December 21, 2007 2:44 PM PST

Update your Flash player now--and do it right

by Michael Horowitz

On December 18, give or take,* Adobe Systems released a security bulletin that basically says old versions of the Flash player are buggy as heck (see Flash Player update available to address security vulnerabilities). Specifically, versions 9.0.48.0 and earlier contain nine different bugs that Adobe calls critical. Simply viewing a Web page is all it takes for a bad guy to take control of your computer. This is true on Macs and Linux too. The only way to be safe is to upgrade to the newest version, 9.0.115.0.

These bugs in the Flash player will, no doubt, be a huge target for the bad guys since almost every computer (Windows, Macs and Linux) has some version of Flash installed.

What follows are my suggestions and experiences about updating the Flash player.

The right way

What do I mean by the right way?


I read a number of articles on this topic before writing this posting and none mentioned the fact that you have to update the Flash player for both Internet Explorer and Firefox. The two browsers use separate and independent copies of Flash. You can see this in the screenshot above from the Add/Remove Programs applet in the Windows XP control panel. The ActiveX version is used by Internet Explorer, the plug-in version is used by Firefox.

The right way also means uninstalling the prior version of Flash before installing the new version, not installing any software other than the Flash player, and being 100 percent sure that all old versions of the software have been removed, even those in nonstandard locations.

What version of Flash do you have?

If you haven't updated the Flash player recently, your computer is probably at risk. Still, before bothering to upgrade, you might as well check which version you have installed. Also, knowing how to check provides a way to verify that an uninstall of the Flash player worked. (More on this below.)

Sample output from:
www.macromedia.com/software/flash/about/

For years, I have been using www.macromedia.com/software/flash/about/ to display the currently installed version of the Flash player. A screenshot is above showing the output from today before I upgraded. When Adobe purchased the original Flash vendor, Macromedia, it made its own copy of this Web page www.adobe.com/products/flash/about/. The two pages appear to be identical.

Sample output from:
kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507

In researching this posting, I ran across a similar page (see screenshot above) at kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507. I don't get good vibes from this page, however. For one, the fact that it still shows Flash as being a Macromedia product rather than an Adobe product makes me wonder if it has been abandoned. Also, there is a whole section on this page about what to do if it reports the wrong version. But if you already knew the version, there would be no need for this Web page at all. :-(

Download the new version?

The security bulletin from Adobe suggests going to the Adobe Player Download center to install the latest version. I wouldn't, for a couple reasons.

For one, installing the latest version of Flash has never uninstalled the old buggy versions. From my Defensive Computing standpoint, I want to always ensure that old buggy software is fully removed. The uninstall procedures are discussed below.


Another reason is that the Adobe Download Center tries to pawn off additional software on Internet Explorer users. (They don't do this with Firefox.) As shown above, the default is to also install the Google Toolbar.

Again speaking defensively, it's best not to install software unless you absolutely need it. There is always the chance it will break something else, and new software just becomes something else that needs care and feeding. The Google Toolbar, in particular, has its own very recent security bug. See Trend Micro and Aviv Raff for more on this.

Out with the old

I suggest starting with the Adobe Flash player uninstall program. Removing old versions of the Flash player using the standard Add or Remove Programs applet in the Windows XP Control Panel failed more often than it worked in my tests.

Adobe has instructions on how to uninstall the Adobe Flash Player plug-in and ActiveX control that include a link to download its uninstall program. There is an uninstall program for Windows and one for Macs, but no mention of Linux at all. The program uninstalls both the Internet Explorer and Firefox versions of the Flash player. In fact, it even uninstalled a copy used by a portable version of Firefox.

The instructions warn that it cannot remove files in use, so be sure to shut down all applications before running the uninstaller. I had no problems with the uninstalls.
Update: Actually, I did. See my next posting.

Firefox upgrade procedure

Initially, this posting detailed a host of problems trying to use the Control Panel Add or Remove Programs applet in Windows XP to remove the Firefox version of the Flash player. After getting completely inconsistent results on three different machines, it became obvious the Adobe Flash player uninstaller was the way to go.

After running the uninstaller, go back to the tester page to verify that the Flash player was uninstalled correctly. If it was, you should see something like the below, prompting you to install the plug-in. Click on the green squiggly thing and the procedure is self-explanatory.


Internet Explorer upgrade procedure

Uninstalling the ActiveX version of the Flash player via the Control Panel was just as error-prone as the Firefox plug-in version. On one machine, the entry in the Add/Remove programs list was quickly removed, but the software was not. Another machine was not at all happy with the request, as shown below.


As with Firefox, start at the tester page to verify that the ActiveX version of the Flash player is no longer installed. To install a new copy of the Flash player, look for a yellow stripe at the top of the tester Web page window and click on it. Then, in the pop-up menu, click on "Install ActiveX control." Finally, in the Security Warning window (shown below), click on the Install button. That should do it.


Note that if you are running Internet Explorer in restricted mode with DropMyRights, this won't work and won't tell you why. It has to be run unrestricted.

When you see the below, you are done. Should something go wrong, see Troubleshoot Adobe Flash Player installation for Windows from Adobe.

THIS MEANS YOU ARE DONE

For extra credit, run the Secunia Software Inspector and turn on the checkbox for a "thorough system inspection." This is a great way to ensure there are none of the old, vulnerable versions of the Flash player anywhere on your computer, even in nonstandard locations.
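One way to check a drive for leftover Flash binaries, written in Python as an added example (not part of the original post): it walks a folder tree, reads each binary's version from the Windows version resource, and flags anything older than 9.0.115.0. The file-name patterns (NPSWF32.dll, Flash*.ocx) and the shortcut of searching for the VS_FIXEDFILEINFO signature instead of parsing the full resource table are assumptions of this example.

```python
import os
import struct

FIXED = (9, 0, 115, 0)                      # fixed release named in the article
SIGNATURE = struct.pack("<I", 0xFEEF04BD)   # VS_FIXEDFILEINFO.dwSignature

def is_flash_binary(name):
    """Assumed naming: NPSWF32.dll (plug-in) and Flash*.ocx (ActiveX)."""
    n = name.lower()
    return n == "npswf32.dll" or (n.startswith("flash") and n.endswith(".ocx"))

def file_version(path):
    """Return (major, minor, build, rev) from the version resource, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(SIGNATURE)              # heuristic: first signature match
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def find_flash_copies(root):
    """Walk root and return [(path, version, status)] for every Flash binary."""
    results = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not is_flash_binary(name):
                continue
            path = os.path.join(folder, name)
            try:
                version = file_version(path)
            except OSError:
                version = None              # locked or unreadable file
            if version is None:
                status = "UNKNOWN"
            elif version < FIXED:
                status = "VULNERABLE"
            else:
                status = "OK"
            results.append((path, version, status))
    return sorted(results)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, version, status in find_flash_copies(root):
        label = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {label:12} {path}")
```

Run it with a folder or drive root as the argument; any line marked VULNERABLE or UNKNOWN is a copy to remove or inspect by hand.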

Whew.

My next posting goes into great detail about the problems I had updating the Flash player in one particularly stubborn copy of Firefox. If you are having similar problems, my eventual solution may help you, too.

*Give or take? December 18 is the "release date" of the security bulletin from Adobe. However, if you browse all the security bulletins from Adobe for Flash, you will see that this particular one was originally posted December 11 and has not been updated since. Then again, both those dates could be wrong, at least according to this blog which seems to be from an Adobe employee whose initials are JD. When was the latest version of Flash really released? I'm just a blogger, not a reporter.

I don't use the Windows version of Opera or Safari, so if anyone knows if they too need to be updated separately, please leave a comment below. Thanks.

Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.


See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by john55440 December 22, 2007 10:37 AM PST
Thanks for the detailed information! I have updated Flash before, but have never uninstalled the old version first. In addition, I wasn't even aware of the current Flash security update.
by harveybook December 22, 2007 11:15 AM PST
Great, often overlooked, information to keep machines running securely. I immediately updated all my machines with the easy-to-follow instructions.
by A_N_Onymous December 23, 2007 8:50 AM PST
I always fetch the latest Adobe Flash player using the following batch file:

wget http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_active_x.msi
wget http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player.exe

I then compare them to the versions I have stored as "install_flash_player_9,0,115,0.exe" and "install_flash_player_9,0,115,0_active_x.msi" -- if they're different, I know Adobe has updated the player. That way I don't have to download them again and again for all the machines I have to maintain.
by boomslang December 25, 2007 10:06 PM PST
This doesn't even begin to address all the plugin locations where Flash gets installed if you are running Adobe's Creative Suite of programs. You will find that the offending .dll is plastered everywhere if you run Secunia's Personal Software Inspector.
by heads-up December 27, 2007 12:30 AM PST
After the uninstall, I installed with IE6 successfully. Then closed IE and opened Opera (9.24) but the About Flash (www.adobe.com/products/flash/about/) page did not show Flash as being installed. Following the link to their Player Download Center, I downloaded and ran the install_flash_player.exe (which prompted me to close Opera) after which the About Flash page confirmed success in Opera. Took longer to write this note than to do the whole thing.

I suspect that if I had used Opera first, the installer probably would have taken care of IE at the same time, saving a step.
by mhinnewyork April 11, 2008 9:34 PM PDT
On Windows, Opera uses the "plugin" version of the Flash player, same as Firefox. This version is installed separately from the ActiveX version for IE. It's a pain.
by paulgj February 26, 2008 7:33 PM PST
It seems that using the Adobe flash installer results in only one copy of the NPSWF32.dll file (into C:\WINDOWS\system32\Macromed\Flash) whereas installing it through the Firefox plugin prompt installs an additional copy of the file to C:\Program Files\Mozilla Firefox\plugins.
by Daboniel April 15, 2008 8:46 AM PDT
The latest version of Shockwave does NOT work with WIN2000SP4. DO NOT download it or it will simply quit working. You will get "Installing compatibility components" and then it errors out and says, "Could not load the DLL Library C:\WINNT\system32\Kernel32.dll (GetSystemWow64DirectoryA). The specified procedure could not be found." Then you will have to uninstall it and go to http://www.filehippo.com/download_shockwave/3090/ and look for version 10.2.0.023 which is, seemingly, the last version that will work with 2000.

There are a lot of people still on 2000. I was going to upgrade to Vista, and bought 3 upgrade disks for three computers to upgrade, only to find out your Motherboard Bios has to have ACPI version 2.0. Most mother boards over a year old (almost ALL computers running WIN2000) will have version 1.0. Check this using BIOS Agent before investing in Vista or you will be ripped off like I was.

God Bless!
dab
by egor66 August 4, 2008 6:02 AM PDT
Have the latest flashplayer installed and it is working but not on msn my space? It just keeps saying to get an update. Running vista 32bit service pack one, all up to date.