Adobe updates Flash again in a Patch Tuesday of its own


Earlier this year, Adobe switched from a strictly quarterly patch cycle – updating on the second Tuesday of every third month – to a monthlyish cycle, or cadence, to borrow Adobe’s own metaphor.

I say monthlyish, because the company doesn’t necessarily patch every month, and doesn’t necessarily patch only on the second Tuesday.

Speaking personally, I’d have avoided the word cadence to describe this approach. I’d simply have said, “We issue patches on the second Tuesday of most months, but also at any other time when it’s important or urgent.”

Anyway, it seems as though something urgent from a security point of view came up in the past few days.

Adobe Flash Player has been patched again just one week after the official Patch Tuesday release.

Just like the monthlyish update, this one addresses a bunch of RCE bugs.

RCE stands for Remote Code Execution, and because Flash objects are almost always embedded into untrusted web pages from outside your organisation, this means potential drive-by installs.

(A drive-by install is where you innocently load a deliberately-damaged data file and end up unknowingly running executable code buried inside it, without any of the usual system warnings.)

Incidentally, finding out whether you need the update or not isn’t quite as intuitive as you might expect. I assumed that the Adobe Flash Player Install Manager application, which wins the prize for Longest Software App Name On My Mac by a quite considerable margin, might be the place to start:

It turns out you can use the Install Manager to sort out Flash Player vulnerabilities, but only by removing the software entirely, which seems to be the Install Manager software’s main and only option:

That confused me, because I expected to find a Manage Your Adobe Flash Player Installation option somewhere in the Adobe Flash Player Install Manager software. I suspect – and here’s some free consulting advice for Adobe – that others might have similar thoughts.

Adobe’s own recommendation to check your version of Adobe Flash Player is:

Access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Personally, I’d prefer an off-line option. There’s something intellectually unappealing about deliberately putting yourself in the way of a possible Flash-based drive-by attack in order to see if you need to patch against possible Flash-based drive-by attacks.

Nevertheless, the About Flash Player page is easy enough to check and tells you what you need to know.

These days, the default option for Flash Player updates is automatic, though I feel slightly happier with “Notify me”:

Having said that, I have to admit that most of the time I respond to the notifications by updating straight away. Given that I now know how to remove Flash Player quickly and easily if something goes wrong (by using the Install Manager application), perhaps I’ll switch to full-auto mode.

All I have to do now is to figure out how [*].

Let me see. The Adobe Flash Player Install Manager application sounds like a good place to start…

[*] It’s more obvious than I’m letting on. There’s a Flash applet in System Preferences on the Mac and in Control Panel on Windows.