloud method.
    True Key has the potential to be the first cloud one I trust, but at present I find it a wet mess and am waiting for it to grow up.

    1. Bruce Hobbs

      I don’t trust any password manager just as I don’t voluntarily trust anyone with all my credit card numbers. If they get breached, you’re in for a world of hurt.

    2. EstherD

      Any piece of software that starts out as a “wet mess” is never, *ever* going to “grow up” to be anything that can be even remotely considered “trustworthy”. Trust me on that…

  10. JimV

    If your system happens to be running Windows 10, it doesn’t appear a manual process of installing the ActiveX version downloaded through Adobe’s site is allowed by the OS — generates an error message, and you must wait for some indeterminate period until MS issues its own patch (which of course is eventually downloaded and installed automatically, a quirk and ‘feature’ that I thoroughly detest).

  11. Likes2LOL

    This patch “fixes three dozen security holes in the widely-used browser plugin” — Does anybody elese wonder, “How on Earth could some plug-in module to a browser be so riddled full of security flaws?”

    I mean, after all, it’s on Version 22+; I am not a programmer, but it just boggles my mind how the code could be so poorly crafted, version after version after version… What is it that I’m not understanding here? Are they adding security holes on purpose, so they can fix them later?

    1. timeless

      Flash is composed of millions of lines of code. It’s hard to reason through all possible interactions.

      > Does anybody elese [sic] wonder,

      You wrote about one paragraph of text and have at least one error in it. I’m not going to look for others. You can fix the mistake I’ve reported to you, and then someone else can look for additional mistakes in your corrected post.

      Programming is very much like writing a novel. Except that you’re writing much more than your average novelist, and you aren’t doing it alone. Also, there’s a significant reward available for finding errors.

      Have you ever watched a movie/read a book or series and noticed a continuity error? Effectively, in software, that’s a bug, and if the continuity error should allow a criminal to get away (maybe the protagonist shot seven times with as six shooter?), then that’s the equivalent of a security hole.

      Big software projects (browsers, plugins, operating systems) are written by teams of hundreds or thousands of people often over the course of decades.

  12. BillC

    Thanks Brian. Downloaded Firefox version on Windows 10 with no problem using automated updates feature. Takes about one second to uncheck the bloatware, so why the outcry??

    1. EstherD

      How about: Because all it takes is *one* brief moment of inattention, or a *single* trigger-happy click at the wrong time, and you’ll potentially have a mess on your hands that might take a hour or more to clean up?

  13. twinmustangranchdressing

    I see that Solaris was dropped from the table on the above page that shows the various version numbers, and ChromeOS (sic) was added. I wonder why the version of Flash Player for the Chrome web browser on Chrome OS might differ from the version for that web browser on any other OS.

    1. timeless

      The most basic reason is that Google manages the Chrome OS builds of Flash. They probably also have slightly different bits (possibly additional changes for Chrome OS which haven’t been merged into mainline Flash).

  14. Brian Fiori (AKA T he Dean)

    As much as I’d love to dump Flash, there are still a few websites I use regularly that require it. And the same goes for most of my clients. Thankfully, I’ve weaned most of them off Java. However, I do require my browser to let me decide whether or not to run it.

    And for the record, there are direct downloads for Flash.


    IE (Windows 7 and earlier):

    And, if for some reason, these can’t be posted (though I can’t see why not), go here, and scroll to the bottom of the page for the direct download links:

  15. Pat C.

    I have Flash Player but it only works when I tell it to. Case in point – If I need it to view whatever I get a request from my browser to activate Flash – Y/N – so I choose. I don’t trust automatic updates so I check manually. Flash is Flash; use it or don’t. Some sites won’t work without it. Is there an substitute for it? Please tell me.

    1. CplDaniel

      Funny. I remember that being the case for years, but now when I go to my one site that needs flash (which I of course have disabled), it doesn’t say anything. And on every media page of that site someone posts “hey the video isn’t working” at least since MS and Google disabled flash by default a couple months ago.

  16. CplDaniel

    It would be nice if MS had a small enable/disable Flash button on the in the corner space just above the navigation bar of the Desktop version of I.E.
    I hate manually enable/disable through drop menus and manage_ad-ons every time I go to and leave the RoosterTeeth media pages.

  17. Silas

    I ‘worked’ for a nfp as IT Manager, one thing I did was to make sure that I removed flash from all the machines, I did a technical brief to the executive and explained why it needed to be so…
    I was then ‘TOLD” to install it back on certain machines so that staff could access ‘content’
    None of that ‘content’ was actually work related !!

    Hence the ‘worked’ 🙂

    There are two sides, those that support it, and those that still use it, BOTH need to stop, anyone who has ANY interest in security knows better by now?

  18. Mike

    You can have it which ever way you want it. If you want Flash then relax in the comfort of knowing that you are vulnerable.

    When you goto a website that requires Flash in order to function (like Youtube, Vimeo, or speedtest websites) then you are agreeing that you are perfectly ok with being vulnerable. It’s not like you are going to and using these websites without knowing anything about what Flash is. You therefore have no leg to stand on to complain. The answer here is so simple. Perhaps too simple. Remove Flash from your computers and/or devices (even if that means using a different OS and/or browser). Stop going to websites that require Flash (no matter what that site is).

    When a website forces you into Flash, that site (and those that run it) are telling you that they do NOT care anything about you, your safety, your data, your computer, your identity, or your level of pain and grief. That’s not even to mention how little they care about their own servers, code, data, and network. The fact that THEY screw up THEIR website by using this crap does NOT mean I have to screw up MY computer. If they want me on their site, THEY need to take control of and be more responsible with THEIR code. I am so sick of this suggestion that I am the bad guy for filtering out advertising that webmasters allow through their servers for making money. That few cents per click is just not worth compromising my ID or my computer. If filtering out certain things means breaking a website then so be it. It isn’t breaking for what I’m doing. It’s breaking for what THEY are doing to it. At they end of the day, those websites are just not worth my time or trouble.

  19. JCitizen

    Flash updated automatically this time! It rarely every does that anymore. I doubt the Avast application scanner did it, because that is a manual tool.

    Many here point out the limitations on Vista and no more Chrome support. I’m limited to only three browsers that work now. All of them still need a separate flash file. Oddly enough, what I have left runs better than it has in years!

  20. Martin Smith

    Just had to kick Chrome to update itself on a Windows 7 machine. Seems the auto update, isn’t all that auto…

  21. DM

    Brian, You know what would be way more interesting than telling us about the Flash patches, which is useful.

    Doing an article on the security issues for Voting machines. At the moment it appears many states are getting their voting machines from a company that Chavez setup in Venezuela at the urging of certain political parties wanting to change the votes. Nobody is looking into this very deeply.

  22. PaulJ

    Adobe Flash, the multi-purpose container for type confusion vulnerabilities, use-after-free vulnerabilities, heap buffer overflow vulnerabilities, and memory corruption vulnerabilities.

    I hear it does video and audio too….

  23. Wayne

    Has anyone else had problems installing Flash for Firefox? Being stuck with using Firefox because I’m running Vista (hey, it works), I downloaded the update Saturday, but Firefox keeps telling me there is no plug-in installed, and keeps crashing when I run Adobe Flash’s home page. I uninstalled and re-installed Firefox and Flash, but keep getting the same results.

  24. G.Scott H.

    Has anybody else complained to website owners over the use of flash or java or other security issues? I have. Simply “voting with your wallet” is less effective than also letting them know they are losing a visitor and why.

Comments are closed.