Security Updates for Flash, Opera
Adobe is urging people who use its Flash Player (this includes pretty much all Windows users) to upgrade to a new version that fixes at least nine separate security vulnerabilities that could be exploited to install unwanted software on vulnerable computers.
The latest, patched version of the Adobe Flash Player is 9.0.115.0, but regular readers of this blog most likely have version 9.0.47.0 on their systems. Adobe says the flaws are present in pretty much all versions prior to 9.0.115.0.
To see what version of Flash you have, visit this link and check the number displayed in the "version information" box. Updates are available for pretty much all browsers on just about any operating system, including Linux and Mac OS X (a Solaris update will be released later on). The latest Windows version is available for download at this page. Updates for other operating systems can be found here (note the link to the Flash uninstall tool should you have trouble updating).
In other news, Opera has a new version out that plugs at least four security holes in the browser. Opera users can download v. 9.25 from this link here.
By Brian Krebs | December 21, 2007; 10:06 AM ET
New Patches
Posted by: Bartolo | December 21, 2007 11:08 AM
Thanks for the heads up, Brian! If it weren't for your blog, I don't think I would've known about the Flash update.
Posted by: Security Fix reader | December 21, 2007 11:13 AM
The new Flash Player version 9,0,115,0 was actually released back on Dec. 5. Yet Adobe released the security bulletin Dec. 18? What's with the almost two-week delay in getting the word out?
I've found it works best to download the Flash uninstaller to remove all currently installed versions, then install the latest version off the Adobe website.
How to uninstall the Adobe Flash Player plug-in and ActiveX control
http://www.adobe.com/go/tn_14157
I would also recommend checking for updates to any other software you may have installed, at least around Microsoft's Patch Tuesday (second Tuesday of every month).
Posted by: TJ | December 21, 2007 11:15 AM
Lighter-weight version check, at least for Firefox users: visit about:plugins and look at the version there. Not in exactly the same format--mine says "9.0 r115".
Posted by: antibozo | December 21, 2007 12:55 PM
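The post tells readers to compare the number in Adobe's "version information" box against 9.0.115.0, and the comments show that the same version is written three different ways (Adobe's bulletin uses dots, the version box uses commas, and Firefox's about:plugins shows "9.0 r115"). The following script is an added example, not code from the post or from Adobe, that normalises those formats into a comparable tuple and flags every copy that is older than the fixed release. The sample inventory at the bottom is constructed; the "WIN" prefix on the version-box string is an assumption about that page's output, and the separate v7/v8 security releases John Dowdell mentions are not modelled, so anything below 9.0.115.0 is simply reported as unpatched.

```python
import re

# Fixed release named in the post; everything earlier is reported as vulnerable.
FIXED_VERSION = (9, 0, 115, 0)


def parse_flash_version(text):
    """Return the Flash version found in `text` as a 4-tuple, or None.

    Understands the three spellings seen in the post and its comments:
      "9.0.115.0"      Adobe security bulletin
      "WIN 9,0,115,0"  Adobe's version-information box (platform prefix assumed)
      "9.0 r115"       Firefox about:plugins
    """
    # Firefox's "major.minor rBUILD" form must be tried first, because the
    # generic pattern below would not match it (only two dotted numbers).
    m = re.search(r"(\d+)\.(\d+)\s*r(\d+)", text)
    if m:
        major, minor, build = (int(x) for x in m.groups())
        return (major, minor, build, 0)

    # Generic form: three or four numbers separated by dots or commas.
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)(?:[.,](\d+))?", text)
    if m:
        return tuple(int(x) if x is not None else 0 for x in m.groups())

    return None


def is_patched(text, fixed=FIXED_VERSION):
    """True if the version in `text` is at or above the fixed release."""
    version = parse_flash_version(text)
    if version is None:
        raise ValueError("no Flash version recognised in %r" % text)
    return version >= fixed


def find_stale(inventory, fixed=FIXED_VERSION):
    """Given (location, version_text) pairs, return the locations that still
    carry a pre-fix copy. Mirrors the problem several commenters describe:
    the Adobe installer updates one copy while others (bundled players,
    a second plugin folder) stay old."""
    return [(where, parse_flash_version(text))
            for where, text in inventory
            if not is_patched(text, fixed)]


# Constructed sample inventory: what three different checks on one machine
# might report after running only the Adobe installer.
SAMPLE_INVENTORY = [
    ("Adobe version box (IE ActiveX)", "WIN 9,0,115,0"),
    ("Firefox about:plugins", "Shockwave Flash 9.0 r47"),
    ("player bundled with another application", "9.0.47"),
]

if __name__ == "__main__":
    for where, version in find_stale(SAMPLE_INVENTORY):
        print("UNPATCHED: %s has %s" % (where, ".".join(map(str, version))))
```

Paste each version string a browser or the Adobe page shows into `is_patched`; the tuple comparison does the right thing for build numbers above 99, which a plain string comparison of "9.0.115.0" against "9.0.47.0" would not.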
At least your browser says something there. When I check about:plugins, I don't see anything about adobe. I downloaded the uninstaller and rebooted, but still there are no adobe plugins among the list. And when I check Add/Delete programs, I see a red X attached to the adobe player icon. Now, when I go to WoPo and try to play any video, I get: Note: Please upgrade your Flash plug-in to view our enhanced content. It's the same for the msnbc site.
Posted by: umm.huh | December 21, 2007 2:02 PM
This is 'pretty much' a poor grammar article.
Posted by: grammarguy | December 21, 2007 2:35 PM
Brian, thanks for providing the links to the testing page, and to the downloads page.
"TJ", these changes were rolled into the current Adobe Flash Player 9 Update 3 (aka "Moviestar", r115), released earlier this month. What's new this week is the application of the same security changes to older v7 and v8 generations of Player, for those intranets which take longer to approve major-version changes than to approve minor security updates. Once these were all protected with changed versions, then the documentation of those changes went live too.
Thanks for the mention of the Uninstaller... this is definitely needed if you've used pre-release versions (the public betas, e.g.), and can be useful to "freshen things up" if your system has been manually changed or if there are other problems, but it shouldn't be needed in the usual case.
To "umm.huh", your description doesn't mention that you've actually run the installer, only the uninstaller. If you're in IE/Win, then just visiting a page should be enough to start the normal ActiveX install process; for other browsers, visiting the Player download page should be enough to start a virgin installation.
tx, jd/adobe
http://weblogs.macromedia.com/jd
Posted by: John Dowdell | December 21, 2007 3:35 PM
Hi Brian,
I was updating some machines of relatives now that I'm around them for Christmas and wondered if you had a list of the different various web-plugins that often need updating, how to check the version on that computer, and the latest version, plus how to get it. It would be helpful to have a link to such a page in the "related links" of your blog site.
I found it tricky to test some of the players (I tested Real player on the BBC site) and Windows Media player (tested on Davis Cup radio). Firefox, Quicktime, Flash, etc. Anyway, just an idea. I would find it helpful, especially this time of year.
Posted by: josef | December 21, 2007 4:00 PM
To: John Dowdell
That was implied! Yes, of course I ran the installer. Twice, in fact. The procedure worked fine with IE. Just not Firefox, even though after running the installer, it said it successfully completed the action. (That's a paraphrase.)
Posted by: umm.huh | December 21, 2007 4:54 PM
For more on the Flash player see
Update your copy of the Flash player now. And do it the right way.
http://blogs.cnet.com/8301-13554_1-9837179-33.html
Posted by: Michael Horowitz | December 21, 2007 5:58 PM
I too had to fight with one copy of Firefox to get it to use the latest version of the Flash player. Eventually, I figured out the problem and blogged about it at CNET. See
Problems updating the Flash player in Firefox
http://blogs.cnet.com/8301-13554_1-9837353-33.html
Posted by: Michael Horowitz | December 22, 2007 11:39 PM
Michael Horowitz> I figured out the problem and blogged about it at CNET.
Since I don't feel like "joining the CNET community", I'll respond on a couple of your points here.
Michael Horowitz> Firefox bug: Using a DLL despite having the wrong name.
That is not a bug. What is the correct name for a DLL? Generally, whether a dynamic library should be treated as a plugin is properly tested by opening it and looking for particular symbols. Firefox has no way of knowing what a third party is going to call their plugin DLL file; the program just tries the DLLs it finds in the plugins directory and uses the ones that work. The documented exception is if the DLL filename begins with X. See:
http://kb.mozillazine.org/Issues_related_to_plugins
Michael Horowitz> Firefox bug: There should be one and only one location that Firefox uses for plugins. The use of two folders for plugins fooled both Secunia and Adobe.
On multi-user systems, having multiple plugin locations allows some plugins to be maintained by an administrator while allowing individual users to maintain other plugins that don't interfere with one another's browsers.
Note also that Firefox on Windows has special functionality enabled to search for plugins using the Windows registry. This behavior is controllable by editing prefs.js or using about:config. See:
http://kb.mozillazine.org/Plugin_scanning
I suspect that in this case, Firefox isn't really "using two folders"; it's preferring its plugins folder, then locating the other folder by scanning the registry for PLIDs.
Posted by: antibozo | December 23, 2007 1:06 AM
Just downloaded Thunderbird 2.0.0.9.
Have Adobe Photoshop Starter Ed, which previously connected to Thunderbird. It is still connecting, but no ATTACHMENT is showing on the e-mail.
Any comments. [Preferably also by e-mail]
Seasons greetings to all.
Posted by: brucerealtor@gmail.com | December 23, 2007 3:30 AM
Bigger story from The Register (via Slashdot).
http://it.slashdot.org/it/07/12/22/2240257.shtml
"Serious Flash vulns menace at least 10,000 websites"
Hosting sites compromised so subsequent visitors at risk?
Posted by: uh-oh | December 23, 2007 2:19 PM
uh-oh> Hosting sites compromised so subsequent visitors at risk?
This is an XSS issue. No one needs to be compromised as a precondition; instead a malicious page anywhere can instantiate one of the Flash objects in such a way that additional attacker-supplied script is executed by the browser in the context of the provider hosting the Flash, i.e. the bank website, or youtube, or micepace, etc.
Posted by: antibozo | December 23, 2007 5:20 PM
To: antibozo
A better system design would have the plugin identify itself as part of the installation procedure. Then there would be no need for Firefox to do detective work when it starts up.
Neither of the two folders I ran across were in locations associated with a user. Both were system folders.
The Firefox dependency on the Windows registry also strikes me as a design flaw. Not only is the registry a complex beast, it doesn't exist on other OSs. There's a lot to be said for .ini files. A simple design tends to be secure, transparent and relatively easy to debug.
Posted by: Michael Horowitz | December 23, 2007 6:29 PM
Michael Horowitz> A better system design would have the plugin identify itself as part of the installation procedure.
Can you elaborate? I'm not sure how you mean that the plugin would identify itself, or to whom. Currently the plugin does identify itself by being in the plugins folder with an appropriate name and instantiating some hook symbol Firefox looks for.
While I understand you object to the current design, it is a common design for extensible systems to define an extension API and then search a known location for dynamic libraries that implement it. While this can sometimes lead to surprising results, the behavior is documented. And, not intending disrespect, I think it was naive on your part to expect a plugin DLL to be deactivated by renaming it to something else that still ends with .DLL, in the same folder.
Michael Horowitz> Neither of the two folders I ran across were in locations associated with a user. Both were system folders.
In this case, yes, in a sense, but they remain distinct locations. An organization may grant write permissions to one and not the other for a given user. And Firefox doesn't have to be installed under Program Files, after all.
Michael Horowitz> Not only is the registry a complex beast, it doesn't exist on other OSs.
I agree with that statement, but I think the Firefox behavior is designed to make the best of a bad situation. In a typical scenario, I'd rather not have third party applications messing with the Firefox plugins folder at all; I'd rather they install themselves in their own area, and leave it up to the browser to go look for a canonical system-wide version. The current design supports this while still letting users override the behavior when needed. The problems occur when things like the Flash installer go hunting, like viruses, for extra places to invade, such as the Firefox plugins folder, and you end up with crapware all over the place. iTunes is even worse in this respect, refusing to run if you don't allow it to violate the Firefox plugins folder.
Posted by: antibozo | December 23, 2007 7:31 PM
Isn't it time the software producer be held accountable for the problems with their product? One software bug delivered lethal doses of radiation in a medical treatment machine, another contributed to the massive Northeast Power Outage, and the stories go on and on. Is there any other product or industry that has escaped product liability? I don't think so. And why is that, you may ask? The software industry has better lobbyists!
Posted by: Kevin G. Coleman | December 27, 2007 12:47 PM
Flash? Don't ever download it and you won't have to upgrade it or suffer its vulnerabilities. You also won't waste bandwidth on all that annoying flash content. Of course you won't be able to click on news stories and spend a lot of time listening to the reporter read his story, which is also a plus.
Posted by: Robert | December 28, 2007 2:53 AM
Thanks for the notification, Brian.
Tip: disable Flash in Internet Explorer by using the Tool menu, "Manage Add-ons".
I only use Flash in Firefox because Firefox can utilize the Flashblock extension. I.E. doesn't have an equivalent utility to enable Flash on a site-by-site basis.
Posted by: Ken L | December 28, 2007 4:16 PM
@Robert
Point taken, but very difficult to do, as Flash is more widely used than most other media players. Without Flash, no YouTube, Liveleak, Google Video, etc., many of which are heavily used on many major news and weather sites, blogs, and social networking sites (via embedded video/audio).
Of all media players, Flash is quite lightweight and relatively secure compared to the likes of QuickTime and RealPlayer, both of which have become bloatware (Windows Media Player not so much) and much more likely to have major security flaws. As such, I've been using ONLY Flash and Windows Media Player for years. If a site doesn't support one of these two, their loss as I move on to one that does.
Ultimately, it's all about keeping your system's attack surface small, which many times requires limiting the amount of software installed on it. So everyone has to make their own decisions on what media players to use or ban in keeping their systems better secured.
Posted by: TJ | December 28, 2007 4:26 PM
To Josef:
A very good method of checking a lot of browser "backend" apps and other apps and add-ons that you would normally not update by yourself is to go to:
http://secunia.com/software_inspector
A prerequisite for using their software inspector is to have Sun Java installed and set as your Java VM in your browser.
If you need the Sun Java VM (JRE) then go to:
http://www.java.com/en/download/index.jsp
and download and install it, then run the Secunia software inspector. When you run it, it will ask you to approve a download; do so, check the "Enable thorough system inspection" checkbox and then start.
It will most likely be an eye opener.
Fred
Posted by: Fred Dunn | January 2, 2008 4:01 PM
Updating Flash does not quite fix the security vulnerability.
Updating Flash from whatever version you have (assuming version 9.0.47) to the latest version (9.0.115 as of the moment) will only update the Flash player component usually located at C:/WINDOWS/system32/Macromed/Flash
If you have Dreamweaver for example you will still have the old version, and need to manually patch the flash player.
How to do this is simple and is on our blog:
Posted by: Paul Walsh | January 7, 2008 6:14 PM
What should be a simple update is turning into a huge pain. Once Secunia told me I had old Flash versions on my computer, I downloaded the Flash removal tool from Adobe, because Add/Remove Programs doesn't work for removing Flash. I ran the removal tool, but Secunia still says I have two old versions of Flash hiding somewhere on my machine. Argh!
Posted by: A | January 8, 2008 8:13 PM
The comments to this entry are closed.
Thanks for giving us these reminders!