A pillar of Defensive Computing is keeping software up to date, especially the popular software often targeted by bad guys.
Adobe recently released a new version (10.0.45.2) of the Flash player web browser plug-in and yesterday I updated my computer to the latest version. On Windows computers, this needs to be done twice, once for Internet Explorer and then again for other browsers.
After updating the Flash player, I always verify it at Adobe's Flash tester page. So, imagine my surprise when, after turning on the computer this morning, there was a warning (shown below) that an update to my Flash Player was available.
I think not.
To verify that I actually was up to date, I turned to one of my favorite online applications, the Secunia Online Software Inspector (OSI). The report below shows that the computer had the latest version installed (Note: NPAPI is the Firefox/Chrome/Opera version, ActiveX is the IE version).
Could it be that Adobe found an old version of Flash hanging around? At times, updating to the latest version of the Flash Player does leave behind the old software.
Not this time. I've been down that road often and Secunia's Online Software Inspector always reports on the old versions. The computer was clean.
The warning window has a link to read more about this update. While, technically, the page does offer more about the update, that's not its purpose. Instead it offers more information about every update ever released. Nothing on the page points to the current update.
The warning window also links to a security bulletin that recommends updating to the version that was already installed.
I can only guess that Adobe checked yesterday, found that the Flash player was old and instead of issuing the warning then and there, waited until the next reboot. Again, that's just speculation.
The bigger lesson here, the Defensive Computing lesson, is that you should never trust this warning message.
It's not that Adobe isn't trustworthy, but that you can't be sure where the warning came from*.
It would be easy for bad guys to create a scam warning that looks exactly like the real one and use it to lure you to a malicious website. Adobe makes it easier on the bad guys by not reporting either the installed version(s) of the Flash player or what the latest version is.
Instead of clicking anywhere in this warning, the safer approach is to go to the Flash tester page to see if you really need an update. Again, Windows users need to do this for both Internet Explorer and whatever alternate web browser they use.
All told, a sad state of affairs.
*In my case (Windows XP SP3), Process Explorer showed that the warning window came from program NPSWF32_FlashUtil.exe running out of C:\WINDOWS\system32\Macromed\Flash.
NOTE: You can change how often Adobe checks for new versions of the Flash Player.
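The two checks the post describes by hand, looking up the installed Flash version(s) for both plug-in types and finding out which program on the machine put up the warning window, can be done locally without visiting any page the warning links to. The script below is an added example, not code from the original post or from Adobe. It assumes the directory named in the footnote above (%SystemRoot%\system32\Macromed\Flash, plus the SysWOW64 equivalent on 64-bit Windows), the file-name convention that *.ocx is the ActiveX control for Internet Explorer and NPSWF32*.dll is the NPAPI plug-in for other browsers (both assumptions), and PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Inventories the Flash Player
# binaries on the local machine and lists running processes started from the
# Flash directory, so an update prompt can be checked against facts instead
# of trusted. Directory and file-name conventions below are assumptions.

function Get-FlashDirectory {
    # Assumption: 32-bit Flash lives here; on 64-bit Windows the 32-bit
    # plug-in is under SysWOW64. Only directories that exist are returned.
    @(
        (Join-Path $env:SystemRoot 'system32\Macromed\Flash'),
        (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash')
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-FlashInventory {
    foreach ($dir in (Get-FlashDirectory)) {
        Get-ChildItem -Path (Join-Path $dir '*') -Include '*.ocx', '*.dll', '*.exe' |
            ForEach-Object {
                # Assumed naming: *.ocx = ActiveX (IE); NPSWF32*.dll = NPAPI plug-in.
                $kind = if ($_.Extension -eq '.ocx') { 'ActiveX (IE)' }
                        elseif ($_.Name -like 'NPSWF32*.dll') { 'NPAPI (Firefox/Chrome/Opera)' }
                        else { 'other' }

                # Authenticode check: a real Adobe binary carries a valid Adobe signature.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

                New-Object PSObject -Property @{
                    Kind        = $kind
                    File        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    SigStatus   = $sig.Status
                    Signer      = $signer
                    Modified    = $_.LastWriteTime
                }
            }
    }
}

function Get-FlashProcess {
    # Same question Process Explorer answered in the footnote: which running
    # programs were launched from the Flash directory?
    $dirs = @(Get-FlashDirectory)
    Get-Process | Where-Object {
        # Path is $null (or throws) for processes we are not allowed to inspect.
        $p = try { $_.Path } catch { $null }
        $p -and ($dirs | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path, StartTime
}

# Usage:
Get-FlashInventory | Format-Table Kind, FileVersion, SigStatus, Signer, File -AutoSize
Get-FlashProcess   | Format-Table -AutoSize
```

Compare the FileVersion column against the version Adobe's tester page reports as current, once per Kind, since the ActiveX and NPAPI binaries are updated separately. Two entries of the same Kind with different versions are the leftover old copy the post mentions; a binary whose SigStatus is not Valid, or whose Signer is not Adobe, is not something a genuine Flash update would have installed. The process listing tells you whether the program that displayed a warning window actually came from the Flash directory, which is the one fact the warning itself never shows.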