Category Archives: Flash

Flash 21.0.0.197

According to the announcement, the latest version of Flash – released on March 23 – fixes a specific bug that was causing problems for some Flash games.

A review of the release notes seems to show that Flash 21.0.0.197 doesn’t contain any security fixes, so this isn’t an urgent update. Unless of course you’re having trouble running Flash games in your browser.

The announcement for 21.0.0.197 contains at least one error: it shows the new PPAPI version of Flash, used in Chrome, Opera, and other Chromium-based browsers, as 21.0.0.286. My own tests, as well as the official release notes, show that the new PPAPI version is actually 21.0.0.197. I reported the discrepancy to the author.

There is no new version of Flash for Internet Explorer and Edge on Windows 8.x and 10; the latest is Flash 21.0.0.182.

As usual, Chrome will update itself with the new version of Flash.

Emergency update for Flash

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Patch Tuesday for February 2016

Thirteen security updates from Microsoft this month address over forty issues in Windows, Internet Explorer, Edge, Office, server software and .NET. Six are flagged as Critical.

In keeping with their recent practice of tagging along with Microsoft, Adobe also just released several updates, most notably for Flash. The latest version of Flash is now 20.0.0.306. As usual, Internet Explorer on Windows 8.1 and 10 and Edge on Windows 10 will get their new Flash via Windows Update, and Chrome will update itself with the latest Flash. The associated security bulletin gets into all the technical details. A total of 22 vulnerabilities are addressed in the new version.

More Flash updates

The latest version of Flash is 20.0.0.286, for most browsers. Microsoft Edge and Internet Explorer on newer versions of Windows are apparently still stuck at Flash 20.0.0.272.

Sadly, the information on the Adobe site related to these updates is inconsistent, confusing, or just missing.

The About Flash page doesn’t seem to agree with the announcement page. The former shows “Internet Explorer (embedded – Windows 8.x) – ActiveX 20.0.0.286”, while the latter shows “Flash Player 20 for Internet Explorer on Windows 8.1: 20.0.0.272”.

The Flash runtime announcement says “Security update details can be found here: Security Bulletin (APSB16-01)”. But the APSB16-01 bulletin is for the previous Flash updates. The linked URL is also wrong; it points to an even older bulletin: APSB15-32. And to top it off, the security bulletin that should exist (APSB16-02) for this update currently generates an error.

Hopefully Adobe will fix this mess ASAP.

Meanwhile, although the announcement doesn’t mention any security fixes in the new versions, it’s safe to assume they exist, so you should update Flash in any browser where it’s enabled.

As usual, Internet Explorer on new versions of Windows will receive these updates via Windows Update, and Chrome will get its new Flash automatically.

Update 2016Feb02: I reported the announcement and bulletin problems (noted above) to the author of the announcement. He replied that the About page would be fixed, and that he had fixed the link to the bulletin on the announcement page. Unfortunately, that link now goes to the bulletin for the previous Flash release. The author claims that bulletin still applies, but it really doesn’t, since it recommends the previous version of Flash.

Update 2016Feb04: According to the author of the announcement, there were effectively no changes in this Flash update. Certainly there were no security fixes. A link to the previous security bulletin was included simply because it was the most recent bulletin. The link text will be changed to make this more clear.

Flash 20.0.0.267 fixes numerous security issues

There’s a holiday present from Adobe in the form of yet another new version of Flash. This one fixes at least nineteen security vulnerabilities – including one that is currently being exploited on the web – as well as a few other bugs. There are additional details in the release notes.

As usual, Chrome and Internet Explorer will get the new version via their own update mechanisms.

If you use Flash in a web browser, push that plate of turkey leftovers to the side and install the new Flash ASAP.

Update 2016Jan02: On January 1, Adobe released another version of Flash, this time just for the ActiveX version used in older versions of Internet Explorer on Windows 7 and earlier. According to the updated release notes, Flash 20.0.0.270 includes one change: “Fixed loading problem with Flash Player in embedded applications”.

Firefox 43.0.1

A single minor change seems to be the only reason for the Firefox 43.0.1 release yesterday. The release notes describe the change as preparation “to use SHA-256 signing certificate for Windows builds”. This does not appear to be a security-related change, so there’s no hurry to update.

Mozilla has improved the look of Firefox’s release notes pages, but there has been no functional improvement. For instance, while there is a link to the ‘complete list of changes’, that link goes to the Bugzilla bug tracking system, which is not easy to parse for non-technical users. Worse, it shows all changes in Firefox 43, not just 43.0.1, and there’s no way to search for changes to 43.0.1 only.

As usual, there was no proper release announcement for this version. There wasn’t even a vaguely-corresponding post on the Mozilla blog.

On my test computer, when the Firefox 43.0.1 update finished installing, Firefox displayed a web page with a brief video and an underlying announcement, about Firefox 43’s new privacy features, and ‘new’ Pocket integration. Which seems weird, because Pocket integration was also announced for Firefox 38.0.5 in June.

In other Firefox-related news, Mozilla recently pointed to an announcement from Netflix in a blog post titled ‘Firefox Users Can Now Watch Netflix HTML5 Video on Windows’. This is an important change, because it’s no longer necessary for Firefox users to install and use Flash to watch Netflix content.

Adobe’s plans for Flash

Adobe’s plans to phase out Flash continue. Early in 2016, the software used to create Flash video will be renamed from Flash Professional to Adobe Animate CC. The new software will still be able to produce Flash videos, but it will focus more on HTML5 video.

The ubiquitous and notoriously insecure Flash player – the one that lets you play Flash video in your browser – will continue to be developed and supported by Adobe for at least the next five (and maybe ten) years. But Adobe is making it easier for video producers to move away from Flash and toward HTML5.

Meanwhile, Google has announced that they will start blocking Flash-based advertisements, which should provide the necessary motivation for advertisers to move away from Flash.

Patch Tuesday for December 2015

Another month, another pile o’ patches from Microsoft and Adobe. This month Microsoft is pushing out twelve updates, affecting 71 vulnerabilities in Windows, Internet Explorer, Edge, Office, .NET and Silverlight. Eight of the updates are flagged as Critical.

Microsoft has also published a few security advisories since the last monthly update.

Adobe’s chimed in this month with a new Flash (aside: how weird would it be if they didn’t?). The new version addresses at least 78 security vulnerabilities in the veritable piece of Swiss cheese we know as the Flash player. The new version is designated 20.0.0.228 on most platforms, but the version designed for use in Firefox and Safari on Windows and Mac is 20.0.0.235.

Patch Tuesday for November 2015

It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.

The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.

Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.

Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.