Category Archives: Flash

Flash 14.0.0.145 fixes more security vulnerabilities

These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.

The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.

As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.

Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.

Flash 14.0.0.125 fixes security issues

Another new version of Flash was released today. Version 14.0.0.125 closes six security vulnerabilities found in previous versions.

If Flash is enabled in your web browser, you should update it as soon as possible.

As usual, the embedded Flash in Internet Explorer on Windows 8.x is updated via Windows Update, while the embedded Flash in Chrome will update itself automatically.

Stop Firefox from showing embedded media automatically

My browser of choice these days is Firefox, despite its recent problems with bloat, performance and the user interface.

I recently made a change to the way Firefox handles embedded content like Java, Flash, Shockwave and Silverlight. By default, Firefox displays embedded media automatically; when you visit a web page that contains embedded media, it plays immediately after loading.

To change this behaviour, do the following:

  1. Go to the Firefox Add-ons page. How you do this depends on the version of Firefox, but one method that always works is to enter ‘about:addons’ in the address bar.
  2. In the menu on the left, click ‘Plugins’.
  3. To the right of each listed plugin, there’s a button. Clicking that button drops down a list with these options: ‘Ask to Activate’, ‘Always Activate’ and ‘Never Activate’.
  4. Change the activation setting for each plugin. ‘Never Activate’ disables a plugin completely. ‘Always Activate’ means that the associated media will run without any user intervention (the default behaviour). ‘Ask to Activate’ will prompt the user before playing the associated media. I set the following plugins to ‘Ask to Activate’: all Java plugins, all Flash plugins, all Shockwave plugins, and all Silverlight plugins.

Once you’ve made these changes, visiting a web page that includes embedded media shows grey blocks where the media would normally appear. A link appears in the middle of each block: ‘Activate Adobe Flash’, ‘Activate Java’, etc. Clicking the ‘Activate’ link pops up a small dialog that allows you to activate the media this time only, or permanently for that particular web site.

This has several benefits:

  • Malicious code in Java, Flash and other media files no longer runs automatically when I visit sites that use them. This makes web surfing much safer.
  • Pages that contain embedded media load faster. If I decide that I want to actually watch some embedded media on a site, I only have to click the ‘Activate’ link.
  • I can now see exactly what kind of media is embedded on a web page, which is especially useful for determining the relative popularity of different kinds of media.

Adobe Shockwave is also a target

Another increasingly popular target for malicious hackers is Adobe Shockwave. But what is Shockwave, and how does it related to Adobe Flash?

Like Flash, Shockwave is a media platform, and Shockwave media is most commonly found on the web. The two platforms do many of the same things, but the software for creating Shockwave media is both more powerful and more expensive. Flash media is much more common.

In any case, since Shockwave is a target, and since the Shockwave player is commonly installed on the computers of regular users (usually in the form of a browser plugin), I’m adding it to the Software Versions page on this web site.

Update 2014May22: Now comes word that Shockwave contains a version of the Flash player that is over a year out of date. None of the security updates and features added to Flash in the past fifteen months are present in Shockwave’s bundled Flash. Because of this, we recommend disabling Shockwave in your web browser immediately.

Adobe Patch Tuesday for May 2014

Adobe has settled into a routine of publishing updates for its software on the second Tuesday on each month, in line with Microsoft’s practices. Today Adobe announced updates for Flash and Reader/Acrobat.

Both the Flash bulletin and the Reader/Acrobat bulletin are a bit light on details, saying only that the updates address critical vulnerabilities in the software.

The release notes for the new version (13.0.0.214) of Flash go into more details, although most of the information is about new features.

As usual, Google Chrome and Internet Explorer on Windows 8.x will be updated automatically and via Windows Update, respectively.

Adobe releases Flash 13.0.0.206

A new version of Flash, announced earlier today, addresses several security vulnerabilities, one of which (CVE-2014-0515) is being actively exploited on the Internet.

As with most Flash vulnerabilities, Adobe says that the ones addressed in this update “could potentially allow an attacker to take control of the affected system.”

The security bulletin associated with this update provides additional details regarding the security fixes.

Google Chrome will auto-update with the new version of embedded Flash, and Internet Explorer on Windows 8.x will receive Flash updates via Windows Update.

Anyone using Flash in a web browser should install the new version of Flash as soon as possible.