Flash, Reader, Shockwave patches

Topic

New Reply

EP just wrote with the latest:Adobe has released new security updates this September 2013 for Adobe Reader, Acrobat,Flash Player and Shockwave Player.
[See the full post at: Flash, Reader, Shockwave patches]

Reply | Quote

Replies

The latest update for Adobe Reader XI is 11.0.04. However, Adobe wrongly notifies that there is an update for 11.0.03 (at least, an Adobe update icon appears in my Windows XP SP3 system tray, as well as my Windows Vista Home Basic SP2 notification area).

This confused me, since my Readers are currently at 11.0.03 already.

So I went to my usual resource: the Downloads page for Adobe Reader for Windows (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows). This page has updates (confirmed that 11.0.04 is the latest), as well as full versions, and add-ons. Re the latter, if you haven’t done so, you may want to check out / install add-ons like Adobe Reader XI Spelling Dictionary Pack or Adobe Reader XI Font Packs – Asian and Extended Language Pack (similar add-ons exist for other versions like Reader X or Reader 9).

I like downloading the (standalone) update file from there, so I can update several machines.

BTW, this is not the first dumb mistake Adobe has made for updates – at least it’s a harmless one, though confusing.

But they sure make it hard to notify them about such mistakes: the feedback form is gone.

The Adobe webpages have evolved and improved, though the website is still a morass and information is scattered all over (e.g. info on Flash Player). I have to compliment the Security Bulletin for Adobe Reader and Acrobat that Woody linked to: concise and useful info, especially the Solution links to update.

More evidence of improvement: In the last year, Adobe has provided informative Release Notes, for more info and links to files.

Go to Downloads page, select an update, e.g. 11.0.04 and go to its page, and there is a link to Release Notes for Acrobat and Reader:
http://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html

This is a CUMULATIVE page, with links to ALL release notes (for all versions & updates). Navigating to a specific Release Note, e.g. http://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotes/11/11.0.04.html, one can read about changes in that release – and very useful are the links to files for Windows and Macintosh installers / updaters.

Reply | Quote

Private message to Woody (not for publication):

Couldn’t help it: after an absence, I’m back with wordy comments. Commented in the past as wl and guest, mostly re Adobe Reader, Flash Player, and Shockwave. The dumb Adobe update icon notifying about an update – but giving the wrong detail – set me off. At least gave me a chance to mention the Release Notes, which are useful.

What happened to the Testing Tech link at the top of your page? The page is empty. The links were useful, especially the Do Not Track info….

Reply | Quote

May as well mention another major patch / update: the JRE (Java Runtime Environment) (plugin) has an update to Version 7 Update 40.

Check your version and download update:
http://java.com/en/

Read more about the update and release notes:
https://blogs.oracle.com/java/entry/java_se_7_update_40

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

Expect another update in about 3 months, if not earlier (i.e. out-of-band or critical update):

“JRE Expiration Date
The expiration date for JRE 7u40 is 12/10/2013. After this date, Java will provide additional warnings and reminders to users to update to the newer version.”

Reply | Quote

Leaving older versions on your system after an update causes security risks.

They should be removed or uninstalled before updating – UNLESS you have software that needs the older versions (e.g. badly written applications written for a specific JRE version).

Uninstallers for Flash Player and Shockwave:
http://www.adobe.com/shockwave/download/alternates/
(This is a favorite page for me: a hub to download Adobe Web Players, for many different platforms / OS’s).

“Why should I uninstall older versions of Java from my system?”
http://java.com/en/download/faq/remove_olderversions.xml

Reply | Quote

@WL –

The Testing link at the top of the page disappeared after I started having problems with Windows 8 — not sure what happened, but with DNT apparently now dead, it doesn’t matter much. Sigh.

Reply | Quote

Woody —

Maybe DNT is dead, but at least until Google implements AdID, Abine’s DoNotTrackMe Extensions for all major browsers, and Ghostery and NoScript for Firefox, are all still alive and kicking. The Tech Press makes no distinction between the voluntary DNT and the Abine DoNotTrackMe Extension, and this is misleading.

Users DO have an option to opt-out from unwanted tracking while online.

At least for now…

Reply | Quote

@RC –

Also, DuckDuckGo works well. http://www.infoworld.com/t/web-services/duckduckgo-going-straight-226778

Reply | Quote

On the same search terms, Google typically got ten times the returns of DDG in my brief and unscientific tests. This is not a mature Search Engine.

The enhanced privacy is not worth the reduced functionality.

This is also why I never got interested in Comodo DRagon Browser, or any other “secure” browser.

Reply | Quote

I think it’s been about a year ago that I first heard about & started using DDG, could be wrong, old age CRS. 😉

Anyway, off to the right side of your results list or at bottom of page, they give you links to Google,Bing,etc.

I love DDG but there’s also ‘StartPage’ or ‘Ixquick’ you can check out.

Reply | Quote

Looks like Flash Player got ANOTHER emergency update to the “Windows ActiveX (Internet Explorer) plugin only”, since the update mentioned in the September 10th Security Bulletin APSB13-21 in Woody’s original post (September 14).

So, the latest IE (non-Win8) version is 11.8.800.175, which will go automatically to Windows users who chose the Flash Update setting of “”Allow Adobe to install updates (recommended)”.

For those of us who chose the Flash Update setting of “Notify me to install updates” (similar to Woody’s recommendation for Microsoft / Windows updates),
“update options will receive an update notification dialog within 7 days from today (please note that Windows users will need to restart their system to receive the notification dialog.)”

Since I have this setting and didn’t restart my computer until this morning (30th), I didn’t get the notification till then. So, this comment is a heads up for those in a similar situation – or those who chose “Never check for updates (not recommended)”.

Reference:
9/19/2013 – Flash Player 11.8 Release Announcement
http://forums.adobe.com/thread/1300160?tstart=0

(The following is for those who want to know more about Flash Player announcements and releases – and more critique of Adobe’s poor documentation.)

This experience helped me understand why the Security Bulletin SEEMED inaccurate, and I learned a few things.

I repeat: this bulletin was issued September 10; Woody’s original post is dated September 14. And even more dates appear below.

I was confused when I read “Users of Adobe Flash Player 11.8.800.94 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.8.800.168.”. But when I visited the Flash Player test page (http://www.adobe.com/software/flash/about/), it said the latest IE (non-Win8) version was 11.8.800.174.

I attributed the difference to the usual sloppiness in Adobe webpages. And I have noticed that versions of Flash Player have gotten “out of sync” for IE versus other browsers in the past – but this happened infrequently. (Of course Chrome has to be different, so its plugins are rarely in sync version-number-wise, but I’ll reserve that annoying topic for another comment…)

After discovering the “9/19/2013 – Flash Player 11.8 Release Announcement” page, I noticed that there were discussions / webpages for more “Flash Runtime Announcements”: http://forums.adobe.com/community/flashplayer/announcements?view=discussions. Good for those who like to know the latest (e.g. also betas) ….

I found a “9/13/2013 – Flash Player 11.8 Release Announcement” posted September 17 for the emergency update 11.8.800.174 for IE (non-Win8).

So, 2 emergency updates within 9 days of the original update.

Another discovery:
“Release Notes | Flash Player® 11.8 AIR® 3.8”
http://helpx.adobe.com/en/flash-player/release-note/fp_118_air_38_release_notes.html

And more release notes for earlier / other versions:
“Flash Player Release Notes”
http://www.adobe.com/support/documentation/en/flashplayer/releasenotes.html

The former (11.8) page is a cumulative document organized by reverse chronological DATE. It is irksome that version numbers are not used – I guess it makes for a more streamlined document (even though there are “only” 9 platform-browser permutations). But it takes quite a bit of work to connect the dots, especially since the dates SEEM tied to when the Flash Player download page is updated, not the date of the file (which can also be DIFFERENT than the announcement – which might also be posted later, e.g. September 13 announcment but posted September 17).

So, discussing only the Flash Players for IE, non-Win8: the 3 most recent entries in the Release Notes are applicable: September 24, 13, and 10th. These correspond to the Flash Runtime Announcements dated September 19, 13, and 10th (and Security Bulletin APSB13-21 dated September 10). File dates for the full installers (I use a downloader program that preserves the SERVER’s original date/time) are September 16 for 11.8.800.175 versions (.exe & MSI) and September 13 for 11.8.800.174 versions (.exe & .MSI). I didn’t start investigating until recently, so I didn’t get the 11.8.800.168 versions, but September 10th is consistent for the Release Notes entry and the Flash Runtime Announcement (9/10/2013 – Flash Player 11.8 Release Announcement) (but see annoyance below….)

Okay, the THREE 11.8.800.174 dates are consistent: September 13. But the 11.8.800.175 dates are September 16, 19, and 24! So, it took a while to correlate the September 10 & 13th entries to the .168 & .174 versions, to confirm (by elimination) that the September 24th entry of the Release Notes gave details for the .175 version (excuse me for not trusting the latest entry corresponds to the latest version – not after seeing so many mistakes on other Adobe pages). Like I said, there are “only” nine platform-browser permutations; including those version numbers would eliminate confusion.

(Give Microsoft credit: they actually have ONE page where one can find the multiple KB [Knowledge Base] numbers that correlate to each single MS [Microsoft Security Bulletin] number for that month’s Windows updates, c.f. http://technet.microsoft.com/en-us/security/bulletin/ms13-sep, see the Affected Software tables.)

To be fair, the “9/19/2013 – Flash Player 11.8 Release Announcement” does say “We anticipate updating our Flash Player download page (http://get.adobe.com/flashplayer) on Tuesday, September 24th.” But one has to know this document exists and correlate the 24th there with the 24th on the Release Notes!

Here’s the annoyance mentioned above: I do have the 11.8.800.168 versions for Windows x Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers). The file date on the .exe and .MSI files is September 2! (sigh) So, this version existed on Adobe download servers for 8 days before the related September 10th date. And probably available for download (early) for those in the know – if you remember your “permalinks” (since the Adobe Flash and Shockwave player installer files have no [full, only major] version numbering).

Consistency in dating, releasing, and documentation would make details “self-relating”, offering some bit of self-documentation. Instead of requiring auditing / forensic investigation skills to correlate information …. And just put all the necessary details on the one / same page!

Reply | Quote

Okay, to be fair, after taking a closer look at the “Release Notes | Flash Player® 11.8 AIR® 3.8” webpage, at the bottom of the long page is the “Runtime Version(s) History” table, which relates release date with version with security bulletin. This would have helped with connecting the dots.

But the critique in my earlier comment is still valid.

One should not have to look at the whole (long) document to reach the bottom table, to relate the version number back with the date entries at the top (like the “prior reference missing” problem in a newspaper article). And missing is an entry for the non-Win8 IE / ActiveX version 11.8.800.175, while this IS mentioned in the “Released Versions” table higher up.

While the page’s author is loathe to mention versions numbers for the release date entries at the top of the page, that doesn’t stop his inconsistency of mentioning the version (number) that the September 24 version / entry fixes:
“3631555 – [Windows][IE] ExternalInterface.call() does not work normally since flash player 11.8.800.168”.

Consistency please!

Reply | Quote