
Defensive Computing

November 12, 2008 11:42 AM PST

Fixing bugs in the Flash Player yet again

by Michael Horowitz

Last month Adobe released version 10 of their free Flash Player plugin for web browsers. If you've installed version 10, then you're done. You are not missing any patches and can stop reading now.

If you're not sure which version of Flash is installed, Adobe has a tester page. Windows users who have installed another browser need to run this test in both Internet Explorer and the other web browser(s).

Anyone still running version 9 of the Flash Player needs to be running the latest edition, 9,0,151,0, which was released just a few days ago. It fixed a slew of bugs.

If you have an older edition of version 9, then you have a choice.

To install version 10 see my October 18th posting Seven steps to update the Adobe Flash Player on Windows. But, version 10 seems like a big change, and for defensive computing, it's often best to avoid the bleeding edge.

The problem with updating to version 9,0,151,0 is finding it. Adobe recommends using version 10 and that's the only available version at the Flash Player Download page. But, version 9,0,151,0 is available from Adobe at Flash Player 9 for Unsupported Operating Systems. There are links for Windows, Macs and Linux.

Although not always necessary, I suggest doing a full un-install of the Flash player before installing a new version. For more on this see How to uninstall the Adobe Flash Player plug-in and ActiveX control. For documentation on the fixes to the latest edition of version 9 see Flash Player update available to address security vulnerabilities.

See a summary of all my Defensive Computing postings.

October 18, 2008 3:05 PM PDT

Seven steps to update the Adobe Flash Player on Windows

by Michael Horowitz

Adobe just released version 10 of the free Flash Player Web browser plug-in. The new version (10.0.12.36) replaces version 9,0,124,0 (yes, those are commas, not periods) and includes an important fix for a security flaw known as "clickjacking," as well as fixes for other problems.

Everyone should update their copy of the Flash Player, and this post explains how to do so on Windows machines (the Flash Player also runs on OS X and Linux).

Updating the Flash Player on a Windows machine is unusually cumbersome. In part, this is because the Internet Explorer version is packaged very differently from the Firefox/Opera/Chrome version, so the Flash Player needs to be installed separately into each browser.*

Another reason for the unusual hassle is that for many years, installing a new version didn't remove old versions. Then too, if all goes well, you should be able to remove recent versions of Flash in the normal way, but all doesn't always go well. For example, on the Windows XP computer I'm writing this on, version 9,0,124,0 of the Flash Player plug-in is installed and working fine, yet it doesn't show up in the "Add or Remove programs list" in the control panel.

Thus, the safest approach is to use Adobe's Flash Player uninstaller program.

I've written about this before, so rather than rehash it fully, what follows is a seven-step cheat sheet.

Step 1: To get the lay of the land, use Adobe's Flash tester page to see which version is currently being used by your Web browsers. I say "browsers" because this needs to be done in each installed Web browser.

Uninstalling

Step 2: Download the Adobe Flash Player uninstaller here. If you've done this before, do it again. The Windows uninstaller was last updated on October 15, 2008.

Step 3: Shut down all running programs, then run the uninstaller. Below are the uninstall details.

A detailed report from the Adobe Flash un-installer program

Step 4: Check the output from the uninstaller to see if you need to restart Windows. Here is what Adobe says about this:

"Internet Explorer users may have to reboot to clear all uninstalled Flash Player ActiveX control files. If you're not certain, select the "Show Details" button in the Flash Player uninstaller. If there are any log lines that begin with "Delete on Reboot..." then you'll need to reboot BEFORE running the Flash Player installer again."

Step 5: Adobe's Flash Player uninstaller is limited in a few ways. For one, it does not deal with portable versions of Firefox (see Portable Firefox and the Flash Player). It also doesn't handle other software, such as Dreamweaver, that includes its own copy of the Flash Player. Then too, there used to be a bug with its not searching for installed copies of Flash in places used by very old browsers.

The best way to get a true inventory of all instances of the Flash Player is to run the Secunia Online Software Inspector and turn on the checkbox to "Enable thorough system inspection." Expect it to take a while.

Installing

Step 6: In Internet Explorer, first make sure that only one copy of IE is running. Then get the new version of the Flash Player at www.adobe.com/go/getflash. Look for a checkbox about also installing the Google toolbar. If there is one, I suggest turning it off on the theory that the less software installed the better.

The Flash Player installs like any other ActiveX control. Adobe warns, however, that "if you don't have administrator access, then you may not be able to install Flash Player successfully."

Step 7: For Firefox, Opera, and Chrome, Adobe also warns that you "may require administrative access to your PC" (see Flash Player installation instructions). Start any of these browsers, go to www.adobe.com/go/getflash, and download a file called install_flash_player.exe.

Downloading the Flash Player installer for the plug-in version of the Flash Player

Close all Web browsers, then run the installation program. Finally, start each non-IE Web browser on your computer and verify the installation at the Flash tester page.

Here's the pot of gold at the end of the rainbow:

The latest and greatest Flash Player

If you have any problems, see Troubleshoot Adobe Flash Player installation for Windows. You can also download Flash at adobe.com/shockwave/download/alternates/.

To answer the question you may be thinking, yes, in an ideal world this posting would not be needed, let alone be so long.

*Adobe refers to the Firefox/Opera/Chrome version of the Flash Player as the "plug-in" version. In Internet Explorer, the Flash Player is an ActiveX control. You'll see them listed separately in the list of installed software in the control panel.


August 27, 2008 10:41 PM PDT

Be safer than NASA: Disable autorun

by Michael Horowitz

NASA confirmed this week that a computer on the International Space Station is infected with a virus. (See "Houston, we have a virus" at The Register.)

The malicious software is called W32.TGammima.AG, and technically it's a worm. The interesting point, other than how NASA could let this happen, is the way the worm spreads--on USB flash drives.

Randy Abrams, director of technical education at ESET, alerted me about this. Touching on both interesting points, he said:

To start with, no computer going into space should have autorun enabled. Simply disabling autorun would have almost certainly rendered the worm inert. Given the age of the worm, and its low risk ranking, it is probable that current (antivirus) software was not being used either.


Malicious software spread by USB flash drives and other removable media takes advantage of a questionable design decision by Microsoft. Windows is very happy to run a program automatically when a USB flash drive is inserted into a PC. How convenient, both for end users and for bad guys.

Abrams blogged about this back in December, and I wrote about it in March. In that posting, I described how to disable autorun for Windows XP and Windows 2000 and I just revised it to include Vista.

In his December blog, Abrams writes, "Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."

Don't be a victim: disable autorun (also known as autoplay) for all devices. It may be a bit inconvenient going forward, but to me, the added safety is well worthwhile.


May 30, 2008 10:32 AM PDT

Exploited bug doesn't exist in latest version of Flash

by Michael Horowitz

Old versions of Adobe Flash Player, perhaps the most widely used software in the world, contain known bugs that are being actively exploited online. If you are using any version of Flash Player, other than the latest, you should update to version 9.0.124.0 as soon as possible.

Early reports from Symantec said the bug being exploited was a new one. It turns out this is not the case. On Thursday, Adobe said:

"Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."

You can see which version of Flash Player is being used by your Web browser at the Adobe Flash tester page. You need to check every Web browser installed on your computer.

For instructions on updating Flash Player, see Time to update the Flash Player. Here's how. If you use the portable version of Firefox, see Portable Firefox and the Flash Player for instructions on updating Flash Player.


April 14, 2008 11:05 PM PDT

Portable Firefox and the Flash Player

by Michael Horowitz

I had no intention of focusing so much on the Flash Player and Firefox, but there just seems to be a lot to say. This time the topic is installing the latest version of the Adobe Flash Player in a portable version of Firefox.

I'm a huge fan of portable applications; I all but live in the portable versions of both Firefox and Thunderbird, both downloaded from portableapps.com. This posting was written in an airport and traveling is one reason to like portable applications. I normally work on a Windows XP desktop computer and before leaving on a trip, all I have to do is copy a single folder from the desktop machine to my XP based laptop computer to bring along my copy of Firefox. Copying another folder gives me all my email. When I return from the trip, copying the folders back is all it takes to pick up where I left off.

The Firefox folder includes not only the program, but also my bookmarks, my preferred configuration options, the website passwords that Firefox saves for me and the customization I made to the toolbar (such as adding the New Tab button and removing the Home button). It also includes my extensions, for the most part.

This all works fine, with the slight exception of the Flash Player plugin. Adobe doesn't do portable. Neither the Flash Player installer nor the uninstaller is the least bit aware of, or concerned with, portable versions of Firefox.

A few days ago, when I updated my desktop computer to the latest version of the Flash player, it didn't take. Although the Flash Player installer ran fine, my portable copy of Firefox kept using the old version, according to the Adobe Flash tester page.

Confused, I ran a scan with the free online Secunia Software Inspector (highly recommended) and it reported that the new version of Flash was happily living on the hard disk at C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll.

But, I had run a normal Secunia scan rather than a "thorough" scan. The normal scan looks for applications in their normal location. Anyone using a portable application needs to use the "thorough" option when scanning with Secunia for old software. A thorough scan showed that the portable version of Firefox was indeed still using the older software.

It also, conveniently, showed the file name and location of both the new Flash Player on the C disk and the old copy on the X disk where the portable copy of Firefox resided.

What To Do?

There are a couple of ways to deal with this.

If, as in my case, the computer has the latest copy of the Flash Player on the C disk, copying the appropriate DLL from the C disk to the X disk will get the portable Firefox using the latest version of Flash.

Specifically, copy file NPSWF32.dll from C:\WINDOWS\system32\Macromed\Flash to X:\FirefoxPortable\App\firefox\plugins. The full path for your portable copy of Firefox will be different, but wherever it resides, copy the Flash Player DLL into the \App\firefox\plugins folder. Again, a "thorough" Secunia scan will point you to the right place.

If the computer in question doesn't have a normally installed copy of Firefox, then simply delete or rename the file with the old version of the Flash Player (Secunia will find it). The next time you visit a web page that needs Flash, such as the Adobe Flash tester page, Firefox will prompt you to install the missing plugin and you'll get the latest version.

Finally, be aware that a portable copy of Firefox that doesn't have its own installed version of the Flash Player will pick up a copy from the C disk, if a normally installed copy of Firefox exists. But, if the portable Firefox has an old version of Flash in its plugin folder, it will use that even if a newer version of Flash is on the C disk - which is what prompted this posting in the first place.

It's a pain, but to me, well worth it for the advantages of portable web browsing.
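The inventory step described above can also be scripted. The following is an added example, not part of the original post or any Adobe or Secunia tool: it walks a set of folders for every copy of NPSWF32.dll, reads each file's version, and lists the copies older than a required version. It assumes the version can be found by scanning the file for the standard Windows VS_FIXEDFILEINFO signature (a heuristic), and the function names and the constructed test files are hypothetical.

```python
import os
import struct
import tempfile

# Signature and structure version that open VS_FIXEDFILEINFO in a version resource.
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
FFI_STRUC_VERSION = 0x00010000


def parse_version(text):
    """Turn '9,0,124,0' or '10.0.12.36' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.replace(",", ".").split("."))


def file_version(path):
    """Return the file version stored in a DLL as a 4-tuple, or None if absent.

    Heuristic (assumption of this example): scan the raw bytes for the
    VS_FIXEDFILEINFO signature rather than walking the PE resource tree.
    """
    with open(path, "rb") as handle:
        data = handle.read()
    pos = data.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            _sig, struc, ms, ls = struct.unpack_from("<IIII", data, pos)
            if struc == FFI_STRUC_VERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FFI_SIGNATURE, pos + 1)
    return None


def find_copies(roots, names=("npswf32.dll",)):
    """Yield (path, version) for every file under roots whose name matches."""
    wanted = {name.lower() for name in names}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() not in wanted:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    yield path, file_version(path)
                except OSError:
                    yield path, None  # locked or unreadable: report it anyway


def outdated_copies(roots, minimum, names=("npswf32.dll",)):
    """Return sorted (path, version) pairs older than minimum or unreadable."""
    floor = parse_version(minimum)
    return sorted(
        (path, version)
        for path, version in find_copies(roots, names)
        if version is None or version < floor
    )


def _fake_plugin(version):
    """Constructed test data: padding plus a minimal VS_FIXEDFILEINFO header."""
    a, b, c, d = parse_version(version)
    header = struct.pack("<IIII", 0xFEEF04BD, FFI_STRUC_VERSION,
                         (a << 16) | b, (c << 16) | d)
    return b"MZ" + b"\0" * 64 + header


def demo():
    """Recreate the post's situation: new copy on C, old copy in portable Firefox."""
    with tempfile.TemporaryDirectory() as top:
        layout = {
            os.path.join("WINDOWS", "system32", "Macromed", "Flash"): "9,0,124,0",
            os.path.join("FirefoxPortable", "App", "firefox", "plugins"): "9,0,115,0",
        }
        for folder, version in layout.items():
            os.makedirs(os.path.join(top, folder))
            with open(os.path.join(top, folder, "NPSWF32.dll"), "wb") as out:
                out.write(_fake_plugin(version))
        found = outdated_copies([top], "9,0,124,0")
        return [(os.path.relpath(path, top), version) for path, version in found]


if __name__ == "__main__":
    for path, version in demo():
        print(path, version)
```

On a real machine, pass the drive roots to scan (including the disk holding the portable browser) to `outdated_copies` along with the current version number.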

Note: The Secunia Software Inspector requires a recent version of Java. You can see which, if any, version of Java is installed on your computer at my JavaTester.org site.


April 12, 2008 4:05 PM PDT

Tracking down Firefox plug-ins

by Michael Horowitz

My last posting was about upgrading the Adobe Flash Player, a Web browser plug-in. Adobe Systems just released a new version that fixes critical bugs in older versions, so everyone should update to the latest version.

Adobe's Flash tester page displays the version of the Flash Player being used by your Web browser. Sometimes though, the Firefox results may not be what you think they should be. I've run across a couple instances in which Firefox was not using a newly installed version of the Flash Player.

The rules for where or how Firefox loads plug-ins have changed over time, and all software vendors may not have a perfect understanding of them. Then too, many uninstallers leave files behind; it's almost the rule rather than the exception. If your copy of Firefox isn't doing what it's supposed to do, there are two ways to find out from where it picked up a particular plug-in.


Start Firefox, and in the address bar, enter "about:config" without the quotes (see above). In the filter bar, enter "plugin", again without the quotes. Double-click on "plugin.expose_full_path." This should change the value from "false" to "true" and the status from "default" to "user set."

Go back to the address bar, and enter "about:plugins" (no quotes). As shown below, the file name in the Shockwave Flash section has the name and the full path of the file Firefox is using for the Flash Player.


If there is no Shockwave Flash section, try visiting a Web site that uses Flash. Adobe's Flash tester page is a good choice.

You can also use the excellent Process Explorer program from Microsoft to see which DLL Firefox is using for the Flash Player. In Process Explorer, click on the running instance of Firefox, click the button to show the lower pane, then use the button next to it to ensure that you are viewing DLLs rather than Handles.

Sort the list of DLLs by company name so that Adobe files appear near the top. The current flash DLL is NPSWF32.dll. To see where it came from in the local file system, either hover the mouse over the name of the DLL or double-click on it to open a properties window that shows the file location.

This detective work is especially important when dealing with portable versions of Firefox. More on that soon.


April 10, 2008 6:56 PM PDT

Time to update the Flash player. Here's how

by Michael Horowitz

If you are reading this on a computer, it's a sure bet that Adobe's Flash Player is installed. A couple days ago, Adobe released a new version of the Flash Player web browser plugin and there are a few things you need to know to upgrade correctly.

To confirm that you need an upgrade, point your browser to adobe.com/products/flash/about. The just-released version of the Flash Player is 9.0.124.0. The prior version, 9.0.115.0, was released in December 2007. Each web browser installed on your computer is a free agent (so to speak) so you need to check each one to know if an upgrade is needed.

If you need to upgrade, don't, not yet.

Uninstall First

The Flash installer has a long history of not removing older versions. Since it's never good to have buggy software on your computer, the first step to upgrading the Flash Player is removing any and all prior versions. Windows users can get a report of all copies of the Flash player from the free online Secunia Software Inspector. I suggest opting for the "thorough system inspection". Recently, on a brand new computer, Secunia found a copy of the downright ancient Flash Player version 6.

Firefox users on Windows will have two copies of the Flash player. Adobe packages Flash as an ActiveX control for Internet Explorer and as a "plugin" for Firefox, Opera, Netscape and Mozilla.

There are three ways to uninstall the Flash player, the normal way, the manual way and the recommended way.

For Windows users, the normal way is, of course, the "Add or Remove Programs" thingy in the Control Panel. In the past, this has not been reliable.

Instead, I suggest downloading Adobe's Flash Player uninstaller which, quoting Adobe, "will remove Adobe Flash Player from all browsers on the system." A new version of the uninstaller was released on April 8th. Good thing too, as the prior version had some issues. You can read about the Flash Player uninstaller here. There is a version for Windows, a version for Mac OSX and another version for Mac OS8 and OS9. Linux users can find both install and un-install instructions at the Adobe Flash Player for Linux Readme.

The Flash uninstaller needs some care and feeding. Adobe warns that it cannot remove in-use files, so they advise quitting ALL running applications. They also warn that "Internet Explorer users may have to reboot to clear all uninstalled Flash Player ActiveX control files. If you're not certain, select the "Show Details" button in the Flash Player uninstaller. If there are any log lines that begin with "Delete on Reboot..." then you'll need to reboot BEFORE running the Flash Player installer again."

Below is a screen shot of the Flash Player uninstaller:


After running the uninstaller, I suggest that Windows users run a "thorough" scan with the Secunia Software Inspector to ensure that all versions were really removed. Any instance of the Flash Player that was left behind is a candidate for manual removal. As shown below, Secunia points you directly to the offending file(s).


In my experience, the Flash Player has always been a single file. Renaming or deleting the file should logically uninstall it. If you opt to rename it, be sure to change the file type. I got burned recently when I changed the file name but left the file type unchanged. For example, to rename x.dll, use x.dll.DONTUSEME rather than x.DONTUSEME.dll.

Installing

You can get the latest version of the Flash Player at www.adobe.com/go/getflash. The web page detects your operating system and browser and offers the correct version of the software automatically.

Internet Explorer users get an option that Firefox users (on Windows) do not - also installing the Google Toolbar. There is no need to install the Google software. In general, if software companies offer to throw in extra stuff for free, it's to their benefit, not yours.

The install process, in Windows, is very different for Internet Explorer and Firefox. The Internet Explorer installation is done within the browser. The Flash Player is an ActiveX control, so you will likely have to approve the yellow toolbar warning and then again approve the installation in a pop-up window.


The Firefox install starts with downloading an installer file (install_flash_player.exe). Then you have to shut down Firefox and run the installer. When it's done, you should see something like the screen shot above. At this point, I suggest taking Firefox on a visit to the Adobe Flash tester page to ensure that everything went according to plan.

As I write this, I've upgraded just a couple machines. One Windows XP machine had version 9.0.28.0 of the Flash Player and, in the interest of research, I installed the latest version directly on top of the old version. It failed, as you can see in the screen shot below. However, re-running the installer worked fine.


The Flash Player may well be the most widely used software in the world. Make sure your copy is up to date.

Update April 11, 2008: Someone commented below that the Flash uninstaller failed to remove old copies of version 6 and 7 that a "thorough system inspection" with the Secunia Software Inspector found. I can't confirm this, so if you find these old versions of the Flash player, please let me know your experience, either with a comment below or send me an email at my personal website, michaelhorowitz.com.

Update April 12, 2008: If Firefox seems to be using the wrong version of the Flash Player, or any other plugin, see Tracking down Firefox plugins.


March 15, 2008 10:19 PM PDT

USB flash drives need a condom

by Michael Horowitz

Many Windows users are annoyed by the Autoplay feature. But Leo Notenboom recently explained why it is dangerous, rather than annoying.

Many of us, when we run across an unknown USB flash drive (a.k.a. thumb drive, pen drive, memory stick, etc.) will stick it in a computer to see what's on the thing. It's at this point that Autoplay can screw you big time.

Unlike with CDs, Autoplay on a USB flash drive will run a program immediately, no questions asked. Quoting Leo: "USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware." The only thing most malicious software needs is for you to run the program. The Windows Autoplay feature, for flash drives, hands this service to the bad guys on a silver platter.

The question posed to Leo was "I found a USB thumb drive, plugged it in and now my system won't work. What happened?" His answer: the computer was probably infected with some type of malicious software.

Windows XP

To disable Autoplay totally, Leo suggests a free program from Microsoft for Windows XP called TweakUI. TweakUI is needed for Windows XP Home Edition users, but XP Professional can do this without the extra software (TweakUI will work on XP Professional).

The downloaded program, TweakUiPowertoySetup.exe, is only 146K. When you run the program it installs immediately, no questions asked, no decisions to be made. It does not create a desktop icon for itself, so you find it with Start -> All Programs -> Powertoys for Windows XP. To turn off AutoPlay system-wide, run TweakUI, start at My Computer -> Autoplay -> Types -> turn off the checkboxes.


Disabling Autoplay in Windows XP Professional with Group Policy

Windows XP Professional can disable Autoplay using the built-in Group Policy feature (see above). To invoke the Group Policy Editor, click the Start button, then Run and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Turn off Autoplay" and double click on it. It starts out in a "Not Configured" state. Click on the "Enabled" radio button, then for "Turn off Autoplay on" select "All drives".

Windows 2000

Windows 2000 does not, by default, Autoplay on USB flash drives. Nonetheless, it supports Group Policies that can be used to disable Autoplay system-wide. Quoting the operating system itself:

"By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. If you enable this policy, you can also disable Autoplay on CD-ROM drives, or disable Autoplay on all drives."

Disabling Autoplay in Windows 2000 with Group Policy

The procedure to disable Autoplay system-wide is very much like that in XP Professional. Click the Start button, then Run, and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Disable Autoplay" and double-click on it.

At this point, the terminology couldn't be any worse. What does it mean to disable the policy that disables Autoplay? Do two wrongs make a right? As shown above, enable the policy and then "Disable Autoplay on All drives."

Windows Vista

As with Windows XP, the expensive versions of Vista (Business and Ultimate) include a Group Policy editor. To run it, click the Start button and in the search box type "gpedit.msc" without the quotes. Browse to Windows Components, then to AutoPlay Policies. Change the value of "Turn off Autoplay" to enabled.

The cheap versions of Vista, such as Home Premium, can do this in the Control Panel. Under Hardware and Sound, click on "Play CDs or other media automatically." Then uncheck the checkbox for "Use AutoPlay for all media and devices."
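To confirm that the Group Policy change took effect, the stored setting can be checked directly. This is an added example, not part of the original post: it assumes the policy is stored in the NoDriveTypeAutoRun registry value, with the bit meanings and default values given in Microsoft's documentation (none of which appear in the post), and that the machine-wide value takes precedence over the per-user one. The function names are hypothetical.

```python
import sys

# A set bit turns AutoRun OFF for that drive type (per Microsoft's documentation).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",   # USB flash drives
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}
ALL_DRIVES = 0xFF        # what "Turn off Autoplay on: All drives" stores
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# Documented defaults, used here as sample inputs.
DEFAULT_WINDOWS_XP = 0x91
DEFAULT_WINDOWS_2000 = 0x95


def autorun_still_enabled(value):
    """Return the drive types on which AutoRun remains active for this value."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit)


def assess(value):
    """Summarize a policy value; None means the value is not present."""
    if value is None:
        return "not configured: the operating system default applies"
    if value & ALL_DRIVES == ALL_DRIVES:
        return "ok: AutoRun is off for all drives"
    return "weak: AutoRun still active on " + ", ".join(autorun_still_enabled(value))


def read_policy():
    """Read the value from the registry; None when unset or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    # Assumption: the machine-wide value wins over the per-user value.
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                raw, _kind = winreg.QueryValueEx(key, VALUE_NAME)
        except OSError:
            continue  # key or value missing in this hive
        # Older tools wrote the value as binary rather than as a DWORD.
        return int.from_bytes(raw, "little") if isinstance(raw, bytes) else int(raw)
    return None


if __name__ == "__main__":
    print("this machine:", assess(read_policy()))
    for label, sample in (("XP default", DEFAULT_WINDOWS_XP),
                          ("2000 default", DEFAULT_WINDOWS_2000),
                          ("all drives", ALL_DRIVES)):
        print(f"{label} (0x{sample:02X}):", assess(sample))
```

The two defaults show the difference the post describes: the Windows XP default leaves removable drives enabled, while the Windows 2000 default does not.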

Is This Enough?

I have seen reports online that the above measures are not sufficient to fully protect you from autorun/autoplay in all instances. I can't evaluate these claims for myself, but even if they are true, there is no doubt that you are safer disabling autorun as described above than you are not disabling it.

Update: March 16, 2008: Just for good luck, make a Restore Point before changing the Autoplay default. See Four tips to using System Restore on Windows XP.

Update: March 17, 2008: Added section on Windows 2000.

Update: August 27, 2008: Added section on Windows Vista.


February 12, 2008 12:00 PM PST

Bug fixes! Patches! Updates! Come and get it

by Michael Horowitz

Bug is a dirty word in the software world. After all, it means "mistake" and no one wants to admit they made a mistake. Instead of calling the fix for a mistake by its rightful name, a bug fix, software companies refer to "patches" or "updates". Soft words. Happy words.

The bug itself is called a "hole" or a "vulnerability". Initially, bugs were called "issues" but eventually people caught on. Did you happen to notice that Mitt Romney recently "suspended" his campaign (a soft word), as if he was taking the weekend off, rather than actually stopping (a harsh word)?

But getting back to software, below I go over a slew of important bug fixes released in the last few days. I also describe the latest updates to Java and the Flash player even though they weren't released this week. As more and more Windows users get their Windows fixes automatically, the bad guys are naturally going to attack other software on your computer. Thus, it's important to install the fixes described below. This is a Defensive Computing blog after all.

Recent Bug Fixes

Firefox released version 2.0.0.12 on February 7th to fix ten bugs, three of which are considered critical. Firefox runs on Windows, Macs, Linux and more. Mozilla, the company behind Firefox, doesn't say if any of the bugs are specific to an operating system, so all Firefox users should upgrade.

The usual Help -> About displays the currently installed version. You can force Firefox to check for updates with Help -> Check for Updates.

Firefox normally checks for updates often enough that you don't need to be concerned. From what I've seen, looking at website usage statistics, the vast majority of Firefox users are using the latest version. That means most Firefox users have it configured to automatically check for updates. To see how your copy of Firefox is configured, do Tools -> Options -> Advanced -> Updates tab. When updates are found, Firefox can either apply them automatically or ask you before applying them. All in all, the self-updating of Firefox works great.

The Adobe Acrobat Reader was updated on February 6th to fix security problems on Windows and Macs. Interestingly, Adobe says they support Mac OS X Leopard up through version 10.5.1. That was as of February 7th, but Apple updated Leopard to version 10.5.2 just four days later (see below for more on updates to OS X). Adobe hasn't yet said if this latest update to the Reader works on the latest version of Leopard.

The latest and greatest Acrobat Reader is version 8.1.2. If you are running version 7, the latest edition, 7.0.9, has known bugs that Adobe has not yet issued fixes for. They intend to. According to Adobe Reader 8.1.2 Release Notes, the latest version of the Adobe Reader is available on Windows 2000, XP, Vista, 2003 Server, as well as Macs, Linux and Solaris.

In both versions 7 and 8, the usual Help -> About displays the current version and you can check for updates with Help -> Check for updates. Most likely you will find available updates. Version 7 dealt with this well, displaying all the available updates and letting you pick and choose those to install. Version 8 has, by default, done away with displaying information about each available update. I mention this because there are updates that version 8 users may not want or need.

If you are using version 8, then after checking for updates, click on the "Show details" link before downloading anything. You may also want to click on the "preferences" link to configure self-updates. In terms of security, you don't need the update that installs dictionaries for spell checking for multiple languages. You also don't need the Photoshop Album Starter Edition.

Depending on how your copy of the Adobe Reader is configured, it may notify you of the need to update itself as soon as the program starts up.

According to Adobe, bug fixes are also needed if you are running "Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions". For more see Security update available for Adobe Reader and Acrobat 8 and the Secunia advisory.

 

Apple's QuickTime was updated on February 6th to fix a security problem. The latest version is 7.4.1. The update affects Mac OS X v10.3.9, v10.4.9, v10.5, Windows Vista and Windows XP SP2. You can download it here and see the Secunia advisory. Apple has a software update service for both Macs and Windows, but I'm not familiar with it.

 

Skype was updated on February 5th to fix a security problem that only affects Windows users. The new version of Skype for Windows is 3.6.0.248. You can download the latest Skype software here. For more, see the Secunia advisory or read about the problem from Skype.

 

Windows users can check for software that is missing bug fixes using the online Secunia Software Inspector.

Not So Recent Bug Fixes

Java was updated a few weeks ago, but there was confusion about the need for the latest version, 1.6.0_04. I wrote about this on February 8th, see Sun's Java sloppiness.

Update. February 13, 2008: Sun provides recent copies of Java for Windows, Linux and Solaris here but not for Macs. At this Java.com download page, Sun links to Apple's web site, where the available versions of Java are very old. Specifically, this page offers downloads of Java version 1.5.0_08 and 1.4.2_12. More recent was the December 13, 2007 release by Apple of Java for Mac OS X 10.4 which offers up versions 1.5.0_13 and 1.4.2_16. Despite the title, it seems as if these versions of Java are supported on Leopard (10.5). I am not a Mac user so I can't test this myself. If and when Apple will release a version of Java in the 1.6.x family is anyone's guess. For more see developer.apple.com/java/.

To see which version of Java is installed on your computer, you can use my javatester.org web site. Be sure to check in every web browser that you use.

The confusion included Secunia recommending version 1.6.0_04, while Sun recommended version 1.6.0_03. Since writing about this on the 8th, I've been in contact with Sun. I'll have more to say on this later, but suffice it to say that version 1.6.0_04 contains many updates but only one that might be considered a security update. Sun's position is that version 1.6.0_03 is secure for normal consumer usage.

If you are running version 1.6.0_03, it may not be worth the trouble to update to the latest version. If you have an earlier version of the 1.6 family however, then you should update and, if you're going to update, you might as well go for 1.6.0_04. The last version of the previous 1.5 family is 1.5.0_14. According to Secunia, this version is secure, but earlier versions of 1.5.x are not.

Before updating Java, I suggest removing older versions. Windows users can do this with the usual Add/Remove programs thingy in the Control Panel (I say "thingy" because when discussing Java, the normal term, "applet", has a specific non-Windows meaning).

 

The latest version of Adobe Flash player was released in mid-December. I mention it here because it fixed a number of critical security bugs, everybody has a copy, and it didn't get a lot of publicity.

To see which version of the Flash player is installed on your computer, go to www.adobe.com/products/flash/about/. The latest is version 9,0,115,0. As with Java, you need to check this in all web browsers on your computer as different browsers can be using different versions.

I wrote about updating the Flash player on January 28th, see A heads-up on the Adobe Flash player. For safety, old version(s) should be manually un-installed before installing a new version. Unfortunately, removing the Flash player can be problematic. My blog posting has more on this, but after removing the Flash player, check with the above web page that each browser on your machine is, in fact, not able to access Flash. Adobe has a dedicated Flash Player un-installer, if need be.

The latest version of the Flash player is available at www.adobe.com/go/getflashplayer.

Operating Systems Too

Both Windows and Mac OS X were also just updated.

Updates to Mac OS X were released yesterday (February 11th). The latest Leopard is now 10.5.2. For more, see this from Apple docs.info.apple.com/article.html?artnum=307109 and Apple updates Leopard, Tiger with security updates from fellow CNET blogger Robert Vamosi. I couldn't find any references to recent Tiger (10.4) bug fixes at Apple's web site.

All users of Mac OS X should read Mac OS X: Updating your software from Apple.

Update: February 13, 2008: The title says it all: Rush Limbaugh begs Steve Jobs for bug fixes.

 

The latest Microsoft bug fixes roll out today, February 12th, otherwise known as "Patch Tuesday". Some fixes are for Windows, some are for Microsoft Office. Specifically, there are bug fixes for Windows 2000, XP, Vista and Server 2003 as well as Office 2000 and 2003 and Office for the Mac 2004.

For the gory details see Microsoft Security Bulletin Advance Notification for February 2008 from Microsoft and Microsoft fixes 17 flaws in 11 patches; 6 are critical by CNET blogger Robert Vamosi.

I need your help here. The latter article starts with "Microsoft on Tuesday released its February 2008 security bulletin, which includes eleven bulletins, six of which are deemed Critical by Microsoft, while five are deemed Important."

The latest soft word in the bug field seems to be "bulletin". I missed the memo. What's a bulletin? Is it a bug? A bug fix? A description of the bug? How can the February bulletin include eleven bulletins?


January 26, 2008 7:49 PM PST

A heads-up on the Adobe Flash player

by Michael Horowitz
  • 4 comments

The free Flash player from Adobe is one of the most popular pieces of software on the planet. It's a web browser add-on that runs in Windows, Mac OS X and assorted versions of Linux and Unix. A large percentage of web pages include Flash-based content. It's all but guaranteed to be installed on the computer you are reading this on.

There are a few things you need to know about it.

The current version of the Flash player is 9.0.115.0. Older versions suffer from critical security problems, so if you are not using version 9.0.115.0 you need to upgrade. You can see which version of the Flash player your web browser is using at Adobe's Flash tester page (my terminology). You need to run this test in every web browser installed on your computer because they might be using different versions of the Flash player.

Screenshot from www.adobe.com/products/flashplayer/

Uninstall First

Before installing a new version of Flash you should uninstall the old version(s). I say this both because removing software with known security bugs is a good thing in general and because Adobe recommends it in one of their TechNotes which says "Before you install Flash Player for any Windows browser, uninstall all previous versions" (see Troubleshoot Adobe Flash Player installation for Windows).

Over the years, the Flash installer has not un-installed old versions. Thus, there may be a slew of old, buggy copies of the Flash player on your computer.

Although the Flash player appears in the list of installed software in the Windows Control Panel "Add or Remove Programs" list, removing it from there doesn't always work. And, it may not tell you that it didn't work.

Update. January 30, 2008: According to Adobe, removing the Flash player via the Windows Control Panel should be the first approach. This will work for recent versions of the Flash player, but not for older versions. If your browser(s) continue to use an old version of Flash after removing it via the Control Panel, then try the un-installer.

Update. February 4, 2008: On a Windows XP machine running IE7, I was not able to remove the Adobe Flash Player 9 ActiveX using the Add/Remove Programs applet in the Control Panel. Clicking the button did nothing. The computer was using Flash version 9,0,45,0 which is fairly recent. The downloadable Flash uninstaller, dated December 3, 2007 did remove the Flash player.

The official way to remove the Flash player is with an un-installer program that you can download from Adobe. Another one of their TechNotes says "Due to recent enhancements to the Adobe Flash Player installers, you can now remove the player only by using the Adobe Flash Player uninstaller."

How would someone know this? It seems a techie has to tell you. One just did.

No one told Ian "Gizmo" Richards, the man behind the Support Alert newsletter. The just-released January 24th edition warned about the Flash security problems and the need to upgrade to version 9.0.115.0, but it didn't mention Adobe's Flash Player un-installer program. This is not a criticism of Mr. Richards; to my mind, Adobe hasn't done enough to publicize either the non-standard uninstall process or the need to upgrade to version 9.0.115.0 in the first place.

For example, a search on CNET's own news.com for "flash player" turns up my previous blogs, but nothing in the news section about the need to upgrade the Flash player. Lockergnome also doesn't seem to have mentioned this. Neither did Good Morning Silicon Valley or InfoWorld. ComputerWorld mentioned the need to upgrade, but said nothing about un-installing old versions. Brian Krebs at WashingtonPost.com mentioned both the needed upgrade and the un-installer, but only mentioned the un-installer in passing.

On top of this, the Adobe Flash player un-installer is incomplete. I documented two instances where the Adobe uninstaller left behind an old buggy copy of the Flash player (see Problems updating the Flash player in Firefox? Here's Help). I first reported this to Adobe roughly a month ago. Since then, they have not released a new version of their un-installer. The latest version, with these two problems, is dated December 3, 2007.

Adobe is hurting their reputation by failing to reliably un-install their own software. Since they are not helping you, you need to help yourself.

Secunia Software Inspector

One way to get an inventory of old copies of the Flash player that may still be floating around your computer is the online Secunia Software Inspector.*

This free service from Secunia runs as a Java applet and scans your computer looking for software (not just Flash) with known security vulnerabilities. By default, it only checks software installed in the standard or official location. In response to a communication from me, Secunia recently changed their search pattern for the Flash player and they are now more likely to find all live copies. Still, to get a full accounting, I suggest running a "thorough system inspection" - it's a checkbox under the blue Start button. This looks for software in "non-default locations". To me, if you're going to run a scan for insecure software at all, you might as well do the most thorough scan possible.

The downside to the Secunia Software Inspector is the need for Java, another web browser add-on. Not only does your computer need to have Java installed (many don't), Secunia also requires a recent version (1.5.0_12 or later). At my javatester.org website you can check whether Java is installed on your computer and which version you have. Java is like Flash in that different browsers on the same computer can be using different versions. Thus you need to test the Java version in all of your web browsers.

If dealing with Java is too much for you, Secunia has a similar program, their Personal Software Inspector, that you can download and install. It runs on Windows XP, Vista, 2000 and 2003.

The Flash player is just a file. In Windows, it may be a DLL file or it may be an OCX file. The file names have changed many times. Old versions that Secunia finds can be removed simply by deleting the file that Secunia identifies.

After removing the old versions, verify that each of your web browsers is no longer using Flash at Adobe's flash tester page. Internet Explorer should offer to install the ActiveX version of Flash when it finds it missing. Firefox will offer links to the plug-in version of Flash. In both cases the installation process is pretty standard.

If this doesn't work (which has happened to me a few times) you can download Flash at www.adobe.com/go/getflashplayer. This page auto-detects your web browser and offers the correct version of Flash for that browser.

Cheat Sheet

The cheat sheet below, for Windows users, summarizes the necessary steps:

  • Go to my javatester.org web site and check if Java is installed.
  • If it is, and it's from Sun Microsystems and is version 1.5.0_12 or later, then run the online Secunia Software Inspector. Opt for a "thorough system inspection" (it's a checkbox under the blue Start button).
  • If Java is not installed, or is not from Sun or is too old, then there are two options. Either upgrade to the latest version of Java (here too, un-install any old versions first) or download and install the Secunia Personal Software Inspector. If you opt to download Secunia's software, then after installing it, check the Settings section. You may want to change some of the default options. For example, it wants to run all the time in the background.
  • If the only versions that Secunia detects are 9.0.115.0, then all is well. You're done.
  • If there are versions older than 9.0.115.0 they should be removed (covered in the next few steps).
  • Download, install and run Adobe's Flash un-installer program from here.
  • After running it, repeat the Secunia search to verify that all versions of Flash were in fact removed. If any versions were not removed, delete the files that Secunia identifies.
  • From every web browser on your computer visit Adobe's Flash tester page. At this point, no web browser on your computer should report that it is using Flash. Instead they should offer to install the missing Flash player.
  • Install the latest version of the Flash player in every web browser on your computer. If the automatic installation at the Flash tester page fails, then manually install it from www.adobe.com/go/getflashplayer.

The Secunia Software Inspectors are Windows-only. Mac users can download and run a Mac version of Adobe's Flash player un-installer. Linux users get no assistance from either Secunia or Adobe.
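For Windows users who want a local check alongside the cheat sheet, the following PowerShell sketch inventories Flash Player files by reading each DLL and OCX file's version resource and flags any copy older than 9.0.115.0. It is an added example, not code from Adobe or Secunia; the search roots and the rule of matching the word "Flash" in the version resource are assumptions, since the post lists no paths or file names.

```powershell
# Added example: inventory Flash Player binaries on disk and flag copies older
# than the 9.0.115.0 baseline named in the post.
param(
    # Assumption: folders to search. The post lists no paths, so pass extra
    # roots (for example a browser's install folder) as needed.
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles),
    [version]$Baseline = '9.0.115.0'
)

function Get-FlashCopy {
    param([string[]]$Path, [version]$Minimum)

    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.ocx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Assumption: the version resource mentions "Flash" in its product
            # name or description. File names are not used, because the post
            # notes they have changed many times.
            if ("$($vi.ProductName) $($vi.FileDescription)" -notmatch 'Flash') { return }

            # Build the version from its numeric parts so the comma-separated
            # display string (such as "9,0,45,0") never has to be parsed.
            $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)

            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $found
                Outdated = ($found -lt $Minimum)
            }
        }
}

$copies = @(Get-FlashCopy -Path $Roots -Minimum $Baseline)
$copies | Sort-Object Version | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or login script notice leftovers.
$old = @($copies | Where-Object Outdated)
if ($old.Count -gt 0) {
    Write-Warning "$($old.Count) Flash Player file(s) older than $Baseline remain on disk."
    exit 1
}
```

Run it once before the un-installer and once after; the second run should list no outdated copies, which is the same verification the cheat sheet performs with a repeat Secunia scan.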

It's a shame that Adobe makes this so difficult.


*Regardless of Flash, being familiar with and regularly using the Secunia inspector is a great step towards Defensive Computing.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
