Update your Flash player now--and do it right

On December 18, give or take,* Adobe Systems released a security bulletin that basically says old versions of the Flash player are buggy as heck (see Flash Player update available to address security vulnerabilities). Specifically, versions 9.0.48.0 and earlier contain nine different bugs that Adobe calls critical. Simply viewing a Web page is all it takes for a bad guy to take control of your computer. This is true on Macs and Linux too. The only way to be safe is to upgrade to the newest version, 9.0.115.0.

These bugs in the Flash player will, no doubt, be a huge target for the bad guys since almost every computer (Windows, Macs and Linux) has some version of Flash installed.

What follows are my suggestions and experiences about updating the Flash player.

The right way

What do I mean by the right way?

I read a number of articles on this topic before writing this posting and none mentioned the fact that you have to update the Flash player for both Internet Explorer and Firefox. The two browsers use separate and independent copies of Flash. You can see this in the screenshot above from the Add/Remove Programs applet in the Windows XP control panel. The ActiveX version is used by Internet Explorer, the plug-in version is used by Firefox.

The right way also means uninstalling the prior version of Flash before installing the new version, not installing any other software other than the Flash player and being 100 percent sure that all old versions of the software have been removed, even those in nonstandard locations.

What version of Flash do you have?

If you haven't updated the Flash player recently, your computer is probably at risk. Still, before bothering to upgrade, you might as well check which version you have installed. Also, knowing how to check provides a way to verify that an uninstall of the Flash player worked. (More on this below.)

For years, I have been using www.macromedia.com/software/flash/about/ to display the currently installed version of the Flash player. A screenshot is above showing the output from today before I upgraded. When Adobe purchased the original Flash vendor, Macromedia, it made its own copy of this Web page www.adobe.com/products/flash/about/. The two pages appear to be identical.

In researching this posting, I ran across a similar page (see screenshot above) at kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507. I don't get good vibes from this page, however. For one, the fact that it still shows Flash as being a Macromedia product rather than an Adobe product makes me wonder if it has been abandoned. Also, there is a whole section on this page about what to do if it reports the wrong version. But if you already knew the version, there would be no need for this Web page at all. :-(

Download the new version?

The security bulletin from Adobe suggests going to the Adobe Player Download center to install the latest version. I wouldn't, for a couple reasons.

For one, installing the latest version of Flash has never uninstalled the old buggy versions. From my Defensive Computing standpoint, I want to always ensure that old buggy software is fully removed. The uninstall procedures are discussed below.

Another reason is that the Adobe Download Center tries to pawn off additional software on Internet Explorer users. (They don't do this with Firefox.) As shown above, the default is to also install the Google Toolbar.

Again speaking defensively, it's best not to install software unless you absolutely need it. There is always the chance it will break something else, and, new software just becomes something else that needs care and feeding. The Google Toolbar in particular, has its own very recent security bug. See Trend Micro and Aviv Raff for more on this.

Out with the old

I suggest starting with the Adobe Flash player unintall program. Removing old versions of the Flash player using the standard Add or Remove Programs applet in the Windows XP Control Panel failed more often than it worked in my tests.

Adobe has instructions on how to uninstall the Adobe Flash Player plug-in and ActiveX control that include a link to download its uninstall program. There is an uninstall program for Windows and one for Macs, but no mention of Linux at all. The program uninstalls both the Internet Explorer and Firefox versions of the Flash player. In fact, it even uninstalled a copy used by a portable version of Firefox.

The instructions warn that it cannot remove files in use, so be sure to shut down all applications before running the uninstaller. I had no problems with the uninstalls.
Update: Actually, I did. See my next posting.

Firefox upgrade procedure

Initially, this posting detailed a host of problems trying to use the Control Panel Add or Remove Programs applet in Windows XP to remove the Firefox version of the Flash player. After getting completely inconsistent results on three different machines, it became obvious the Adobe Flash player uninstaller was the way to go.

After running the uninstaller, go back to the tester page to verify that the Flash player was uninstalled correctly. If it was, you should see something like the below, prompting you to install the plug-in. Click on the green squiggly thing and the procedure is self-explanatory.

Internet Explorer upgrade procedure

Uninstalling the ActiveX version of the Flash player via the Control Panel was just as error-prone as the Firefox plug-in version. On one machine, the entry in the Add/Remove programs list was quickly removed, but the software was not. Another machine was not at all happy with the request, as shown below.

As with Firefox, start at the tester page to verify that the ActiveX version of the Flash player is no longer installed. To install a new copy of the Flash player, look for a yellow stripe at top of the tester Web page window and click on it. Then, in the pop-up menu, click on "Install ActiveX control." Finally, in the Security Warning window (shown below), click on the Install button. That should do it.

Note that if you are running Internet Explorer in restricted mode with DropMyRights, this won't work and won't tell you why. It has to be run unrestricted.

When you see the below, you are done. Should something go wrong, see Troubleshoot Adobe Flash Player installation for Windows from Adobe.

For extra credit, run the Secunia Software Inspector and turn on the checkbox for a "thorough system inspection." This is a great way to ensure there are none of the old, vulnerable versions of the Flash player anywhere on your computer, even in nonstandard locations.

Whew.

My next posting goes into great detail about the problems I had updating the Flash player in one particularly stubborn copy of Firefox. If you are having similar problems, my eventual solution may help you, too.

*Give or take? December 18 is the "release date" of the security bulletin from Adobe. However, if you browse all the security bulletins from Adobe for Flash, you will see that this particular one was originally posted December 11 and has not been updated since. Then again, both those dates could be wrong, at least according to this blog which seems to be from an Adobe employee whose initials are JD. When was the latest version of Flash really released? I'm just a blogger, not a reporter.

I don't use the Windows version of Opera or Safari, so if anyone knows if they too need to updated separately, please leave a comment below. Thanks.

Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.

See a summary of all my Defensive Computing postings.