Last month Adobe released version 10 of their free Flash Player plugin for web browsers. If you've installed version 10, then you're done. You are not missing any patches and can stop reading now.
If you're not sure which version of Flash is installed, Adobe has a tester page. Windows users who have installed another browser need to run this test in both Internet Explorer and the other web browser(s).
Anyone still running version 9 of the Flash Player needs to be running the latest edition, 9,0,151,0, which was released just a few days ago. It fixed a slew of bugs.
If you have an older edition of version 9, then you have a choice.
To install version 10 see my October 18th posting Seven steps to update the Adobe Flash Player on Windows. But, version 10 seems like a big change, and for defensive computing, it's often best to avoid the bleeding edge.
The problem with updating to version 9,0,151,0 is finding it. Adobe recommends using version 10 and that's the only available version at the Flash Player Download page. But, version 9,0,151,0 is available from Adobe at Flash Player 9 for Unsupported Operating Systems. There are links for Windows, Macs and Linux.
Although not always necessary, I suggest doing a full un-install of the Flash player before installing a new version. For more on this see How to uninstall the Adobe Flash Player plug-in and ActiveX control. For documentation on the fixes to the latest edition of version 9 see Flash Player update available to address security vulnerabilities.
See a summary of all my Defensive Computing postings.
Adobe just released version 10 of the free Flash Player Web browser plug-in. The new version (10.0.12.36) replaces version 9,0,124,0 (yes, those are commas, not periods) and includes an important fix for a security flaw known as "clickjacking," as well as fixes for other problems.
Everyone should update their copy of the Flash Player, and this post explains how to do so on Windows machines (the Flash Player also runs on OS X and Linux).
Updating the Flash Player on a Windows machine is unusually cumbersome. In part, this is because the Internet Explorer version is packaged very differently from the Firefox/Opera/Chrome version, so the Flash Player needs to be installed separately into each browser.*
Another reason for the unusual hassle is that for many years, installing a new version didn't remove old versions. Then too, if all goes well, you should be able to remove recent versions of Flash in the normal way, but all doesn't always go well. For example, on the Windows XP computer I'm writing this on, version 9,0,124,0 of the Flash Player plug-in is installed and working fine, yet it doesn't show up in the "Add or Remove programs list" in the control panel.
Thus, the safest approach is to use Adobe's Flash Player uninstaller program.
I've written about this before, so rather than rehash it fully, what follows is a seven-step cheat sheet.
Step 1: To get the lay of the land, use Adobe's Flash tester page to see which version is currently being used by your Web browsers. I say "browsers" because this needs to be done in each installed Web browser.
Uninstalling
Step 2: Download the Adobe Flash Player uninstaller here. If you've done this before, do it again. The Windows uninstaller was last updated on October 15, 2008.
Step 3: Shut down all running programs, then run the uninstaller. Below are the uninstall details.
A detailed report from the Adobe Flash un-installer program
Step 4: Check the output from the uninstaller to see if you need to restart Windows. Here is what Adobe says about this:
"Internet Explorer users may have to reboot to clear all uninstalled Flash Player ActiveX control files. If you're not certain, select the "Show Details" button in the Flash Player uninstaller. If there are any log lines that begin with "Delete on Reboot..." then you'll need to reboot BEFORE running the Flash Player installer again."
Step 5: Adobe's Flash Player uninstaller is limited in a few ways. For one, it does not deal with portable versions of Firefox (see Portable Firefox and the Flash Player). It also doesn't handle other software, such as Dreamweaver, that includes its own copy of the Flash Player. Then too, there used to be a bug with its not searching for installed copies of Flash in places used by very old browsers.
The best way to get a true inventory of all instances of the Flash Player is to run the Secunia Online Software Inspector and turn on the checkbox to "Enable thorough system inspection." Expect it to take a while.
Installing
Step 6: In Internet Explorer, first make sure that only one copy of IE is running. Then get the new version of the Flash Player at www.adobe.com/go/getflash. Look for a checkbox about also installing the Google toolbar. If there is one, I suggest turning it off on the theory that the less software installed the better.
The Flash Player installs like any other ActiveX control. Adobe warns, however, that "if you don't have administrator access, then you may not be able to install Flash Player successfully."
Step 7: For Firefox, Opera, and Chrome, Adobe also warns that you "may require administrative access to your PC" (see Flash Player installation instructions). Start any of these browsers, go to www.adobe.com/go/getflash, and download a file called install_flash_player.exe.
Downloading the Flash Player installer for the plug-in version of the Flash Player
Close all Web browsers, then run the installation program. Finally, start each non-IE Web browser on your computer and verify the installation at the Flash tester page.
Here's the pot of gold at the end of the rainbow:
The latest and greatest Flash Player
If you have any problems, see Troubleshoot Adobe Flash Player installation for Windows. You can also download flash at adobe.com/shockwave/download/alternates/.
To answer the question you may be thinking, yes, in an ideal world this posting would not be needed, let alone be so long.
*Adobe refers to the Firefox/Opera/Chrome version of the Flash Player as the "plug-in" version. In Internet Explorer, the Flash Player is an ActiveX control. You'll see them listed separately in the list of installed software in the control panel.
The way software is updated on personal computers, with every company rolling their own solution to a common problem, is archaic. In the same way we look at typewriters as something Fred Flintstone used, future techies will scorn this time period for the disgracefully inadequate way patches are distributed to end users.
I'm reminded of this by the latest update to a popular program, the free Foxit Reader for Adobe Acrobat files. The update, released August 4, 2008, fixes a number of bugs. Had I known about the update last month, I would have installed it. But, I just stumbled across it by accident.
This is not a knock on Foxit, a company that makes a very useful program, one that I use often, and gives it away for free. But, it's unrealistic for any normal computer user to keep up with updates to software when there are so many different delivery schemes.
For learning about software that needs to be updated, I'm a big fan of the online Secunia scanner, but it only goes so far. For one thing, Secunia only tracks the most popular software. Then too, unless you run their full scan, there is no chance of detecting old versions of portable applications. Finally, it does not warn you about known buggy software for which there isn't yet a patch.
The version number for the Foxit Reader has not changed; it is still 2.3. The latest edition is build 3201. Prior editions of version 2.3 had build numbers of 2923, 2825 and 2822. Prior to that, the software was at version 2.2. As shown below, the standard Help -> About displays the version number and build number.
The company is working on a more automated self-updating system for version 2.4.
The Foxit Reader for Windows supports Windows ME, 2000, XP, Vista and Server 2003. There is also a Foxit Reader for Linux that has been tested on Fedora 4 and SuSE Linux 10, according to the company.
As I wrote previously, the Foxit Reader for Windows is available as a normally installed application and as a portable application.
The normally installed version is available at CNET's download.com, where the reviewer rated it 5 stars (out of 5). If you have an older copy of the normally installed edition, you can update it with Help -> "Check for Updates Now..." The list of available updates should include "Foxit Reader 2.3.2008.3201 Upgrade".
The portable version is available from Foxit as a 2.92MB zip file. Inside the zip file is a single 6.5MB EXE file. Extract the EXE file and you're done. I suggest renaming it, however, to make the version number more obvious. My naming standard for portable applications is something like:
FoxitReader.v2.3.August.2008.Portable.exe
Firefox 3 users can make Foxit their default PDF viewer with Tools -> Options -> Applications. Look for "PDF File" in the Content Type column, then click on the drop-down in the Action column and select "Use other". If you use the portable edition of the Foxit Reader, you'll have to click the Browse button to point Firefox to your latest portable copy.
This story starts out like so many others, but then takes a twist.
On Monday, Adobe released a patch that fixed a critical bug in their Adobe Acrobat Reader program. This was reported at CNET by Robert Vamosi, at ZDNet by Ryan Naraine, at the Washington Post by Brian Krebs and elsewhere. When I ran the Adobe Reader on a couple machines, I was duly reminded by a yellow tooltip window that a bug fix was available. On each machine the patch installed just fine. Ho hum.
The twist came about when I went to verify that the patch had been installed. I had started with the latest version of the Adobe Reader, 8.1.2. After installing the patch, I still had version 8.1.2.
You would be excused at this point if you thought this posting was about how or why the patch hadn't been correctly installed. But no, it had installed fine. Pretty surprising behavior, especially since the Adobe Reader may be the most widely installed software on the planet.
So, how can you tell if you have the buggy or the patched version of version 8.1.2?
Of course, if you're online, you can always check for updates. But, update applications are far from foolproof. Just today, Adobe's updater warned me that it couldn't check for updates to itself.
Windows
Security firm Secunia issued an advisory about this bug on June 24. Yet, four days later, its usually excellent online scanner incorrectly flags a patched instance of version 8.1.2 as being version 8.1.0.137. I verified this on Windows XP and 2000.
For Windows XP, an answer came from someone calling themselves "zube" who made a comment at WashingtonPost.com. Go to the "Add or Remove Programs" applet in the Control Panel. At the top, turn on the checkbox to "Show updates" and Windows XP reports the installation of this latest bug fix.
As for Windows Vista, I installed a new copy of the Acrobat Reader today. A check for updates said it was the latest and greatest. But, the "Programs and Features" applet in the Control Panel did not indicate that it included this latest patch.
On a Windows 2000 machine with version 7 of the Adobe Reader, I uninstalled the old version and downloaded version 8.1.2 from Adobe.com. Even though this latest critical patch was released four days ago, Adobe is still offering up the buggy version of version 8.1.2 for download (as of June 27, 7 p.m. PDT). After installing the just-downloaded software, a check for updates showed that it was missing this latest bug fix. After installing the patch, the Add/Remove programs applet in the Control Panel verified that it had been installed.
Update: After this posting was originally written, Adobe pointed me to the Release notes for Adobe Reader and Acrobat 8.1.2 SU1 security update, which details two other ways to verify that you are using a patched instance of version 8.1.2. From the Adobe Reader, click on Help -> "About Adobe Plug-Ins..." -> Comments. The displayed date (see below) should be 6/7/2008. There is also another method that involves querying the registry.
Macintosh
On a Macintosh, Adobe advises clicking Reader -> Adobe Plug-Ins -> Comments. Just as with Windows, they say the API should be dated 6/7/2008. The Release Notes for the patch also describe some files that Mac users can look for. The presence of the files indicates a patched instance of the software.
Linux
The Security Bulletin for this patch doesn't say anything about Linux.
Ubuntu 8.04 does not include the Adobe Reader; instead, Evince is used to read PDF files. I installed Acrobat 8.1.2 on Ubuntu after downloading it today from Adobe.com. The Help -> About showed that the software was from January 15, 2008. I'm no expert on the four different package managers that come pre-installed with Ubuntu, but it didn't seem there was a more recent update to the Reader. Whether the software is vulnerable, only Adobe knows.
Update: According to Adobe, the software is vulnerable on Linux; an update is "in process" and it's expected to be released in July. When the fix is available, Adobe will update the Security Bulletin (link above).
Foxit
Many people argue that the Foxit PDF Reader is a better choice for viewing PDF files. There is a version for Windows, Linux, U3 and more (but no Mac version). Whatever the prior arguments were, now there is a new one. Adobe should not make patching into a guessing game.
Update June 27, 2008: Added Windows 2000
Update June 27, 2008: Added Secunia
Update June 28, 2008: Expanded Secunia and Linux topics
Update June 28, 2008: Included information from Adobe
Update June 29, 2008: Updated Foxit topic
Some information from the Release Notes for this patch also appears on an Adobe blog by Steve Gottwals How Can I Tell if I've got Reader 8.1.2 or 8.1.2 Security Update 1 Installed?
Old versions of Adobe Flash Player, perhaps the most widely used software in the world, contain known bugs that are being actively exploited online. If you are using any version of Flash Player, other than the latest, you should update to version 9.0.124.0 as soon as possible.
Early reports from Symantec said the bug being exploited was a new one. Turns out this is not the case. On Thursday, Adobe said
"Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."
You can see which version of Flash Player is being used by your Web browser at the Adobe Flash tester page. You need to check every Web browser installed on your computer.
For instructions on updating Flash Player, see Time to update the Flash Player. Here's how. If you use the portable version of Firefox, see Portable Firefox and the Flash Player for instructions on updating Flash Player.
Foxit software just released a new version of its Adobe Acrobat PDF file reader. The previous version was 2.3 build 2825. The new version is still 2.3 but the build number is now 2923.
Although there is nothing about it on Foxit's Web site, the company confirmed on the phone that this is a bug-fix release.
On May 20, Secunia issued an advisory that pointed out what it called a "highly critical" bug in the prior version. Secunia expected a fix from Foxit in an upcoming version of the software, however, as of 12:15 p.m. EDT on Sunday May 25th (roughly two days after the software was released), Secunia still lists the bug as unpatched.
Update May 26, 2008: Secunia has confirmed that the bug they wrote about is fixed in this release.
If you use the portable version of Foxit, as I suggested back on May 6, then simply download the Zip file again and delete the older version. If you use the normally installed edition of Foxit, then you can check for updates with Help -> Check for Updates Now. The new version will show up as "Foxit Reader 2.3.2008.2923 Upgrade" if you are running the previous version. If you don't use Foxit at all, give it a try.
The Foxit servers appear to be swamped. I experienced multiple failures both checking for updates from within the program and trying to download the Zip file.
The May 15th issue of the Support Alert newsletter has an interesting article on converting PDF files into Word documents. Initially, the newsletter author, Ian Richards, tested a couple free online conversion services, then he got readers with seven different commercial products to convert his sample document.
He called the results "fascinating" and found that "the products varied markedly". The most expensive product produced one of the worst conversions. Overall, he likes Zamzar, a free web-based conversion service, saying "Most users who have only a casual need to convert PDFs to DOC should save their pennies and use Zamzar rather than buy a commercial product." The list of file types that Zamzar converts from and to is huge.
The original PDF used for the tests was posted at techsupportalert.com, but it's no longer there. So, I searched news.com and ran across a PDF formatted profile of someone named Kathy White (I haven't read the document) from 2002 that seemed like it might be hard to convert. You can see the results of the Zamzar conversion here michaelhorowitz.com/zamzar.test.white.doc.
Looks pretty good to me.
Update. June 5, 2008: Someone just told me about another review of PDF to Word software and services at www.freewaregenius.com, How to convert PDF to Word DOC for free: a comparative test. The comparison testing, done in March 2008, included six products, all freeware. The favorite was the Koolwire.com service.
The big claim to fame for the Foxit PDF Reader has always been speed - it opens PDF files much faster than Adobe's own Acrobat Reader. Then too, it's free and much smaller than the Adobe Reader. Plus, people just like it. At download.com, the CNET review gave it 5 stars out of 5.
But there is another big advantage, the Foxit Reader is portable.
Portable applications are those that can be run without being installed. I'm a huge fan of portable applications and use them whenever possible, running them both off the C disk and USB flash drives. By distancing themselves from the host copy of Windows, portable applications offer two advantages. First, they insulate you from problems with Windows or the registry. On the other end, they are less likely to cause problems for the host copy of Windows.
For whatever reason, the fact that there is a portable copy of the Foxit Reader seems to be a secret. It is not mentioned on either the Foxit download page, the Foxit overview page or at download.com.
To get the portable version, simply download the 2.9MB "ZIP Package" from Foxit Software. This downloads a Zip file consisting of a single file, FoxitReader.exe. When unzipped, the reader is 6.5MB.
The portable version of Foxit saved me on one computer where the old version 7 of the Adobe Acrobat Reader could not be un-installed, and the new version 8 could not be installed. Foxit to the rescue.
The current version, 2.3, was released at the end of April. According to Foxit Software, many new features have been added. According to Brian Krebs, writing for the Washington Post, critical security bugs were fixed in this release.
While elsewhere on CNET, new features are considered a good thing, they scare me - new code is more likely to be buggy than older, established code. Still, I will use and recommend version 2.3 because of the bug fixes it contains, but be sure to check for updates (Help -> Check for Updates Now... ) relatively often.
Normally-installed software requires certain file names, but this is not true of portable software. If you do run the portable version of the Foxit PDF Reader, let me suggest changing the file name. I use:
FoxitReader.v2.3.April.2008.Portable.exe
This tells me at a glance the version/release, the date it was released and that it is the portable version rather than the setup file for the normally installed version.
The Foxit PDF Reader runs on Windows 98, ME, 2000, XP, 2003 and Vista.
Update May 7, 2008: I just stumbled across a feature in the Adobe Reader that is missing from the Foxit Reader - the ability to copy images. I was recently using a PDF file that had started out as a Word document. As shown below, the Adobe Reader lets me copy individual pictures out of the PDF simply by right clicking on the image. Foxit does not seem to support this.
Update May 20, 2008: A critical bug was just found in the Foxit PDF Reader.
Update May 23, 2008: A new version of the Foxit PDF reader was just released.
I had no intention of focusing so much on the Flash Player and Firefox, but there just seems to be a lot to say. This time the topic is installing the latest version of the Adobe Flash Player in a portable version of Firefox.
I'm a huge fan of portable applications; I all but live in the portable versions of both Firefox and Thunderbird, both downloaded from portableapps.com. This posting was written in an airport and traveling is one reason to like portable applications. I normally work on a Windows XP desktop computer and before leaving on a trip, all I have to do is copy a single folder from the desktop machine to my XP based laptop computer to bring along my copy of Firefox. Copying another folder gives me all my email. When I return from the trip, copying the folders back is all it takes to pick up where I left off.
The Firefox folder includes not only the program, but also my bookmarks, my preferred configuration options, the website passwords that Firefox saves for me and the customization I made to the toolbar (such as adding the New Tab button and removing the Home button). It also includes my extensions, for the most part.
This all works fine, with the slight exception of the Flash Player plugin. Adobe doesn't do portable. Neither the Flash Player installer nor the uninstaller is the least bit aware of, or concerned with, portable versions of Firefox.
A few days ago, when I updated my desktop computer to the latest version of the Flash player, it didn't take. Although the Flash Player installer ran fine, my portable copy of Firefox kept using the old version, according to the Adobe Flash tester page.
Confused, I ran a scan with the free online Secunia Software Inspector (highly recommended) and it reported that the new version of Flash was happily living on the hard disk at C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll.
But, I had run a normal Secunia scan rather than a "thorough" scan. The normal scan looks for applications in their normal location. Anyone using a portable application needs to use the "thorough" option when scanning with Secunia for old software. A thorough scan showed that the portable version of Firefox was indeed still using the older software.
It also, conveniently, showed the file name and location of both the new Flash Player on the C disk and the old copy on the X disk where the portable copy of Firefox resided.
What To Do?
There are a couple of ways to deal with this.
If, as in my case, the computer has the latest copy of the Flash Player on the C disk, copying the appropriate DLL from the C disk to the X disk will get the portable Firefox using the latest version of Flash.
Specifically, copy file NPSWF32.dll from C:\WINDOWS\system32\Macromed\Flash to X:\FirefoxPortable\App\firefox\plugins. The full path for your portable copy of Firefox will be different, but wherever it resides, copy the Flash Player DLL into the \App\firefox\plugins folder. Again, a "thorough" Secunia scan will point you to the right place.
If the computer in question doesn't have a normally installed copy of Firefox, then simply delete or rename the file with the old version of the Flash Player (Secunia will find it). The next time you visit a web page that needs Flash, such as the Adobe Flash tester page, Firefox will prompt you to install the missing plugin and you'll get the latest version.
Finally, be aware that a portable copy of Firefox that doesn't have its own installed version of the Flash Player will pick up a copy from the C disk, if a normally installed copy of Firefox exists. But, if the portable Firefox has an old version of Flash in its plugin folder, it will use that even if a newer version of Flash is on the C disk - which is what prompted this posting in the first place.
It's a pain, but to me, well worth it for the advantages of portable web browsing.
Note: The Secunia Software Inspector requires a recent version of Java. You can see which, if any, version of Java is installed on your computer at my JavaTester.org site.
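An added example, not part of the original post and not Adobe's or Secunia's code: this Python script walks the folders it is given for every copy of NPSWF32.dll, reads each file's version from its Windows version resource, and flags copies older than 9,0,151,0. The function names and the sample folder tree are constructed for illustration, and locating the version resource by its signature bytes is a simplifying assumption.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO begins with the signature 0xFEEF04BD (little-endian on disk).
FIXEDFILEINFO_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
PLUGIN_NAME = "npswf32.dll"       # Flash plug-in DLL named in the post
MINIMUM_VERSION = (9, 0, 151, 0)  # latest version 9 edition cited on this page


def parse_version(text):
    """Accept Adobe's comma form ("9,0,124,0") or the dotted form ("10.0.12.36")."""
    return tuple(int(part) for part in text.replace(",", ".").split("."))


def read_file_version(path):
    """Return the 4-part file version from a DLL's version resource, or None."""
    with open(path, "rb") as handle:
        data = handle.read()
    offset = data.find(FIXEDFILEINFO_SIGNATURE)
    if offset < 0 or offset + 16 > len(data):
        return None
    # Field order: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    ms, ls = struct.unpack_from("<II", data, offset + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def inventory(roots, minimum=MINIMUM_VERSION):
    """List every Flash plug-in copy under the roots as (path, version, status)."""
    found = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != PLUGIN_NAME:
                    continue
                path = os.path.join(folder, name)
                try:
                    version = read_file_version(path)
                except OSError:
                    version = None  # unreadable file: report it, do not skip it
                if version is None:
                    status = "unknown"
                elif version < minimum:
                    status = "outdated"
                else:
                    status = "current"
                found.append((path, version, status))
    return sorted(found, key=lambda item: item[0])


def build_sample_tree(base):
    """Constructed sample: an updated system copy and a stale portable copy."""
    def fake_dll(folder, version):
        os.makedirs(folder, exist_ok=True)
        ms = (version[0] << 16) | version[1]
        ls = (version[2] << 16) | version[3]
        blob = b"MZ" + b"\x00" * 62
        blob += struct.pack("<IIII", 0xFEEF04BD, 0x10000, ms, ls)
        with open(os.path.join(folder, "NPSWF32.dll"), "wb") as handle:
            handle.write(blob)

    fake_dll(os.path.join(base, "WINDOWS", "system32", "Macromed", "Flash"),
             parse_version("9,0,151,0"))
    fake_dll(os.path.join(base, "FirefoxPortable", "App", "firefox", "plugins"),
             parse_version("9,0,124,0"))


if __name__ == "__main__":
    # Runs against the constructed tree; pass real drive roots to inventory()
    # (for example ["C:\\", "X:\\"]) to check an actual machine.
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for path, version, status in inventory([base]):
            print(status, ",".join(map(str, version or ())), path)
```

Any copy reported as "outdated" inside a portable Firefox plugins folder is the one that browser will keep loading until the file is replaced or removed.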
My last posting was about upgrading the Adobe Flash Player, a Web browser plug-in. Adobe Systems just released a new version that fixes critical bugs in older versions, so everyone should update to the latest version.
Adobe's Flash tester page displays the version of the Flash Player being used by your Web browser. Sometimes though, the Firefox results may not be what you think they should be. I've run across a couple instances in which Firefox was not using a newly installed version of the Flash Player.
The rules for where or how Firefox loads plug-ins have changed over time, and all software vendors may not have a perfect understanding of them. Then too, many uninstallers leave files behind; it's almost the rule rather than the exception. If your copy of Firefox isn't doing what it's supposed to do, there are two ways to find out from where it picked up a particular plug-in.
Start Firefox, and in the address bar, enter "about:config" without the quotes (see above). In the filter bar, enter "plugin", again without the quotes. Double-click on "plugin.expose_full_path." This should change the value from "false" to "true" and the status from "default" to "user set."
Go back to the address bar, and enter "about:plugins" (no quotes). As shown below, the file name in the Shockwave Flash section has the name and the full path of the file Firefox is using for the Flash Player.
If there is no Shockwave Flash section, try visiting a Web site that uses Flash. Adobe's Flash tester page is a good choice.
You can also use the excellent Process Explorer program from Microsoft to see which DLL Firefox is using for the Flash Player. In Process Explorer, click on the running instance of Firefox, click the button to show the lower pane, then use the button next to it to ensure that you are viewing DLLs rather than Handles.
Sort the list of DLLs by company name so that Adobe files appear near the top. The current flash DLL is NPSWF32.dll. To see where it came from in the local file system, either hover the mouse over the name of the DLL or double-click on it to open a properties window that shows the file location.
This detective work is especially important when dealing with portable versions of Firefox. More on that soon.





