Typically Adobe updates its ubiquitous Flash Player plugin quarterly in line with Microsoft’s monthly Patch Tuesday updates. This week they have jumped the gun by one week, and so should you.
Adobe have fixed 7 critical remote execution vulnerabilities in Flash Player for not just Windows and Mac, but also Linux and Android.
Users of Flash Player for Windows and Mac should update to 11.5.502.110, Linux to 11.2.202.251, Android 4 to 11.1.115.27 and Android 3 to 11.1.111.24.
To determine which version of Flash you are running you can visit http://www.adobe.com/software/flash/about/.
This may sound easier than it really is for Windows users. There are separate downloads for Firefox/Safari and Internet Explorer 9 and earlier.
The easiest way, regardless of platform (except for Google Chrome users), is to visit http://get.adobe.com/flashplayer. If you use both Internet Explorer 9 or earlier and Firefox/Safari you will need to download it for each browser.
If you don’t want to be annoyed by the “bloatware” add-ons that Adobe offers to install by default when downloading from get.adobe.com, you can get the plain versions at http://www.adobe.com/products/flashplayer/distribution3.html (Thanks Brian Krebs for the tip!).
Google Chrome users were automatically updated by the latest Chrome update and should not need to take any action, other than acknowledging the restart of Chrome for the fix.
Flash Player remains one of the most exploited plugins used in drive-by web attacks, so it is sensible to update as soon as possible.
IT administrators can consider this a dry run for next week’s Patch Tuesday. Stay vigilant, my friends…
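For administrators checking more than one machine, the sketch below (an added example, not part of the original article or any Adobe tooling) compares reported Flash versions against the fixed versions listed above, one row per installed plugin because Internet Explorer and Firefox/Safari carry separate installs. The inventory rows, platform labels and status names are constructed for illustration; the comma-separated form is how Flash Player reports its own version string.

```python
import re

# Fixed versions from the article; the platform labels are this example's own.
FIXED = {
    "windows": (11, 5, 502, 110),
    "mac": (11, 5, 502, 110),
    "linux": (11, 2, 202, 251),
    "android4": (11, 1, 115, 27),
    "android3": (11, 1, 111, 24),
}

def parse_version(text):
    """Parse '11.5.502.110' or the comma form 'WIN 11,5,502,110' into ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if m is None:
        raise ValueError("no four-part version in %r" % text)
    return tuple(int(part) for part in m.groups())

def audit(rows):
    """Return (host, browser, status) for each (host, platform, browser, version) row."""
    results = []
    for host, platform, browser, reported in rows:
        if browser == "chrome":
            status = "update-chrome"  # Chrome bundles Flash; the fix ships with Chrome
        elif platform not in FIXED:
            status = "unknown-platform"
        else:
            try:
                # Tuple comparison is numeric, so 99 < 251 (a string compare gets this wrong).
                outdated = parse_version(reported) < FIXED[platform]
                status = "outdated" if outdated else "ok"
            except ValueError:
                status = "unparsed"
        results.append((host, browser, status))
    return results

# Constructed inventory: one row per installed plugin, not per machine.
SAMPLE = [
    ("pc-01", "windows", "firefox", "11.5.502.110"),
    ("pc-01", "windows", "ie", "WIN 11,4,402,287"),
    ("pc-02", "windows", "chrome", "bundled"),
    ("lnx-01", "linux", "firefox", "11.2.202.99"),
    ("tab-01", "android4", "browser", "11.1.115.27"),
    ("mac-01", "mac", "safari", "n/a"),
]

if __name__ == "__main__":
    for host, browser, status in audit(SAMPLE):
        print(host, browser, status)
```

Note that pc-01 shows up twice: its Firefox plugin is current while its Internet Explorer install is not, which is the case the per-browser downloads create.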
So much for the automatic update service! This morning, it told me there was an update available, but when I clicked the "Update" button, it just launched Firefox and navigated to the "Update Flash" page. There wasn't even a link to download the IE version!
Hi Richard,
As Adobe explained in the following forum post, since this update to Flash Player is a version upgrade i.e. 11.4 to 11.5, the update will be delivered within 7 days. This update is also a security update.
http://forums.adobe.com/message/4827339
What you encountered is expected behavior. As an Internet Explorer 9 user on Windows 7, I do not even receive an “Update Flash” page. When I read Adobe’s forum post linked to above, I simply downloaded the update as Chester mentioned from:
http://www.adobe.com/products/flashplayer/distrib…
and updated manually. I don’t consider waiting up to 7 days an appropriate course of action.
The current update mechanism can be a little confusing since I would expect a security update to be installed within 24 hours. The current update process is explained/clarified in the forum thread linked to below:
http://forums.adobe.com/message/4483381#4483381
Adobe used to have a bug report open for this:
https://bugbase.adobe.com/index.cfm?event=bug&…
but it is now closed. An unverified related bug report is the following:
https://bugbase.adobe.com/index.cfm?event=bug&…
While many users including myself voted for the first bug report mentioned above, Adobe did not change how the update mechanism worked i.e. an update within 24 hours if it is a security update and regardless if it is also a version number upgrade e.g. 11.4 to 11.5.
It seems their intended functionality is for a 24 hour update only when the version number does not change (as mentioned above) and the update is a security update. I have seen this method successfully work on my PCs.
Today, I have already manually updated all of my PCs.
I really can’t see this behavior changing. My only advice is to check this Sophos blog regularly to be notified about such updates and act as necessary. You can also check the Adobe security blogs if you wish:
http://blogs.adobe.com/psirt/
http://blogs.adobe.com/asset/
I hope this helps. Thank you.
This is expected behaviour from Adobe's point of view, but not from an end-user's!
Maybe I'm expecting too much, but I would expect an "automatic update service" to, at the very least, update something automatically. Waiting between 7 and 30 days to install a critical security update when I've already told it to install updates silently ASAP is not acceptable.
I guess I'll have to stick to checking the Mozilla Plugin Check page daily: https://www.mozilla.org/en-US/plugincheck/
Hi Richard,
I agree that it is expected behavior from Adobe’s perspective and not an end user’s. I wasn’t trying to defend their strategy. I was simply trying to show how Adobe’s update schedule works and how it is far from perfect.
I also agree that security updates should be installed automatically and in a very short time. This was my reason for voting for the first bug report that I linked to above in order to accelerate the deployment of security updates. That report got a lot of votes and yet Adobe did not change this behavior.
Yes, I think you are right checking with the Mozilla Plugin Check page as often as you wish.
Thank you.
It's just another organisation that wants to mess about with the population.
Maybe it's just me, but the new version I just installed for Firefox and IE is 11.5.502.110 but the newest version I'm seeing on http://www.adobe.com/products/flashplayer/distrib… is 11.4.402.287.
Hi saturnjct,
That’s strange; when I visit that page, I see version 11.5.502.110 nearest the top.
Try refreshing the page and also clearing the cache (browsing history) of your web browser.
I am not trying to be patronizing by saying the above. I find the same thing happens to me on this blog when the number of comments does not update.
I hope this helps. Thank you.