Adobe Security Updates For Flash and Shockwave

nlewis writes "Adobe has finally released updates for their Flash and Shockwave Players. These updates should, in theory, address the security issues outlined in this security bulletin. This issue has been mentioned here previously. Don't expect an update to the equally flawed Acrobat Reader until sometime tomorrow, though."

Not to worry about Reader!

[EkriirkE]

While we may be stuck with adobe for flash & shockwave, users should not be using reader at all. It is complete and utter bloatware.

FoxIt or Sumatra for Windows are the better, slimmer PDF reader alternatives. And Linux has its many other readers.

Re:

[Brian Gordon]

Have you seen Acrobat these days? TPB says [thepiratebay.org] the install media is 844MB, and I've seen Add/Remove Programs list Acrobat as using over a gigabyte (on clients' machines).

The ghostscript binary is about 12MB.

Re:

[Taikutusu]

I honestly cannot even fathom what they could be possibly putting into the install binary to make it that large. The SumatraPDF install is 1.43MB...it'd still fit on a floppy!

That said, I really wish Sumatra would incorporate decent printing support.

Re:

[tyrione]

Does SumatraPDF and the rest remotely support the following PDF standards? http://www.adobe.com/products/acrobat/standards.html [adobe.com]

Re:Not to worry about Reader!

[Serious Callers Only]

Does SumatraPDF and the rest remotely support the following PDF standards?

Do we need or want it to? I know I don't. PDFs are a useful format for interchange and storage of documents while preserving formatting. I don't use SumatraPDF, but I imagine it covers a subset of features which covers reading most PDFs in existence (like the reader I use).

I don't want embedded flash, or any of the other bullshit features listed on that page as standards. The first one (for example) claims to support the long-term preservation of digital documents - perhaps they use extra long-lasting bits to store the data? The PDF explaining the standard is full of obvious advice which has nothing to do with PDFs at all, and some features which belong more properly in CMS software for all documents, like signing or user tracking....

If you do feel you need those sort of misfeatures then please feel free to suffer and use the Adobe Acrobat/Adobe Reader, but I'll continue to avoid it - because it is an invasive, resource hogging, security risk which is more about getting Adobe a foothold on every desktop than it is about facilitating document exchange/storage.

The PDF format is useful. Adobe's attempts to take over everything on the corporate desktop with it are not.

Re:

[Carnildo]

Do we need or want it to? I know I don't. PDFs are a useful format for interchange and storage of documents while preserving formatting.

I don't want embedded flash, or any of the other bullshit features listed on that page as standards. The first one (for example) claims to support the long-term preservation of digital documents - perhaps they use extra long-lasting bits to store the data?

Archival PDF (the "long-term preservation" you mention) is exactly what you describe in the first paragraph: a format fo

Re:

[enrevanche]

That is a lot more than the acrobat reader which is 41 MB for the linux version and 26 MB for Windows 7 version.

Re:

[maxume]

Acrobat is a different product than Adobe Reader (which used to be called Adobe Acrobat Reader, but isn't anymore). Reader is a pdf viewer, Acrobat can do a bunch more.

The installer for Adobe Reader still weighs in at 30+ megabytes (and my install is taking up 180 megabytes; 60 of that is setup files, I think the updater sometimes 'works' by downloading a whole new install, it isn't clear to me why there are multiple installers).

Also, 9.x is a big improvement over versions 7 and 8.

Re:

[Brian Gordon]

................obviously..

I'm not talking about Reader. I compared the size of Acrobat with ghostscript, which can also create postscript and PDF documents. It was relevant to GGP because he was talking about PDF bloat from Adobe.

Re:

[tyrione]

................obviously.. I'm not talking about Reader. I compared the size of Acrobat with ghostscript, which can also create postscript and PDF documents. It was relevant to GGP because he was talking about PDF bloat from Adobe.

Ghostscript is very nice, but it has a long way to go to support the massive list of ISO standards Adobe has garnered of late with PDF. http://www.adobe.com/products/acrobat/standards.html [adobe.com]

Re:

[marklar1]

Ohhh, I'd worry...Adobe is so completely F'n incompetent it is scary.

On Mac OS X they've not been able to write update their programs to handle case-sensitive file systems--which have been an OS option since 03--and have caused many a user problems.

They're so f'n oblivious to end users that they don't list non-case-sensitive file systems as a requirement for reader (though they do for the Creative Suite and Reader...?).

The program is so poorly coded, that even though it does install on a case-sensitive fil

Re:Not to worry about Reader!

[tyrione]

Acrobat is Acrobat Writer and Professional Pre-press publishing suite.

http://www.adobe.com/products/acrobat/

Acrobat Reader and Acrobat are not remotely the same beast.

I use Preview

[Tokerat]

You insensitive clod!

Re:

[CrashNBrn]

Foxit is a great piece of software. Except it has far too many Regressions. It is not uncommon for the v2.0 to *outperform both v2.3 and 3.x and in some cases v2.0 is able to do things that the "improved" versions completely choke on.

As well, Foxit Reader still hasn't resolved the printing issue, where it overwhelms the printer spool - it's possibly printer driver issues, but one that other PDF software is not affected by.

(*) Outperforms in both speed and quality of the visual display.

Extra! Extra!

[chickenarise]

Adobe sends waves of shock over the world when they flash their IT prowess by delivering much awaited security updates!

flash is perfectly secure!

[Cymeth]

they're worried about security!?

how about fixing performance so i can switch the prick of a thing on first ;)

Re:

[e9th]

What's annoying is that they care about neither.

When will Adobe learn?

[judolphin]

The incredibly slow, huge and intrusive Adobe Acrobat Reader updates are the main reason I (and I'm sure many others) switched to FoxIt.

That aside, to this day, the innovations created by the Adobe of twenty years ago rivals that of any company of any time: TrueType, PostScript, the PDF standard, Photoshop (which is just as much a verb as "Google")... Adobe in the 1980s almost single-handedly created the desktop publishing industry. They made the software, technologies and tools achievable for individuals and small businesses.

Adobe Updates are Exhibit A of how they've fallen from one of the great software companies ever, to the punchline of a joke.

Re:When will Adobe learn?

[Burdell]

The TrueType font spec was developed by Apple to compete with Adobe. PostScript uses a different font system (PostScript Type 1 being the most common). Adobe didn't want to license just license the Type 1 format (or at least not for a reasonable fee), and it was also somewhat complex to implement (Type 1 fonts being mostly a subset of the PostScript language), so Apple developed TrueType (and then Microsoft signed on) to compete with Adobe. Adobe eventually released the Type 1 spec for free, but the damage was done.

That was probably the beginning of the downfall of Adobe from their high-point of technical excellence.

Re:

[microbee]

Agreed. I could not stand the stupidity of the update.

Now it keeps popping up to my face crying for an update. I said OK go ahead, and it vanished. Then half an hour later it popped up again.

I cannot believe how stupid Adobe Update is. Same thing happened before, now it's happening again.

Re:

[Anonymous Coward]

That aside, to this day, the innovations created by the Adobe of twenty years ago rivals that of any company of any time: TrueType, PostScript, the PDF standard, Photoshop (which is just as much a verb as "Google")... Adobe in the 1980s almost single-handedly created the desktop publishing industry. They made the software, technologies and tools achievable for individuals and small businesses.

Adobe Updates are Exhibit A of how they've fallen from one of the great software companies ever, to the punchline of a joke.

The innovations of Adobe in the 1980s continuing into the mid-1990s happened because two former Xerox-Palo Alto scientists were in charge. Now that the bean-counters from wall street have taken over the company, American "stock price" capitalism trumps over American innovation as usual. I know it better because i work in adobe.

Flash for 64-bit linux

[GF678]

I'm rather impressed Adobe even updated the alpha 64-bit plugin for Linux at the same time as all the other platforms:

http://labs.adobe.com/downloads/flashplayer10.html [adobe.com]

I was kinda expecting they had forgotten about it, so it's nice they didn't.

Re:

[jellomizer]

If you code it well, there shouldn't be to many major differences across versions for most updates. You can write code that works good enough that works for many OS's and platforms where most updates to the code can be done and tested rather easily. Flash isn't a high performance App, so I doubt there are not many special 64bit code outside the normal library set.

Re:

[Anonymous Coward]

Flash isn't a high performance App

I take it that you've never witnessed Flash running on Mac OS X. That pathetic excuse of a plug-in can bring a quad-core Mac Pro to its knees. Adobe can't produce efficient code, period.

Re:

[CajunArson]

You beat me to posting the URL, good catch. This whole incident does pose an interesting point about Linux security: Linux is becoming less secure because Firefox (sometimes on its own) or Firefox + Flash are allowing for cross-platform hijacks that no longer care about which OS you are running. Hacker's don't have to become root to do real damage now, and if Linux wants to keep its edge the next step in security is how to protect the user from the browser.

Re:

[AnyoneEB]

Agreed. As Google has complained about [google.com] on the topic of browser sandboxing, Linux is a bit behind in protecting programs from their own exploits. On the other hand, the Ubuntu project is actively working on using AppArmor [wikipedia.org] more, which can greatly limit the damage an exploited program can do by listing which files and directories each program is allowed to read/write/execute.

Re:

[AnyoneEB]

It can't be fixed in software? What do you suggest as an alternative? Hardware? Magic? Hardware security can have bugs, too -- and I am not really sure what hardware security has to do with the types of bugs AppArmor is designed to protect against. Anyway, it seems silly to think of hardware as fundamentally different from software. Both express complicated logic, which can easily have mistakes unless the author is very careful.

Yes, AppArmor and SELinux do nothing if your code has no exploitable bugs. Unfor

Re:

[Tokerat]

Now if they could just be bothered to make the PPC version get more than 2 frames per second I'd be grateful...

Google Chrome install?

[Brian Gordon]

The installer doesn't work for Chrome. Flash reports [adobe.com] that I'm using 10,0,22,87 but the latest is 10.0.32.18. That means I have to extract the plugin from the installer with winrar and install it manually....... come on, get on top of this, Google.

Re:

[BikeHelmet]

Google? You mean Adobe, right?

In other news - Adobe's installer doesn't properly install for my Firefox Portable, either - but if I use 7-zip to manually unzip it and throw it in Firefox's plugin folder, then it works fine. :D

I'm so glad they switched away from that crappy WISE installer. Those installers couldn't be unzipped by anything I know of.

Re:

[Brian Gordon]

I meant Google. The installer asked me to close Chrome when I ran it, so it does recognize the browser.

Realistically, Google should be the one responsible for getting it working. Adobe has no obligation to research what new browsers are coming out.. it's Google who should work with Adobe to get it supported.

Re:

[BikeHelmet]

That makes no sense.

The installer asked me to close Chrome when I ran it, so it does recognize the browser.

Right - but not enough to actually copy the damn file.

Next thing you'll be arguing that it's Canonical's fault that Microsoft Office doesn't work on linux.

Installer failed. Move along. I'm sure Adobe will fix it eventually.

Re:

[weicco]

It crashed my IE8 on XP also. So no update for me I guess.

Time Travel?

[gamefaces]

Did I just go back in time to when people actually used Acrobat Reader? I did go 88 in my DeLorean earlier today... nice speeding ticket too.

Re:

[cffrost]

I did go 88 in my DeLorean earlier today... nice speeding ticket too.

You've got a real attitude problem, McFly. You're a slacker!

Can't install/uninstall v10 .deb package. :(

[antdude]

I think this release is bad or something is wrong with my Debian.

I downloaded
http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_10_linux.deb [macromedia.com] to upgrade my old Flash v10 in Debian, but I am getting problems:

# dpkg --install install_flash_player_10_linux.deb
(Reading database ... 162227 files and directories currently installed.)
Preparing to replace adobe-flashplugin 10.0.22.87-1 (using install_flash_player_10_linux.deb) ...
update-alternatives: error: no alternatives for iceape-flashplugin.
update-alternatives: error: no alternatives for iceape-flashplugin.
dpkg: warning: old pre-removal script returned error exit status 2
dpkg - trying script from the new package instead ...
update-alternatives: error: no alternatives for iceape-flashplugin.
update-alternatives: error: no alternatives for iceape-flashplugin.
dpkg: error processing install_flash_player_10_linux.deb (--install):
  subprocess new pre-removal script returned error exit status 2
postinst called with argument `abort-upgrade'
dpkg: error while cleaning up:
  subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
  install_flash_player_10_linux.deb

# dpkg --remove adobe-flashplugin
dpkg: error processing adobe-flashplugin (--remove):
  Package is in a very bad inconsistent state - you should
  reinstall it before attempting a removal.
Errors were encountered while processing:
  adobe-flashplugin

If I try to reinstall it, then I get the same results in the beginning.

How do I fix this? Thank you in advance. :)

Re:

[mrsurb]

I had the same problem today even installing from repos... found a slightly odd workaround that worked at Ubuntu Forums [ubuntuforums.org].

Re:

[antdude]

Thanks, but it didn't work:

# aptitude download mozilla-plugin-gnash
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Get:1 http://ftp.debian.org/ [debian.org] testing/main mozilla-plugin-gnash 0.8.4-2 [67.7kB]
Fetched 67.7kB in 1s (52.8kB/s)
ANTian:/home/ant/download# dpkg --force-overwrite --install mozilla-plugin-gnash_0.8.4-2_i386.deb
(Reading database ... 162236 files and di

Resolved!

[antdude]

From http://www.linuxquestions.org/questions/debian-26/sid-adobe-flasplugin-is-reinstall-required-but-apt-cant-find-archive-for-it-727572/ [linuxquestions.org] and http://www.linuxquestions.org/questions/debian-26/cant-open-synaptic-after-trying-install-flash-deb-of-ubuntu-739384/ [linuxquestions.org]:

"... edit file /var/lib/dpkg/info/adobe-flashplugin.prerm and removed all lines after set -e. This solved the problem."

I guess deb file was for Ubuntu and not Debian. :(

Better Privacy

[gurps_npc]

Best add on for privacy even with Flash and shockwave. It removes the hidden LSO cookies that Flash and Shockwave puts on your computer.

Corporate Crapware.

[eddy]

Love it how you don't get to chose where it's installed (on MS Windows). It requires me to exit Opera for the installer to run, even though I don't want the plugin installed in Opera (in fact, it's blacklisted there). Guess simply allowing me to check the applications where I want it installed would be too dangerous, someone might back out at the last minute and all...

How are these updates pushed out onto the unwashed masses anyhow, will the client update itself? If not, when are people who don't care about security-bulletins going to get updated? Will there be an update to flash-authoring tools such that this is the new minimum req. version, forcing updates, or what?

Automatic update

[indre1]

Does Flash get updated automatically when I start Firefox or do I have to mess around Adobe's site?

Re:

[gmack]

In Widnows, plugins do not get updated automatically(only addons do). You will need to download from their site.

some times flash pops after boot up and asks to be

[Joe The Dragon]

some times flash pops after boot up and asks to be updated.

Happy sysadmin day !

[MonkeyOnATypewriter]

I know that it's offtopic but:

Hey, people, it's sysadmin day...
http://www.sysadminday.com/ [sysadminday.com]

Flash Player Integer Overflow Remote CodeExecution

[zukinux]

Roee Hay's blog [blogspot.com] and a movie to demonstrate it : Movie on youtube showing successful attack [facebook.com]

GG WP!!