
Adobe Issues Critical Macromedia Flash Update

Adobe has released updated versions of its ubiquitous Macromedia Flash and Shockwave online media players, which the company said fix several critical security vulnerabilities in previous versions.

Adobe said that if a user loaded a specially crafted Shockwave file from a malicious Web site, that site could hijack that person's browser and potentially seize complete control over the visitor's computer.

Microsoft Windows users are more or less guaranteed to have Flash on their systems whether they recall installing it or not. The program was redistributed with Windows XP Service Packs 1 and 2, Windows 98, Windows 98 SE, and Windows Millennium Edition, according to a separate advisory Microsoft issued Tuesday. Adobe says updated versions of Flash Player 7 for Linux and Solaris, which contain fixes for these vulnerabilities, are also available from the Adobe Player Download Center (the link is a bit hard to find -- it's actually at the "alternates" download page).

The problem affects Flash Player versions 8.0.22.0 and earlier. To see what version you have installed, check out this link. To update, go here.

Shockwave versions 10.1.0.11 and earlier also have this problem. Updates for that player are here. In addition, you will need to update if you are using Adobe's Breeze Meeting Add-In version 5.1 and earlier, or the Flash Debug Player version 7.0.14.0 and earlier.
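An added example, not part of the original article: a small audit that flags installed versions at or below the "and earlier" thresholds quoted above. The product keys and the sample inventory are constructed for illustration, and the patched Flash Player 7 builds for Linux and Solaris are not modelled because the article gives no version numbers for them.

```python
# Thresholds copied from the article text ("version X and earlier").
# Product keys are hypothetical labels chosen for this example.
AFFECTED_MAX = {
    "flash_player": "8.0.22.0",
    "shockwave_player": "10.1.0.11",
    "breeze_meeting_addin": "5.1",
    "flash_debug_player": "7.0.14.0",
}

def parse_version(text, width=4):
    """Turn '8.0.22.0' into (8, 0, 22, 0); pad short versions with zeros."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(product, version):
    """True if version is at or below the article's threshold for product."""
    # Compare as integer tuples: as plain strings, "8.0.9.0" sorts AFTER
    # "8.0.22.0" and an old build would be reported as newer than the cutoff.
    return parse_version(version) <= parse_version(AFFECTED_MAX[product])

def audit(inventory):
    """Return (host, product, version, status) rows.

    status is 'affected', 'ok', or 'unknown' for unlisted products and
    unparseable versions, so bad data is never reported as patched.
    """
    rows = []
    for host, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            status = "unknown"
        rows.append((host, product, version, status))
    return rows

SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("pc-01", "flash_player", "8.0.22.0"),
    ("pc-02", "flash_player", "8.0.24.0"),
    ("pc-03", "flash_player", "8.0.9.0"),
    ("pc-04", "shockwave_player", "10.1.0.11"),
    ("pc-05", "breeze_meeting_addin", "5.1.0.0"),
    ("pc-06", "flash_player", "not reported"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```
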

Alternatively, if you're completely spooked by this advisory or simply don't want Flash on your system anymore, Adobe has kindly posted a program to help you uninstall it. The company also has put up instructions on how to manually remove the ActiveX Flash player from Internet Explorer.

By Brian Krebs | March 15, 2006; 11:45 AM ET | New Patches

Comments


Brian,

It's interesting. I tried to update my Flash8.ocx control inside IE6 via the Tools | Manage Add-ons dialog, which allows you to highlight a control and then press a button to update it. Well, I definitely downloaded and installed **something**, but then going to the Macromedia site to test the version still reports 8.0.22.0 and NOT the newest version 8.0.24.0. Seems like they don't have all of their update mechanisms updated themselves. Would you be interested in following up with them?

Posted by: scottr | March 15, 2006 1:02 PM

I had the same issue. Nothing seemed to happen when I tried their update.

Posted by: Ken | March 15, 2006 1:14 PM

Ken,

After I wrote the first post, I went to the Macromedia site via the links above and installed the update there. Macromedia's site still reported I had 8.0.22.0 (even though the site said the update was successful) until I closed and reopened IE. Try that and see if it helps.

Posted by: scottr | March 15, 2006 1:17 PM

Hi,

Installations can fail for a number of reasons. However, a very common one is if a program, such as a browser or IM client, is using Flash Player. The best way to guarantee you have updated properly if you are exhibiting this problem is to:

1. use the uninstaller at www.macromedia.com/go/14157
2. install the latest Flash Player from www.macromedia.com/go/getflashplayer
3. Check your version

If you continue to have problems with this installation, please file a bug report at www.macromedia.com/go/wish so we can track these issues.

Thank you!
Emmy Huang
Product Manager, Flash Player
Adobe Systems, Inc.

Posted by: Emmy Huang | March 15, 2006 1:49 PM

Emmy and Brian,

Thanks for the followup. I'll chalk the install problems up to 2 causes. First, some of the ads on this blog are themselves Flash items, so the Flash player was probably in use, and I do have an IM package running and it never occurred to me that it might be using Flash, but it does show ads, so...

Posted by: scottr | March 15, 2006 4:06 PM

Firefox users:

There are extensions to block Flash and other types of embedded music/movies pushed out by thoughtless web site designers.

Check out "Flashblock" and "Stop Autoplay"
http://addons.mozilla.org/?application=firefox

The "Noscript" extension, in addition to limiting Javascript to a whitelist of permitted sites, also has options to block Flash and other plugins.

Posted by: Ken L | March 15, 2006 4:27 PM

Macromedia continues to provide the vulnerable version of Shockwave to Admins and IT departments with a distribution license. The executable currently on the site installs Shockwave 10.1.0.11 which Macromedia says is vulnerable.

Downloading the regular installer from the Public Shockwave site gets a file that attempts to foist the Yahoo! Toolbar on unsuspecting users.

Isn't it time that Macromedia drops the bundle? A respectable software company has no business bundling an add-on program with an important security update.

Posted by: Walter H | March 15, 2006 6:40 PM

I checked out the advice in the last statement in this article "The company also has put up instructions on how to manually remove the ActiveX Flash player from Internet Explorer." at http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=3d2855d6

On this web page, under "b. Manually uninstalling the ActiveX Flash player:", instruction "vii." states ...

At the command prompt, type the following command:

regsrv32 -u flash.ocx

to remove the Flash Player.

... which caught my eye since I have always thought it was "regsVR32" (Microsoft Windows valid app) not "regsRV32." A quick Google and having the latter file is a pretty good indication that you have a virus(es).

I noticed a Macromedia rep posting here and so figured my comment will get a quicker resolution/correction to both the Macromedia web page and within this blog.

Regards,
Sam

Posted by: Sam Winston | March 15, 2006 6:58 PM

WalterH: Yes, this is a known issue that we are working to resolve. Note that the Flash 8 Asset Xtra has been updated to include the fixes for the Flash Player vulnerabilities. The vulnerability is not with Shockwave Player itself.

Sam: Actually, that technote needs some revamping to include instructions for "unlocking" the control for manual removal... I sincerely apologize that it was not ready for this launch, but I am prepping the TechNote as we speak. I will fix the typo.

Until then, we do have a note for developers with more detailed instructions for manual registration: http://www.macromedia.com/go/4da116d3

thanks for posting these issues. It would be a great help if you could log any issues you find with this update on www.macromedia.com/go/wish

best,
emmy

Posted by: Emmy Huang | March 16, 2006 1:23 AM

I'm still befuddled by these fairly ubiquitous programs having significant security holes and no notification mechanisms for updates. This means unless someone is an avid security reader or just likes to keep his software up to date, he/she's likely not to update these programs and remain vulnerable...

Posted by: Dave H | March 16, 2006 2:59 PM

Dave,

This is excellent feedback. We do intend to turn on auto-update in the coming weeks, which will send notification that there is a new version of Flash Player available to the installed base (the auto-update notification feature was built into Flash Player 7). Our general release policy is to wait a few weeks before turning it on, so that if there are major issues with the release we can catch them before pushing the notification.

But, I agree that for something like a security update we need to review this policy since a security update is not really an "optional" type of upgrade notice.

best,
Emmy

Posted by: Emmy | March 16, 2006 4:53 PM

Emmy:

Dave makes a great point for everyone, which is really who you should consider.

> Until then, we do have a note for developers with more detailed instructions for manual registration:
> http://www.macromedia.com/go/4da116d3

When I see the word developer, I normally stop reading. That's why I went back to Mac. I was spending simply too much time keeping things updated. I have not allowed my Mac to auto-update Shockwave, Flash or Adobe reader. I was very unhappy at work after discovering that I installed Shockwave Player after installing another program.

I hope Macromedia will take a stand and simply provide users a simple step to uninstall the program and reinstall it if they want to. What are Macromedia updates? A new version of the program or 'patches'? I find it funny every time I need to grab a 40 MB update for a program that was only 20 MB when I installed it. (No, I don't mean this happens with Flash or Shockwave, but you get the idea.)

Brian:

In addition, what happens with all the updates? Is the suspect part of the program 'patched,' or is the item completely removed? Or I should say, does the update use more hard drive space?

Posted by: Don | March 22, 2006 1:17 PM

A script in this movie is causing Macromedia flash 8 to run slowly. If it continues to run your computer may become unresponsive. Do you want to abort the script?

This message pops up whenever viewing a site that has advertisements. It doesn't pop up just once, but many, many times.

If you have an outdated version of flash, KEEP IT. Or you will be getting this pop up millions of times a day. When I went to Macromedia support & sent an email request to see how to fix this problem, they sent me an email stating "I'm sorry you had a problem installing our software"

If they had bothered to read my email concern they would have noted that Macromedia Flash 8 IS THE PROBLEM. My suggestion is google my error message and you will see that this is happening all over the world to all web sites and all computer versions due to this download.

Thanks to this company I can't even play a simple game of solitaire or yahtzee let alone surf the web. Does anyone have a prior version of flash out there, or have you all been dumb like me??

Posted by: Awenita Cazon from Edmonton Alberta | April 6, 2006 9:08 PM

A script in this movie is causing Macromedia flash 8 to run slowly. If it continues to run your computer may become unresponsive. Do you want to abort the script?

Posted by: Anonymous | April 6, 2006 9:11 PM

good

Posted by: hoang | April 12, 2006 12:10 AM

"A script in this movie is causing Macromedia Flash Player 8 to run slowly. If it continues to run, your computer may become unresponsive.
Do you want to abort the script?"

What in GODS NAME IS THIS FOUL POPUP ABOUT!!!? I'm plagued with it as well, and just like you, NUMEROUS frackin' times in a row. Is this Adobe screwing up Flash for us? Why did I ever get into Flash development, ugh!

Posted by: Mortimer | April 27, 2006 8:48 PM

Quick Flash Player - a stand-alone swf browser and flash player.

http://www.yaodownload.com/video-design/videoplayers/quick-flash-player_videoplayers.htm

Posted by: queen | April 28, 2006 11:57 PM

A script in this movie is causing Macromedia Flash Player 8 to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?

I know someone who is getting this too.

Posted by: PK | May 11, 2006 10:48 AM

You can find a copy of macromedia flash 5 and MX at www.oldversion.com

A very interesting site I recently discovered when trying to find an old version of winzip. Seeing as how I have an old computer, it made me very happy. hope this helps.

Posted by: Anonymous | May 27, 2006 2:35 PM

Quick Flash Player is a stand-alone flash player that enables Flash Users to quickly browse the SWF files.

http://www.purchaseshareware.com

Posted by: flash player | August 5, 2006 2:48 AM

I have been getting a simple, but persistently irritating message that pops up onto my screen. It simply says: Cannot find macromedia flash player. I have installed it, then uninstalled it and reinstalled it and still this annoying message! What can I do? I am almost ready to move everything to my other hard drive and reinstall windows to get rid of it, but even that is no insurance that it won't happen again. Does anyone know?

Posted by: lorrie | August 11, 2006 9:00 AM

how to abort script

Posted by: Anonymous | September 13, 2006 2:58 PM

I have been getting the same error message as Lorrie.
Whenever my computer has idled for awhile I get the same message.
If anyone finds a fix or hears of one please let me know.
Greggs78@yahoo.com

Posted by: Greg | September 28, 2006 8:16 PM

The comments to this entry are closed.

 
 

©  The Washington Post Company