Category Archives: Flash

New version of Google Chrome

Another new version of Google’s web browser was announced today. Version 25.0.1364.152 includes fixes for several security vulnerabilities.

Since Flash isn’t mentioned in the release notes, presumably the version of Flash included in the new version is still 11.6.602.171. Let’s see… okay, I just updated Chrome to 25.0.1364.152, and the integrated Flash is definitely still 11.6.602.171.

Google Chrome, Flash, and ‘component updater’

A few days ago, I posed a series of questions about Flash in Chrome. Since then, I’ve done some digging, and I’m now able to answer most of those questions.

  1. Q: What is the ‘component updater’?
    A: It’s a process used by Chrome to silently and automatically update certain specific components of the browser. The new, integrated Flash component falls into that category, so Flash in Chrome is updated automatically and without any notification to the user. When new versions of Chrome are released, Google may or may not refer to Flash updates in the release notes.
  2. Q: How does the component updater affect the version number of Chrome in Windows?
    A: It doesn’t. Component updates are distinct from new versions of the browser itself. You can, however, find the versions of Chrome’s components by browsing to special addresses in Chrome, as follows:

    • chrome://plugins/ – lists all plugins, along with their versions, including the integrated Flash.
    • chrome://flash/ – shows details of the integrated Flash component, including its version.
    • chrome://version/ – shows a version summary for Chrome and its major components, including the integrated Flash.
  3. Q: Has Flash been updated in my version of Chrome or not?
    A: You can’t depend on Google to announce new versions of the integrated Flash, regardless of whether the new version is packaged along with a new version of Chrome, or updated separately via the component updater. Use one of the special URLs listed above to check the version you’re using.
  4. Q: How can I determine what version of Flash is running in Chrome?
    A: Use one of the special URLs listed above.
  5. Q: What is “Windows Standalone Enterprise”?
    A: This remains a mystery. The Chrome release channels page doesn’t mention it. Perhaps it’s only available to enterprise (corporate) clients. Or possibly the Chrome announcement that referred to this channel was in error. In any case, you can’t really depend on Google’s announcements to mention new Flash versions; use one of the special URLs above, along with Flash announcements from Adobe, to determine what version of Flash you have, and what version you need.

More security updates for Adobe Flash

On February 26, Adobe announced version 11.6.602.171 of the Flash player. As usual, Adobe says: “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” The technical details are available in Adobe Security Bulletin APSB13-08.

Microsoft simultaneously announced a Flash update for Internet Explorer 10 on Windows 8, which will be delivered via Windows Update.

Google will no doubt release a new version of Chrome that includes the Flash updates in the next day or so.

Anyone who uses Flash in their web browser should install the appropriate update as soon as possible. That includes anyone who uses YouTube. So basically just about everyone.

New version of Chrome

Version 24.0.1312.70 of Google’s web browser contains the latest version of Adobe Flash.

Update: Something funny going on here. The announcement linked above states that version 24.0.1312.70 is actually for the Linux platform. It goes on to say: “This release contains an update to Flash (11.6.602.167). This Flash update has been pushed to Windows, Mac, and Chrome Frame platforms through component updater.”

But what is the ‘component updater’, and how will it affect the version number of Chrome in Windows? There’s nothing on the Chrome support site about it. My own Chrome installation reports itself as being up to date at version 24.0.1312.57. Has Flash been updated in my installation or not? How can I determine what version of Flash is running in Chrome? Comments below the announcement linked above show other users similarly confused.

Meanwhile, another new version was announced on Feb 14: “The Stable channel has been updated to 24.0.1312.71 for Windows Standalone Enterprise. This build contains an updated Flash (11.6.602.167).” That version at least seems to be targeted at Windows, but what is “Windows Standalone Enterprise”? It contains the same version of Flash as 24.0.1312.70, but again my version of Chrome reports that it is up to date at 24.0.1312.57. Not much we can do at this point except wait for Google to sort out this mess.

Flash player update fixes serious security issues

Yesterday, Adobe announced an update for Flash that fixes specific security issues that are currently being exploited on the web.

Anyone who uses Flash should install the update as soon as possible.

The new version for Windows XP, Vista and 7 is 11.5.502.149. The new version for Windows 8 (available as an update from Microsoft) is 11.3.379.14.

Ars Technica has additional details.

Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notoriously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Adobe announces patches for Reader and Flash

As expected, Adobe has released new versions of its Acrobat/Reader software to coincide with Microsoft’s Patch Tuesday for January 2013. Adobe also announced new versions of Flash today.

An Adobe Reader bulletin identifies new versions for the 9, 10 and 11 series of Reader software as 9.5.3, 10.1.5, and 11.0.1 respectively. Anyone who uses Adobe Acrobat/Reader software is strongly encouraged to install the appropriate new version. As usual, the new versions address security and crashing issues.

A Flash bulletin identifies the new version of Flash as 11.5.502.146. This version is for all web browsers except Chrome and Internet Explorer 10, which now use embedded Flash code. The most recent version of Flash in Google Chrome at this time is 11.5.31.137. The most recent version in Internet Explorer 10 is 11.3.378.5. As usual, the new versions address security and crashing issues.
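
The three Flash version lines named above (standalone plugin, Chrome, Internet Explorer 10) are numbered independently, so an installation has to be checked against the baseline for its own channel. The following Python sketch is an added example, not code from the original post; the channel labels and the inventory records are constructed for illustration, and the baseline versions are the ones quoted above.

```python
# Added example: per-channel Flash baseline check.
# Baselines are the versions quoted in the post above; the channel labels
# ("plugin", "chrome", "ie10") and the inventory records are constructed.

BASELINES = {
    "plugin": "11.5.502.146",  # standalone plugin used by other browsers
    "chrome": "11.5.31.137",   # Flash embedded in Google Chrome
    "ie10": "11.3.378.5",      # Flash embedded in Internet Explorer 10
}


def parse_version(text):
    """Turn '11.5.502.146' into (11, 5, 502, 146) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def check(channel, installed):
    """Return 'ok', 'outdated' or 'unknown-channel' for one installation."""
    baseline = BASELINES.get(channel)
    if baseline is None:
        return "unknown-channel"
    if parse_version(installed) >= parse_version(baseline):
        return "ok"
    return "outdated"


def audit(records):
    """Annotate (host, channel, version) records with a status."""
    return [(h, c, v, check(c, v)) for h, c, v in records]


# Constructed inventory: the version string as read from chrome://version/
# (or the plugin manager of another browser) on each machine.
SAMPLE_INVENTORY = [
    ("pc-01", "chrome", "11.5.31.137"),
    ("pc-02", "plugin", "11.5.502.135"),
    ("pc-03", "ie10", "11.3.378.5"),
    ("pc-04", "opera-embedded", "11.5.502.146"),
]

if __name__ == "__main__":
    for host, channel, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {channel:15} {version:14} {status}")
```

Checking Chrome's embedded 11.5.31.137 against the standalone plugin's baseline would wrongly report it as outdated, which is why the lookup is keyed by channel.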