It may not be possible to fully and completely update the Adobe Flash player when a new version is released.
Let that sink in. I know it sounds ridiculous, but many applications include embedded copies of Flash and these hidden instances of the software are very likely to survive the standard Flash player update procedure unchanged.
Last time, I wrote about a problem with the portable edition of Google's Chrome browser. After removing the Flash player using the "Add or Remove Programs" applet in the Windows XP control panel, and then installing the new version, Chrome continued to use the old version.
This is because Chrome includes its own copy of Flash (gcswf32.dll). Despite the fact that bundling it was a co-operative effort between Adobe and Google, the Adobe security bulletin describing the latest Flash player bug says nothing about updating Chrome to pick up the new version of the Flash player.
And, that's just the appetizer. Adobe's security bulletin omitted some of their own software.
It was only a couple months ago that Flash version 10.1.53.64 was released to fix some critical bug(s). Back on June 4, 2010 Adobe warned:
A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.
The authplay.dll file is a copy of Flash embedded in the Adobe Reader and Acrobat.
During the three week period in June 2010 that Reader and Acrobat contained buggy copies of Flash, we were advised to disable (delete or rename) the authplay.dll file. We've been down this road before. Back in July 2009, Adobe also warned that the authplay.dll file in Adobe Reader and Acrobat 9 was buggy.
Yet, in the security bulletin that Adobe issued on August 10th (the one warning that Flash version 10.1.53.64 was buggy and we should all update to version 10.1.82.76) there was no mention of the authplay.dll file.
Perhaps you read about this latest update to Flash. If so, did the article mention that Reader and Acrobat were vulnerable? Probably not.
Don't take my word for it. Curious folks can get the properties of the authplay.dll* file and go to the Version tab to see for themselves. As I write this, the latest copy of the Adobe Reader (v9.3.3) includes a buggy version of Flash (10.1.53.64).
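The same check can be scripted instead of clicking through the Version tab. The following PowerShell snippet is an added example, not code from the original post: it reads the file version of each embedded Flash DLL named in the post and compares it with the fixed build (10.1.82.76) from the August 10th bulletin. The Reader and Acrobat paths are the ones given in the footnote; the Chrome location, and the optional recursive scan of Program Files, are assumptions added for illustration.

```powershell
# Added example (not from the original post). Reports embedded Flash DLLs and
# whether they are older than the fixed build named in the August 10, 2010 bulletin.

$FixedVersion = New-Object System.Version(10, 1, 82, 76)

# Known locations. Reader/Acrobat paths come from the post's footnote;
# the Chrome path is an assumption (Chrome installs per-user under LOCALAPPDATA).
$KnownPaths = @(
    "$env:ProgramFiles\Adobe\Reader 9.0\Reader\authplay.dll",
    "$env:ProgramFiles\Adobe\Acrobat 9.0\Acrobat\authplay.dll",
    "$env:LOCALAPPDATA\Google\Chrome\Application\gcswf32.dll"   # assumed location
)

function Get-EmbeddedFlashStatus {
    param(
        [string[]]$Paths,
        [System.Version]$Fixed
    )
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Object PSObject -Property @{ Path = $p; FileVersion = $null; Status = 'not present' }
            continue
        }
        # Use the numeric parts of the version resource rather than parsing the
        # FileVersion string, because Flash DLLs report it as "10,1,53,64".
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        $v  = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($v -lt $Fixed) { 'VULNERABLE: older than fixed build' } else { 'ok' }
        New-Object PSObject -Property @{ Path = $p; FileVersion = $v; Status = $status }
    }
}

# 1. Check the known locations.
Get-EmbeddedFlashStatus -Paths $KnownPaths -Fixed $FixedVersion |
    Format-Table Path, FileVersion, Status -AutoSize

# 2. Optional broader sweep (assumption: other bundled copies reuse the same
#    file names). Slow on large disks; errors for unreadable folders are ignored.
$Found = Get-ChildItem -Path $env:ProgramFiles -Recurse -ErrorAction SilentlyContinue `
            -Include authplay.dll, gcswf32.dll |
         Select-Object -ExpandProperty FullName
if ($Found) {
    Get-EmbeddedFlashStatus -Paths $Found -Fixed $FixedVersion |
        Format-Table Path, FileVersion, Status -AutoSize
}
```

Any row reported as VULNERABLE is a copy of Flash that the browser-plugin update did not touch and that needs its host application (Reader, Acrobat, Chrome) updated separately, which is exactly the gap the post describes.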
By the way, the Adobe Reader can display information about included plugins (Help -> About Adobe Plug-Ins), but, it fails to mention Flash (tested with version 9.3.3 under Windows).
Adobe is planning an update to Reader and Acrobat "... during the week of August 16, 2010." However, that update is to fix a problem with integer math in font parsing. The security bulletin says nothing about Flash or authplay.dll.
Update: August 18, 2010. According to an Adobe Product Security Incident Response Team blog posting from August 5th, the upcoming patch to Reader and Acrobat will include a new version of Flash (authplay.dll). The update is scheduled to be released August 19, 2010.
MORE EMBEDDED COPIES OF FLASH
Although the August 10th security bulletin about Flash does not mention the Adobe Reader and/or Acrobat, it does include other affected software: Adobe's AIR, Flash CS5 Professional, Flash CS4 Professional, Flash CS3 Professional, Flex 4 and Flex 3.
My count is now six applications that include hidden/embedded instances of Flash: Google's Chrome, the Adobe Reader v9.x, Adobe Acrobat v9.x, Adobe AIR, Adobe Flash Professional, Adobe Flex.
Version 8 of the Adobe Reader and Acrobat do not seem to include Flash.
I'm a blogger, not a lab, but I doubt that any of these are updated automatically when you follow the standard procedure for updating Flash in a web browser.
I was able to test that my favorite Java applet, Secunia's Online Software Inspector, does not flag the embedded copy of Flash in the Adobe Reader. It gave Reader 9.3.3 a clean bill of health, despite its including a vulnerable copy of Flash.
And, Secunia is well aware of the problem. On August 12th, Carsten Eiram, Chief Security Specialist at Secunia blogged that
It seems to become popular for software vendors to bundle Flash Player in their products. Adobe has been doing it for a while with Adobe Acrobat and Adobe Reader and lately Google also started bundling Flash Player with Chrome. One problem with bundling of Flash Player is that users cannot easily address vulnerabilities simply by installing a new Flash Player version when available, but instead have to wait until a new version of the product bundling Flash Player is released ... Ironically, ... Adobe has still not issued updated versions of Adobe Acrobat and Adobe Reader even though it can hardly come as a surprise to them that an update for Flash Player was issued.
Sometimes I feel like Fred Flintstone. Shouldn't these problems have been fixed by now?
*The "authplay.dll" file is typically found at
C:\Program Files\Adobe\Reader 9.0\Reader\
for the Adobe Reader or
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\