Updating Flash yet again

Yet again, there are critical bug fixes that need to be installed for Adobe's Flash. It never ends.

The prior version of Flash, released all of a month ago, had 11 serious bugs, some of which "... could cause the application to crash and could potentially allow an attacker to take control of the affected system."

For Windows users, Flash is probably the most annoying software to update. Rather than being a stand-alone application, Flash is embedded in other applications. Many other applications. Each with its own update procedure and release schedule.

For example, versions 9 and 10 of the Adobe Reader include Flash and typically their embedded copy is updated well after the copy used by web browsers.

And, speaking of browsers, Internet Explorer, Firefox and Chrome will each use different copies of Flash on a Windows machine. Chrome users typically get the latest version of Flash a few days before it's available for IE and Firefox.

And each application updates itself differently. What a mess.

In terms of software updating, an iPad is far more advanced than Windows. To start with, all iPad applications self-update the same way. Notification of an available update is automatic and non-intrusive. You can even update a group of apps with a single tap on an "Update all" button. I think it's safe to predict that Windows users will never have it that easy.

And it's not just three web browsers and a PDF Reader that Windows users need to be concerned with when Adobe releases a new version of Flash. AIR will need to be updated, if it's installed. So too, Acrobat and AOL Instant Messenger. Developers running Flash Professional CS5, Flash CS4 Professional and Flex 4 are also impacted.

How do you even know which version of Flash is embedded inside AIR and/or AIM? Beats me.

Adobe Acrobat and Reader users can check the properties of the authplay.dll file. Currently, Adobe Reader version 9.4.4 includes Flash version 10.2.159.1 from April 13, 2011. The Adobe announcement of the bugs in this version of Flash made no mention at all of the embedded version in Acrobat and Reader.

When this has come up previously, the suggestion has been to rename the authplay.dll file to disable the vulnerable copy of Flash inside the Adobe Reader and Acrobat. Probably a good idea.

ONE APPROACH

Here's how I handle Flash maintenance.

I simplify things by not using the Adobe Reader. There are many reasons for this (see "Seven reasons to use an alternate PDF viewer in Windows") and one of them is to avoid yet another embedded copy of Flash.

Another simplification comes from avoiding Internet Explorer. Here again, I avoid IE for a number of reasons, eliminating its ActiveX copy of Flash being one of them.

AIR, like Java, should not be installed without a pressing need for an application that requires it. Few do.

Google's Chrome browser does not need any simplifying; it does a great job of keeping both itself and its embedded copy of Flash up to date. In fact, a case can be made that non-techies should use Chrome for this reason alone.

I think of it as a car that never needs gas. Just run the browser and it self-updates; no fuss, no muss. It even updates itself when logged on as a restricted user without a password prompt.

To verify that Chrome is up to date, click the wrench, then About Google Chrome. The current version is 11.0.696.68 and it includes Flash version 10.3.181.14. The prior version of Chrome was 11.0.696.65 and it included Flash 10.2.154.28. Before that, Chrome version 11.0.696.60 included Flash version 10.2.154.27.

The copy of Flash used by Firefox needs to be manually updated. There are a number of different approaches and the one that is often recommended, visiting the Flash Download Center, should be avoided. It's much more complicated than necessary.

I start by un-installing the old copy of the Flash Player plugin via the Windows control panel. If anything goes wrong here, Adobe has a program that you can download to un-install old versions of Flash.

Then, running Firefox, I visit Adobe's Flash Tester page (my term, not theirs), the page that reports the version of Flash used by the browser. Firefox prompts to install the missing Flash Player and in a couple clicks, all is done. A normally installed instance of Firefox can share a single copy of Flash with portable versions.

But who can remember www.adobe.com/software/flash/about/? Not me. So I created flashtester.org mainly to provide an easy to remember name for the Adobe page that is needed so often.

EXTRA DEFENSIVE STEPS    

This being a Defensive Computing blog, there are a couple extra points to be made.

When it comes to Flash, Chrome is ambidextrous. That is, it can use either its own embedded copy of Flash, or, the "plugin" version used by Firefox and Opera.

It defaults to using the copy it ships with. Nonetheless, since Google has done such a great job of keeping the embedded copy of Flash updated, I prefer to configure Chrome to always use Google's version of Flash and never use the Firefox plug-in version.

To do this, enter "about:plugins" (no quotes) in the Chrome address bar (my term, not theirs).  Then, click on the word "details" that's all by itself on the far right side of the resulting web page. As shown below, this will display information about each available copy of Flash.

[Image: chrom_flash_config.jpg]

Adobe stores the Firefox version of Flash in different locations on different versions of Windows. However, it should be somewhere under C:\Windows and the file name is NPSWF32.dll. Chrome's copy of Flash is gcswf32.dll.
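
An added example, not from the original post or from Adobe: a PowerShell function that looks for the three Flash file names this post mentions (authplay.dll, NPSWF32.dll, gcswf32.dll) and reports the file version of every copy it finds. The search roots and the comparison against 10.3.181.14 (the Flash version the post reports for Chrome 11.0.696.68) are assumptions; the IE ActiveX copy is not covered because the post does not name its file.

```powershell
# Added example: inventory the Flash binaries named in the post.
# Assumptions: the default search roots and the minimum version are
# illustrative; adjust both for the machine being checked.
function Get-FlashInventory {
    param(
        [string[]]$Roots = @($env:windir, $env:ProgramFiles,
                             ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
        [string[]]$Names = @('NPSWF32.dll', 'gcswf32.dll', 'authplay.dll'),
        [version]$Minimum = '10.3.181.14'
    )

    # Skip roots that are unset (e.g. no x86 folder on 32-bit Windows).
    $existing = $Roots | Where-Object { $_ -and (Test-Path $_) } |
        Select-Object -Unique

    foreach ($root in $existing) {
        # Unreadable folders are skipped rather than aborting the scan.
        Get-ChildItem -Path $root -Recurse -File -Filter '*.dll' `
                      -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            ForEach-Object {
                # Build the version from numeric parts; the string form
                # of FileVersion is not consistently formatted.
                $vi  = $_.VersionInfo
                $ver = New-Object System.Version -ArgumentList `
                    $vi.FileMajorPart, $vi.FileMinorPart,
                    $vi.FileBuildPart, $vi.FilePrivatePart

                [pscustomobject]@{
                    File     = $_.Name
                    Version  = $ver
                    Outdated = ($ver -lt $Minimum)
                    Modified = $_.LastWriteTime
                    Path     = $_.FullName
                }
            }
    }
}

Get-FlashInventory | Sort-Object File, Version | Format-Table -AutoSize
```

A copy of authplay.dll that was renamed to disable it will not match the default names; pass the new name through `-Names` to confirm it is still the only copy present.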

Another defensive step regarding Flash is not to believe what you are told.

The latest version introduced a pop-up notification for Mac users when Flash needs updating. This brings Macs up to par with Windows, or so the rest of the tech press will have you believe.

The fact is, this pop-up warning is sometimes wrong. And, it's incomplete. The statement that Flash needs to be updated begs the question: which copies? There is no inventory of all the copies of Flash on a Windows machine. Is it checking the IE ActiveX copy? The Flash plug-in copy? The copy in Chrome? The copy in Reader?  

Worse still, bad guys may spoof this warning and trick the unwary into installing malicious software. There is no way for non-techies to easily verify the source of the pop-up window (techies can use Process Explorer).

For web browsers, the best way to see if Flash needs updating is to visit Adobe's Flash tester page (or flashtester.org) with every installed browser.

Dealing with the other programs that include embedded copies of Flash reminds me of a Marx Brothers movie.
