Even for a Defensive Computing guy, the topic of the latest and greatest version of Adobe's Flash player plugin is pretty boring. I thought I'd left it in the rear view mirror.
My previous suggestion here was simple: Windows users should restrict themselves to using Flash in Chrome and get on with the rest of their lives. Tracking and upgrading Flash in Firefox/Opera and Internet Explorer was too time consuming and error prone.
Since I wrote that, Flash has learned how to update itself in Firefox. But that code is new and thus has to be considered suspect. I have already seen it crash on a couple of Windows XP machines. Also, it phones home very frequently and every time Firefox finds a page that needs Flash, it wants to install an old version of the plugin.
So, I was more than happy never to write about Flash again. Sadly, the topic is now begging for someone to pull it all together.
First off, anyone using an iOS device (iPhone, iPad) can go read another blog; there is no Flash for you. This used to be considered a bad thing. Now, that's not so clear.
AUGUST 14th RELEASE
Yesterday was a big day for the Flash player: a new version was released that fixed a security bug. In the security bulletin detailing the problem (APSB12-18), Adobe said:
- Windows and Macintosh users running version 11.3.300.270 or earlier, should upgrade to 11.3.300.271
- Likewise, Chrome users on OS X and Windows, running version 11.3.300.270 and earlier should also upgrade to version 11.3.300.271
- Linux users on version 11.2.202.236 and earlier should upgrade to version 11.2.202.238
But, it seems that the left hand at Adobe doesn't know what the right hand is doing. Adobe has a Flash tester page (my term, not theirs) at adobe.com/software/flash/about/ (see below).
There, it says that for Chrome users on Windows and OS X the latest version of Flash is 11.3.300.265 (older than the security bulletin). Likewise, it seems back dated for Linux users of Chrome, stating that version 11.2.202.236 is the latest and greatest. As I write this, it's more than a day after the new version of Flash was released.
Brian Krebs covers this stuff too; it was on his blog that I first learned of the Flash player upgrade. He wrote that "Chrome users want to be at v. 11.3.330.270." If you're keeping score at home, that's three different reports on the latest version of Flash for Chrome.
And, they are: wrong, wrong and wrong again.
My guess is that Krebs made a typo, and that he meant to write 11.3.300.270. Too many zeros and threes.
As for the Adobe tester page, my guess is that Adobe is a big bureaucracy and something fell through the cracks, so that the page was not updated.
As for the Adobe security bulletin being wrong, my guess is that Adobe and Google crossed wires.
PEPPER FLASH
Krebs noticed something he couldn't explain; his copy of Chrome was at version 11.3.31.225. This is a big difference, as the third number is 31 rather than 300. Had he looked at my flashtester.org site, he would have seen that the last few versions were all in the 300 family.
Krebs blamed this on his copy of Chrome being "sluggish" to self-update. His Chrome is indeed slow on the uptake, but that's not why his Flash is in the 31 family rather than the 300 family.
On three Windows machines that I checked, each with the latest edition of Chrome (v21.0.1180.79), the version of Flash was 11.3.31.227.
This is the right answer.
What Adobe and Krebs missed is the fact that Chrome changed on July 31, 2012. Google explained this in an August 8th blog, The road to safer, more stable, and flashier Flash.
Chrome used to communicate with its embedded copy of the Flash player using an interface called NPAPI. But that was an old interface and, over time, it got in the way of change. Justin Schuh of Google wrote:
Unfortunately, as the web evolved, the past benefits of NPAPI became liabilities ... it hamstrung future improvements. As browsers add compelling features like sandboxing, GPU acceleration, and a multi-process architecture, the legacy of NPAPI severely impedes or outright prevents us from extending those improvements to any pages with plug-in content.
It took Google over two years to migrate to a new interface, the Pepper Plugin API (PPAPI) which, among other things, is better sandboxed.
So, it seems that Flash player versions 11.3.300.x are the older NPAPI editions, while versions starting with 11.3.31.x use the newer PPAPI interface.
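To make the two-family point concrete, here is an added example (not code from Adobe, Google or Krebs) that checks a reported Flash version against the baseline for its own family instead of a single "latest" number. The family rule (third component 300 means NPAPI, 31 means PPAPI) and both baselines are assumptions taken from the versions quoted in this article.

```python
# Added example: families and baselines come from the versions quoted in the article.
BASELINES = {
    "NPAPI": (11, 3, 300, 271),  # fixed version named in APSB12-18 (Windows/Mac)
    "PPAPI": (11, 3, 31, 227),   # Pepper Flash seen in Chrome 21.0.1180.79 on Windows
}
# Assumption from the article: the third component identifies the plugin interface.
FAMILY_BY_BUILD = {300: "NPAPI", 31: "PPAPI"}


def parse_version(text):
    """Accept the dotted form '11.3.31.227' or the comma form '11,3,31,115'."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def family(version):
    """Return 'NPAPI', 'PPAPI', or None for anything outside the 11.3 families."""
    if version[:2] != (11, 3):
        return None
    return FAMILY_BY_BUILD.get(version[2])


def check(text):
    """Return (family, status); status is 'current', 'outdated' or 'unknown'."""
    version = parse_version(text)
    fam = family(version)
    if fam is None:
        return (None, "unknown")
    status = "current" if version >= BASELINES[fam] else "outdated"
    return (fam, status)


def naive_check(text):
    """The mistake: one baseline for every build, compared number by number."""
    version = parse_version(text)
    return "current" if version >= BASELINES["NPAPI"] else "outdated"


if __name__ == "__main__":
    # Version strings quoted in the article, including the 11.3.330.270 typo.
    for sample in ["11.3.31.227", "11.3.31.225", "11.3.300.270",
                   "11,3,31,115", "11.3.330.270", "11.2.202.236"]:
        print(sample, check(sample), "naive:", naive_check(sample))
```

The single-baseline comparison calls the up-to-date Pepper build outdated (31 is less than 300) and accepts the mistyped 11.3.330.270 as current, while the per-family check reports the first as current and the second as unknown.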
Chromebook and Chromebox users have been using PPAPI for almost a year. On Linux, Chrome version 20 was the first to use PPAPI. Google expects to change over soon on OS X.
Chrome 21 on Windows ships with both a PPAPI and NPAPI version of the Flash player plugin, but the PPAPI version is used by default. Google refers to it as Pepper Flash.
You can see both versions of the Flash plugin by entering "about:plugins" on the Chrome browser address bar. Then click on "Details" on the far right side of the Plug-ins page.
On Windows 7, Pepper Flash is located at
C:\Users\<userid>\AppData\Local\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll
while the NPAPI edition is at
C:\Users\<userid>\AppData\Local\Google\Chrome\Application\21.0.1180.79\gcswf32.dll
Don't be confused by the name "Shockwave Flash" on the Chrome Plug-ins page. That's just there to confuse people. It's Flash, not Shockwave.
Windows users can now get an ActiveX version of Flash for Internet Explorer, an NPAPI/plugin version for Firefox and Opera, an NPAPI version for Chrome and a PPAPI version for Chrome. Four, count 'em four copies of Flash. Not to mention copies that may be embedded in other software from Adobe. You can't make this stuff up.
As for other operating systems, the Chrome browser running on Chrome OS (i.e. on a Chromebook) is currently using Flash version 11,3,31,115.
Adobe also said yesterday that "Adobe Flash Player for Android is not affected by the vulnerability addressed in this update," so there was no new version of Flash for Android. Not that that matters to Chrome users on Android 4.0, as that browser doesn't support Flash at all.
Finally, Google also announced yesterday (see Beta Channel Update for Chrome OS) that Flash version 11.3.31.227 was part of the Beta version of Chrome. Beta? Beta??
As I said at the outset, I never wanted to blog about Flash again.
Update August 18, 2012: Brian Krebs has since updated his article. So too, Adobe has revised their security bulletin, but it is now inconsistent. On the one hand it says that the "Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79." This is true. But at the very bottom it says that Chrome users should be on 11.3.300.271 which is not true on Windows.
The Adobe tester page is still wrong when it comes to Chrome. On Windows, not only has it not been upgraded to reflect the Pepper Flash version, it is not even current for the NPAPI edition. On OS X, where there is no Pepper Flash yet, it is also reporting an old version as being current. Specifically, it says "11.3.300.265" is the latest when the right answer is 11.3.300.271.