Adobe Security Updates For Flash and Shockwave

nlewis writes "Adobe has finally released updates for their Flash and Shockwave Players. These updates should, in theory, address the security issues outlined in this security bulletin. This issue has been mentioned here previously. Don't expect an update to the equally flawed Acrobat Reader until sometime tomorrow, though."

Not to worry about Reader!

[EkriirkE]

While we may be stuck with adobe for flash & shockwave, users should not be using reader at all. It is complete and utter bloatware.

FoxIt or Sumatra for Windows are the better, slimmer PDF reader alternatives. And Linux has its many other readers.

Re:Not to worry about Reader!

[Brian+Gordon]

Have you seen Acrobat these days? TPB says the install media is 844MB, and I've seen Add/Remove Programs list Acrobat as using over a gigabyte (on clients' machines).

The ghostscript binary is about 12MB.

Re:Not to worry about Reader!

[Taikutusu]

I honestly cannot even fathom what they could be possibly putting into the install binary to make it that large. The SumatraPDF install is 1.43MB...it'd still fit on a floppy!

That said, I really wish Sumatra would incorporate decent printing support.

Re:Not to worry about Reader!

[enrevanche]

That is a lot more than the acrobat reader which is 41 MB for the linux version and 26 MB for Windows 7 version.

Re:Not to worry about Reader!

[maxume]

Acrobat is a different product than Adobe Reader (which used to be called Adobe Acrobat Reader, but isn't anymore). Reader is a pdf viewer, Acrobat can do a bunch more.

The installer for Adobe Reader still weighs in at 30+ megabytes (and my install is taking up 180 megabytes; 60 of that is setup files, I think the updater sometimes 'works' by downloading a whole new install, it isn't clear to me why there are multiple installers).

Also, 9.x is a big improvement over versions 7 and 8.

Re:Not to worry about Reader!

[Brian+Gordon]

................obviously..

I'm not talking about Reader. I compared the size of Acrobat with ghostscript, which can also create postscript and PDF documents. It was relevant to GGP because he was talking about PDF bloat from Adobe.

Re:Not to worry about Reader!

[tyrione]

Acrobat is Acrobat Writer and Professional Pre-press publishing suite.

http://www.adobe.com/products/acrobat/

Acrobat Reader and Acrobat are not remotely the same beast.

Re:Not to worry about Reader!

[tyrione]

Does SumatraPDF and the rest remotely support the following PDF standards? http://www.adobe.com/products/acrobat/standards.html

Re:Not to worry about Reader!

[tyrione]

................obviously.. I'm not talking about Reader. I compared the size of Acrobat with ghostscript, which can also create postscript and PDF documents. It was relevant to GGP because he was talking about PDF bloat from Adobe.

Ghostscript is very nice, but it has a long way to go to support the massive list of ISO standards Adobe has garnered of late with PDF. http://www.adobe.com/products/acrobat/standards.html

Re:Not to worry about Reader!

[Serious+Callers+Only]

Does SumatraPDF and the rest remotely support the following PDF standards?

Do we need or want it to? I know I don't. PDFs are a useful format for interchange and storage of documents while preserving formatting. I don't use SumatraPDF, but I imagine it covers a subset of features which covers reading most PDFs in existence (like the reader I use).

I don't want embedded flash, or any of the other bullshit features listed on that page as standards. The first one (for example) claims to support the long-term preservation of digital documents - perhaps they use extra long-lasting bits to store the data? The PDF explaining the standard is full of obvious advice which has nothing to do with PDFs at all, and some features which belong more properly in CMS software for all documents, like signing or user tracking....

If you do feel you need those sort of misfeatures then please feel free to suffer and use the Adobe Acrobat/Adobe Reader, but I'll continue to avoid it - because it is an invasive, resource hogging, security risk which is more about getting Adobe a foothold on every desktop than it is about facilitating document exchange/storage.

The PDF format is useful. Adobe's attempts to take over everything on the corporate desktop with it are not.

Re:Not to worry about Reader!

[CrashNBrn]

Foxit is a great piece of software. Except it has far too many Regressions. It is not uncommon for the v2.0 to *outperform both v2.3 and 3.x and in some cases v2.0 is able to do things that the "improved" versions completely choke on.

As well, Foxit Reader still hasn't resolved the printing issue, where it overwhelms the printer spool - it's possibly printer driver issues, but one that other PDF software is not affected by.

(*) Outperforms in both speed and quality of the visual display.

Re:Not to worry about Reader!

[Carnildo]

Do we need or want it to? I know I don't. PDFs are a useful format for interchange and storage of documents while preserving formatting.

I don't want embedded flash, or any of the other bullshit features listed on that page as standards. The first one (for example) claims to support the long-term preservation of digital documents - perhaps they use extra long-lasting bits to store the data?

Archival PDF (the "long-term preservation" you mention) is exactly what you describe in the first paragraph: a format for interchange and storage of documents while preserving formatting. The format explicitly does not support things like Javascript or Flash, and an archival PDF has no external dependancies: all the fonts, images, and so on are embedded in the file, and the format is completely specified. That's what makes it suitable for long-term preservation: it will continue to render the same even if ECMA drops "document.write()" from the Javascript spec or the last copy of "Comic Sans" is lost.

Re:Not to worry about Reader!

[marklar1]

Ohhh, I'd worry...Adobe is so completely F'n incompetent it is scary.

On Mac OS X they've not been able to write update their programs to handle case-sensitive file systems--which have been an OS option since 03--and have caused many a user problems.

They're so f'n oblivious to end users that they don't list non-case-sensitive file systems as a requirement for reader (though they do for the Creative Suite and Reader...?).

The program is so poorly coded, that even though it does install on a case-sensitive file systems (whithout offering a waring to the end user to download or install the software), its problems aren't just working with other third party files, it can't even refer to subroutines within it's own code appropriately as they aren't consistent within their own code...so you can't, for instance open up the Preferences dialog box... there are numerous other interface and coding issues...

Extra! Extra!

[chickenarise]

Adobe sends waves of shock over the world when they flash their IT prowess by delivering much awaited security updates!

flash is perfectly secure!

[Cymeth]

they're worried about security!?

how about fixing performance so i can switch the prick of a thing on first ;)

Re:flash is perfectly secure!

[e9th]

What's annoying is that they care about neither.

When will Adobe learn?

[judolphin]

The incredibly slow, huge and intrusive Adobe Acrobat Reader updates are the main reason I (and I'm sure many others) switched to FoxIt.

That aside, to this day, the innovations created by the Adobe of twenty years ago rivals that of any company of any time: TrueType, PostScript, the PDF standard, Photoshop (which is just as much a verb as "Google")... Adobe in the 1980s almost single-handedly created the desktop publishing industry. They made the software, technologies and tools achievable for individuals and small businesses.

Adobe Updates are Exhibit A of how they've fallen from one of the great software companies ever, to the punchline of a joke.

Re:When will Adobe learn?

[Burdell]

The TrueType font spec was developed by Apple to compete with Adobe. PostScript uses a different font system (PostScript Type 1 being the most common). Adobe didn't want to license just license the Type 1 format (or at least not for a reasonable fee), and it was also somewhat complex to implement (Type 1 fonts being mostly a subset of the PostScript language), so Apple developed TrueType (and then Microsoft signed on) to compete with Adobe. Adobe eventually released the Type 1 spec for free, but the damage was done.

That was probably the beginning of the downfall of Adobe from their high-point of technical excellence.

Re:When will Adobe learn?

[microbee]

Agreed. I could not stand the stupidity of the update.

Now it keeps popping up to my face crying for an update. I said OK go ahead, and it vanished. Then half an hour later it popped up again.

I cannot believe how stupid Adobe Update is. Same thing happened before, now it's happening again.

Re:When will Adobe learn?

That aside, to this day, the innovations created by the Adobe of twenty years ago rivals that of any company of any time: TrueType, PostScript, the PDF standard, Photoshop (which is just as much a verb as "Google")... Adobe in the 1980s almost single-handedly created the desktop publishing industry. They made the software, technologies and tools achievable for individuals and small businesses.

Adobe Updates are Exhibit A of how they've fallen from one of the great software companies ever, to the punchline of a joke.

The innovations of Adobe in the 1980s continuing into the mid-1990s happened because two former Xerox-Palo Alto scientists were in charge. Now that the bean-counters from wall street have taken over the company, American "stock price" capitalism trumps over American innovation as usual. I know it better because i work in adobe.

Flash for 64-bit linux

[GF678]

I'm rather impressed Adobe even updated the alpha 64-bit plugin for Linux at the same time as all the other platforms:

http://labs.adobe.com/downloads/flashplayer10.html

I was kinda expecting they had forgotten about it, so it's nice they didn't.

Re:Flash for 64-bit linux

[jellomizer]

If you code it well, there shouldn't be to many major differences across versions for most updates. You can write code that works good enough that works for many OS's and platforms where most updates to the code can be done and tested rather easily. Flash isn't a high performance App, so I doubt there are not many special 64bit code outside the normal library set.

Re:Flash for 64-bit linux

[CajunArson]

You beat me to posting the URL, good catch. This whole incident does pose an interesting point about Linux security: Linux is becoming less secure because Firefox (sometimes on its own) or Firefox + Flash are allowing for cross-platform hijacks that no longer care about which OS you are running. Hacker's don't have to become root to do real damage now, and if Linux wants to keep its edge the next step in security is how to protect the user from the browser.

Re:Flash for 64-bit linux

Flash isn't a high performance App

I take it that you've never witnessed Flash running on Mac OS X. That pathetic excuse of a plug-in can bring a quad-core Mac Pro to its knees. Adobe can't produce efficient code, period.

Re:Flash for 64-bit linux

[AnyoneEB]

Agreed. As Google has complained about on the topic of browser sandboxing, Linux is a bit behind in protecting programs from their own exploits. On the other hand, the Ubuntu project is actively working on using AppArmor more, which can greatly limit the damage an exploited program can do by listing which files and directories each program is allowed to read/write/execute.

Re:Flash for 64-bit linux

[Tokerat]

Now if they could just be bothered to make the PPC version get more than 2 frames per second I'd be grateful...

Re:Flash for 64-bit linux

[AnyoneEB]

It can't be fixed in software? What do you suggest as an alternative? Hardware? Magic? Hardware security can have bugs, too -- and I am not really sure what hardware security has to do with the types of bugs AppArmor is designed to protect against. Anyway, it seems silly to think of hardware as fundamentally different from software. Both express complicated logic, which can easily have mistakes unless the author is very careful.

Yes, AppArmor and SELinux do nothing if your code has no exploitable bugs. Unfortunately, code occasionally does have exploitable bugs, so it makes sense to have extra layers like the IE8 sandbox to limit the damage exploits can do.

Google Chrome install?

[Brian+Gordon]

The installer doesn't work for Chrome. Flash reports that I'm using 10,0,22,87 but the latest is 10.0.32.18. That means I have to extract the plugin from the installer with winrar and install it manually....... come on, get on top of this, Google.

Re:Google Chrome install?

[BikeHelmet]

Google? You mean Adobe, right?

In other news - Adobe's installer doesn't properly install for my Firefox Portable, either - but if I use 7-zip to manually unzip it and throw it in Firefox's plugin folder, then it works fine. :D

I'm so glad they switched away from that crappy WISE installer. Those installers couldn't be unzipped by anything I know of.

Re:Google Chrome install?

[weicco]

It crashed my IE8 on XP also. So no update for me I guess.

Re:Google Chrome install?

[Brian+Gordon]

I meant Google. The installer asked me to close Chrome when I ran it, so it does recognize the browser.

Realistically, Google should be the one responsible for getting it working. Adobe has no obligation to research what new browsers are coming out.. it's Google who should work with Adobe to get it supported.

Re:Google Chrome install?

[BikeHelmet]

That makes no sense.

The installer asked me to close Chrome when I ran it, so it does recognize the browser.

Right - but not enough to actually copy the damn file.

Next thing you'll be arguing that it's Canonical's fault that Microsoft Office doesn't work on linux.

Installer failed. Move along. I'm sure Adobe will fix it eventually.

Time Travel?

[gamefaces]

Did I just go back in time to when people actually used Acrobat Reader? I did go 88 in my DeLorean earlier today... nice speeding ticket too.

Re:Time Travel?

[cffrost]

I did go 88 in my DeLorean earlier today... nice speeding ticket too.

You've got a real attitude problem, McFly. You're a slacker!

Can't install/uninstall v10 .deb package. :(

[antdude]

I think this release is bad or something is wrong with my Debian.

I downloaded
http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_10_linux.deb to upgrade my old Flash v10 in Debian, but I am getting problems:

# dpkg --install install_flash_player_10_linux.deb
(Reading database ... 162227 files and directories currently installed.)
Preparing to replace adobe-flashplugin 10.0.22.87-1 (using install_flash_player_10_linux.deb) ...
update-alternatives: error: no alternatives for iceape-flashplugin.
update-alternatives: error: no alternatives for iceape-flashplugin.
dpkg: warning: old pre-removal script returned error exit status 2
dpkg - trying script from the new package instead ...
update-alternatives: error: no alternatives for iceape-flashplugin.
update-alternatives: error: no alternatives for iceape-flashplugin.
dpkg: error processing install_flash_player_10_linux.deb (--install):
  subprocess new pre-removal script returned error exit status 2
postinst called with argument `abort-upgrade'
dpkg: error while cleaning up:
  subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
  install_flash_player_10_linux.deb

# dpkg --remove adobe-flashplugin
dpkg: error processing adobe-flashplugin (--remove):
  Package is in a very bad inconsistent state - you should
  reinstall it before attempting a removal.
Errors were encountered while processing:
  adobe-flashplugin

If I try to reinstall it, then I get the same results in the beginning.

How do I fix this? Thank you in advance. :)

Re:Can't install/uninstall v10 .deb package. :(

[mrsurb]

I had the same problem today even installing from repos... found a slightly odd workaround that worked at Ubuntu Forums.

Re:Can't install/uninstall v10 .deb package. :(

[antdude]

Thanks, but it didn't work:

# aptitude download mozilla-plugin-gnash
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Get:1 http://ftp.debian.org/ testing/main mozilla-plugin-gnash 0.8.4-2 [67.7kB]
Fetched 67.7kB in 1s (52.8kB/s)
ANTian:/home/ant/download# dpkg --force-overwrite --install mozilla-plugin-gnash_0.8.4-2_i386.deb
(Reading database ... 162236 files and directories currently installed.)
Preparing to replace mozilla-plugin-gnash 0.8.4-2 (using mozilla-plugin-gnash_0.8.4-2_i386.deb) ...
Unpacking replacement mozilla-plugin-gnash ...
dpkg: dependency problems prevent configuration of mozilla-plugin-gnash:
  mozilla-plugin-gnash depends on gnash (= 0.8.4-2) | gnash-opengl (= 0.8.4-2); however:
    Package gnash is not installed.
    Package gnash-opengl is not installed.
dpkg: error processing mozilla-plugin-gnash (--install):
  dependency problems - leaving unconfigured
Errors were encountered while processing:
  mozilla-plugin-gnash

# apt-get install gnash gnash-opengl
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: The package adobe-flashplugin needs to be reinstalled, but I can't find an archive for it.

I need to force a reinstall or force an uninstall, but it won't let me! :(

Better Privacy

[gurps_npc]

Best add on for privacy even with Flash and shockwave. It removes the hidden LSO cookies that Flash and Shockwave puts on your computer.

Corporate Crapware.

[eddy]

Love it how you don't get to chose where it's installed (on MS Windows). It requires me to exit Opera for the installer to run, even though I don't want the plugin installed in Opera (in fact, it's blacklisted there). Guess simply allowing me to check the applications where I want it installed would be too dangerous, someone might back out at the last minute and all...

How are these updates pushed out onto the unwashed masses anyhow, will the client update itself? If not, when are people who don't care about security-bulletins going to get updated? Will there be an update to flash-authoring tools such that this is the new minimum req. version, forcing updates, or what?

Resolved!

[antdude]

From http://www.linuxquestions.org/questions/debian-26/sid-adobe-flasplugin-is-reinstall-required-but-apt-cant-find-archive-for-it-727572/ and http://www.linuxquestions.org/questions/debian-26/cant-open-synaptic-after-trying-install-flash-deb-of-ubuntu-739384/:

"... edit file /var/lib/dpkg/info/adobe-flashplugin.prerm and removed all lines after set -e. This solved the problem."

I guess deb file was for Ubuntu and not Debian. :(

I use Preview

[Tokerat]

You insensitive clod!

Automatic update

[indre1]

Does Flash get updated automatically when I start Firefox or do I have to mess around Adobe's site?

Re:Automatic update

[gmack]

In Widnows, plugins do not get updated automatically(only addons do). You will need to download from their site.

Happy sysadmin day !

[MonkeyOnATypewriter]

I know that it's offtopic but:

Hey, people, it's sysadmin day...
http://www.sysadminday.com/

some times flash pops after boot up and asks to be

[Joe+The+Dragon]

some times flash pops after boot up and asks to be updated.

Flash Player Integer Overflow Remote CodeExecution

[zukinux]

Roee Hay's blog and a movie to demonstrate it : Movie on youtube showing successful attack

GG WP!!