A heads-up on the Adobe Flash player

You may need to upgrade to the latest version of the Flash player. If so, this posting details the safest way to do so.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


The free Flash player from Adobe is one of the most popular pieces of software on the planet. It's a web browser add-on that runs in Windows, Mac OS X and assorted versions of Linux and Unix. A large percentage of web pages include Flash-based content. It's all but guaranteed to be installed on the computer you are reading this on.

There are a few things you need to know about it.

The current version of the Flash player is 9.0.115.0. Older versions suffer from critical security problems, so if you are not using version 9.0.115.0 you need to upgrade. You can see which version of the Flash player your web browser is using at Adobe's Flash tester page (my terminology). You need to run this test in every web browser installed on your computer because they might be using different versions of the Flash player.

Screenshot from www.adobe.com/products/flashplayer/

Uninstall First

Before installing a new version of Flash you should uninstall the old version(s). I say this both because removing software with known security bugs is a good thing in general and because Adobe recommends it in one of their TechNotes which says "Before you install Flash Player for any Windows browser, uninstall all previous versions" (see Troubleshoot Adobe Flash Player installation for Windows).

Over the years, the Flash installer has not un-installed old versions. Thus, there may be a slew of old, buggy copies of the Flash player on your computer.

Although the Flash player appears in the list of installed software in the Windows Control Panel "Add or Remove Programs" list, removing it from there doesn't always work. And, it may not tell you that it didn't work.

Update. January 30, 2008: According to Adobe, removing the Flash player via the Windows Control Panel should be the first approach. This will work for recent versions of the Flash player, but not for older versions. If your browser(s) continue to use an old version of Flash after removing it via the Control Panel, then try the un-installer.

Update. February 4, 2008: On a Windows XP machine running IE7, I was not able to remove the Adobe Flash Player 9 ActiveX using the Add/Remove Programs applet in the Control Panel. Clicking the button did nothing. The computer was using Flash version 9,0,45,0 which is fairly recent. The downloadable Flash uninstaller, dated December 3, 2007 did remove the Flash player.

The official way to remove the Flash player is with an un-installer program that you can download from Adobe. Another one of their TechNotes says "Due to recent enhancements to the Adobe Flash Player installers, you can now remove the player only by using the Adobe Flash Player uninstaller."

How would someone know this? It seems a techie has to tell you. One just did.

No one told Ian "Gizmo" Richards, the man behind the Support Alert newsletter. The just-released January 24th edition warned about the Flash security problems and the need to upgrade to version 9.0.115.0, but it didn't mention Adobe's Flash Player un-installer program. This is not a criticism of Mr. Richards; to my mind, Adobe hasn't done enough to publicize either the non-standard uninstall process or the need to upgrade to version 9.0.115.0 in the first place.

For example, a search on CNET's own news.com for "flash player" turns up my previous blogs, but nothing in the news section about the need to upgrade the Flash player. Lockergnome also doesn't seem to have mentioned this. Neither did Good Morning Silicon Valley or InfoWorld. ComputerWorld mentioned the need to upgrade, but said nothing about un-installing old versions. Brian Krebs at WashingtonPost.com mentioned both the needed upgrade and the un-installer, but only mentioned the un-installer in passing.

On top of this, the Adobe Flash player un-installer is incomplete. I documented two instances where the Adobe uninstaller left behind an old buggy copy of the Flash player (see Problems updating the Flash player in Firefox? Here's Help). I first reported this to Adobe roughly a month ago. Since then, they have not released a new version of their un-installer. The latest version, with these two problems, is dated December 3, 2007.

Adobe is hurting their reputation by failing to reliably un-install their own software. Since they are not helping you, you need to help yourself.

Secunia Software Inspector

One way to get an inventory of old copies of the Flash player that may still be floating around your computer is the online Secunia Software Inspector.*

This free service from Secunia runs as a Java applet and scans your computer looking for software (not just Flash) with known security vulnerabilities. By default, it only checks software installed in the standard or official location. In response to a communication from me, Secunia recently changed their search pattern for the Flash player and they are now more likely to find all live copies. Still, to get a full accounting, I suggest running a "thorough system inspection" - it's a checkbox under the blue Start button. This looks for software in "non-default locations". To me, if you're going to run a scan for insecure software at all, you might as well do the most thorough scan possible.

The downside to the Secunia Software Inspector is the need for Java, another web browser add-on. Not only does your computer need to have Java installed (many don't), Secunia also requires a recent version (1.5.0_12 or later). At my javatester.org website you can check whether Java is installed on your computer and which version you have. Java is like Flash in that different browsers on the same computer can be using different versions. Thus you need to test the Java version in all of your web browsers.

If dealing with Java is too much for you, Secunia has a similar program, their Personal Software Inspector, that you can download and install. It runs on Windows XP, Vista, 2000 and 2003.

The Flash player is just a file. In Windows, it may be a DLL file or it may be an OCX file. The file names have changed many times. Old versions that Secunia finds can be removed simply by deleting the file that Secunia identifies.
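Because the file names have changed so often, a local inventory is more reliable when it keys on each file's version resource rather than its name. The PowerShell script below is an added example, not part of the original posting and not Adobe's or Secunia's code; the search folders, the `ConvertTo-FlashVersion` helper name, and the assumption that Flash binaries carry "Flash" in their ProductName or FileDescription are all illustrative.

```powershell
# Added example: inventory Flash player binaries by version resource, not file name.
# Assumptions (not from the article): the folders in $Roots, and that Flash
# binaries identify themselves with "Flash" in ProductName or FileDescription.
param(
    [string[]]$Roots   = @($env:windir, $env:ProgramFiles),
    [string]  $Current = '9.0.115.0'   # current version named in the article
)

# Hypothetical helper: version resources may use commas ("9,0,45,0")
# or dots ("9.0.45.0"); normalize both to a comparable [version].
function ConvertTo-FlashVersion {
    param([string]$Text)
    if ($Text -match '(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)') {
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null   # no four-part version found in the resource
}

$minimum = [version]$Current

Get-ChildItem -Path $Roots -Recurse -File -Include *.dll, *.ocx -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = $_.VersionInfo
        # Skip anything whose version resource does not mention Flash.
        if ("$($info.ProductName) $($info.FileDescription)" -notmatch 'Flash') { return }

        $ver = ConvertTo-FlashVersion $info.FileVersion
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $ver
            Status  = if (-not $ver)             { 'UNKNOWN'  }
                      elseif ($ver -lt $minimum) { 'OUTDATED' }
                      else                       { 'OK'       }
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Pass extra folders through `-Roots` to cover non-default locations, and treat any row marked OUTDATED or UNKNOWN as a file to review before deleting.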

After removing the old versions, verify that each of your web browsers is no longer using Flash at Adobe's flash tester page. Internet Explorer should offer to install the ActiveX version of Flash when it finds it missing. Firefox will offer links to the plug-in version of Flash. In both cases the installation process is pretty standard.

If this doesn't work (which has happened to me a few times) you can download Flash at www.adobe.com/go/getflashplayer. This page auto-detects your web browser and offers the correct version of Flash for that browser.

Cheat Sheet

The cheat sheet below, for Windows users, summarizes the necessary steps:

  • Go to my javatester.org web site and check if Java is installed.
  • If it is, and it's from Sun Microsystems and is version 1.5.0_12 or later, then run the online Secunia Software Inspector. Opt for a "thorough system inspection" (it's a checkbox under the blue Start button).
  • If Java is not installed, or is not from Sun or is too old, then there are two options. Either upgrade to the latest version of Java (here too, un-install any old versions first) or download and install the Secunia Personal Software Inspector. If you opt to download Secunia's software, then after installing it, check the Settings section. You may want to change some of the default options. For example, it wants to run all the time in the background.
  • If the only versions that Secunia detects are 9.0.115.0, then all is well. You're done.
  • If there are versions older than 9.0.115.0 they should be removed (covered in the next few steps).
  • Download, install and run Adobe's Flash un-installer program from here.
  • After running it, repeat the Secunia search to verify that all versions of Flash were in fact removed. If any versions were not removed, delete the files that Secunia identifies.
  • From every web browser on your computer visit Adobe's Flash tester page. At this point, no web browser on your computer should report that it is using Flash. Instead they should offer to install the missing Flash player.
  • Install the latest version of the Flash player in every web browser on your computer. If the automatic installation at the Flash tester page fails, then manually install it from www.adobe.com/go/getflashplayer.

The Secunia Software Inspectors are Windows-only. Mac users can download and run a Mac version of Adobe's Flash player un-installer. Linux users get no assistance from either Secunia or Adobe.

It's a shame that Adobe makes this so difficult.


*Regardless of Flash, being familiar with and regularly using the Secunia inspector is a great step towards Defensive Computing.

See a summary of all my Defensive Computing postings.