Newsletter Archives

  • Today’s the day – Flash EOL has arrived

    Back in 2017, Adobe announced it was “planning to end-of-life Flash”. Yes, this has been posted about before… Well, the time has now come. Pop-ups have been appearing for a while now on machines that still use it.

    If you have questions about what happens next, Adobe has a page full of questions and answers here.

    If you’re looking for articles on how to uninstall, check out Martin Brinkmann’s ghacks post.

    (and yes, only half the world is having New Year’s Eve already – Happy New Year to all)

  • About that Flash-zapping patch, KB 4577586? One leeetle problem. It doesn’t remove Flash.

    Earlier today Microsoft released KB 4577586, the “Update for the removal of Adobe Flash Player: October 27, 2020.” As Susan notes in the entry below, it’s only available if you manually download and install it from the Microsoft Catalog.

    Now comes word from Lawrence Abrams at BleepingComputer that the patch doesn’t do anything of the sort:

    In our tests, though, Adobe Flash Player remained installed after installing the update… When we checked the Adobe Flash Player component in Microsoft Edge, it was still installed after installing the update.

    Let’s hear it for Microsoft’s testers – the unpaid ones, at least.


  • Out of band update for Adobe Flash Player Nov. 19, 2018

    Adobe Security Bulletin APSB18-44, dated November 20, 2018, is rated Priority 1.
    Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.

    Microsoft has issued an out-of-band patch for Flash Player on Nov. 20th. KB 4477029, 2018-11 Security Update for Adobe Flash Player Windows 8.1 and Windows 10 based systems, is available through Windows Update and the MS Catalog.

    For those using Windows 7, Vista, and XP,  MacOS X, or Linux, Flash Player version can be downloaded from

    Thx  @Lars220

  • How to remove the built-in version of Flash in Win10 and 8.1

    An interesting contribution from @ch100:

    Warning!!! Only for advanced users and for those accepting a certain degree of risk if they don’t understand the procedure and don’t follow it correctly.

    Optional first step

    Disable Adobe Flash in Internet Explorer and Edge. This is not mandatory, but would make the clean procedure below even cleaner, although it has only cosmetic relevance.

    Main procedure

    Step 1. Log into Windows with an administrator account

    Step 2. Verify your version of the Flash components.

    Under C:\Windows\servicing\Packages, check for

    Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~<version number>

    Adobe-Flash-For-Windows-WOW64-Package~31bf3856ad364e35~amd64~~<version number>

    Adobe-Flash-For-Windows-onecoreuap-Package~31bf3856ad364e35~amd64~~<version number>

    The version number for Adobe Flash packages on Windows 10 1803 is 10.0.17134.1. It’s different on other versions of Windows 10.

    There are additional packages referring to Language Packs installed on the system, but we are not concerned with them now, as they will be removed at the same time as the main packages.

    Do nothing with those language packages (e.g. those flagged as en-us or other variations), but monitor for them to disappear from the folder when the uninstall is complete.

    The screenshots below are from Windows 10 1803, but the procedure is relevant for all Windows 10 (and for Windows 8.1, although not tested).

    Step 3. Type regedit in the search box and start the Registry Editor.

    Step 4. Give your machine full control over the requisite keys.

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

    Right click on each of:

    Adobe-Flash-For-Windows-onecoreuap-Package~31bf3856ad364e35~amd64~~<version number>

    Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~<version number>

    Adobe-Flash-For-Windows-WOW64-Package~31bf3856ad364e35~amd64~~<version number>

    For each of those keys:

    4a. Right-click on the key name and choose Permissions. Give Administrators Full Control (screenshot) and click OK.

    4b. Back in the main Regedit screen, on the right, change the Visibility value from 2 to 1.

    4c. Still on the main Regedit screen, delete the subkey called Owners.

    See the before and after shots for Steps 4b and 4c.



    Step 5. Open a command prompt, Run As Administrator

    dism /online /remove-package /packagename:Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~10.0.17134.1

    dism /online /remove-package /packagename:Adobe-Flash-For-Windows-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1

    dism /online /remove-package /packagename:Adobe-Flash-For-Windows-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.17134.1

    Step 6. You’re done. No more Adobe Flash in registry and under the Packages folder. Everything is also gone from:



    All that’s left is any copy of Adobe Flash that you’ve installed manually, most frequently as a plugin for Firefox. Manually installed Adobe Flash can be uninstalled as per normal procedure, from Programs and Features.
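
    A read-only check to run before step 4 and again after step 6, added here as an example (it is not part of @ch100's procedure). It reports the Visibility value and Owners subkey for each Flash package key, counts the manifests left in the servicing folder, and prints the step 5 commands with this machine's version number filled in. The function name and the assumed package identity layout (Name~PublicKeyToken~Arch~Language~Version, inferred from the names above) are assumptions.

```powershell
# Added example: read-only audit; it changes nothing. Run from an elevated PowerShell prompt.
$cbsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$pkgDir  = Join-Path $env:windir 'servicing\Packages'
$pattern = 'Adobe-Flash-For-Windows-*'

function Get-FlashPackageAudit {
    # One row per matching registry key, with the settings that steps 4b and 4c change.
    Get-ChildItem -Path $cbsKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -like $pattern } |
        ForEach-Object {
            # Assumed identity layout: Name~PublicKeyToken~Arch~Language~Version
            $parts = $_.PSChildName -split '~'
            [pscustomobject]@{
                Package      = $_.PSChildName
                Language     = $parts[3]   # empty for the three main packages
                Version      = $parts[4]
                Visibility   = $_.GetValue('Visibility')
                HasOwnersKey = $_.GetSubKeyNames() -contains 'Owners'
            }
        }
}

$audit = @(Get-FlashPackageAudit)
if ($audit.Count -eq 0) {
    Write-Output 'No Adobe-Flash-For-Windows keys under Component Based Servicing\Packages.'
} else {
    $audit | Sort-Object Package | Format-Table -AutoSize
}

# Step 2 / step 6 check: manifests still present in the servicing folder.
$files = @(Get-ChildItem -Path $pkgDir -Filter $pattern -ErrorAction SilentlyContinue)
Write-Output ("{0} Flash manifest file(s) in {1}" -f $files.Count, $pkgDir)

# What DISM itself reports for the same packages.
Get-WindowsPackage -Online |
    Where-Object { $_.PackageName -like $pattern } |
    Select-Object PackageName, PackageState

# Print (not run) the step 5 commands for the main packages on this machine.
$audit | Where-Object { -not $_.Language } | ForEach-Object {
    "dism /online /remove-package /packagename:$($_.Package)"
}
```

    After a successful removal the table is empty, the manifest count is 0, and Get-WindowsPackage lists no Flash packages.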

  • Patch Lady – Flash update out on June 7th

    Be aware that today a Flash update has been released. For those of you on Windows 7, you will need to either look for a prompt or go to the Adobe Flash page for your update. For those on 10 and 8.1, you get your update from Microsoft.

    Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

    Generally speaking, it’s wise to ensure these Flash updates are installed as soon as possible. Kirsty’s got the links for you here:


  • Adobe Flash patch KB 4074595 pushed out the Windows Update chute

    Doncha just love Flash?

    A few hours ago, Microsoft pushed the first round of February 2018 patches. The KB 4074595 patch fixes two security holes in Adobe Flash Player, CVE-2018-4877 and CVE-2018-4878.

    Microsoft has a few details in Security Advisory ADV180004.

    Adobe’s Security Bulletin APSB18-03 says:

    Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash content distributed via email.

    Adobe goes on to say it’s a remote code execution hole. Critical Priority 1. Impacts and earlier versions (February 6, 2018). New version is

    Adobe’s version checker is here.

    Microsoft’s patches are for Windows 8.1 and Win10, all versions. All of those versions need to have Internet Explorer (and, in the case of Win10, Edge) fixed to plug the holes in the embedded versions of Flash.

    Adobe’s patches cover everything other than IE 11 and Edge. Chrome is fixed automatically, by default, when you re-start Chrome.

    Liam Tung at ZDNet reports:

    Researchers at Cisco Talos said hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool.

    Cisco researchers found Group 123’s Excel sheets contained an ActiveX object that was a malicious Flash file that downloaded ROKRAT from a compromised web server. Notably, it was the first time this group has been seen using a zero-day exploit, suggesting the targets were carefully selected and high value.

    FireEye, which calls Group 123 TEMP.Reaper, said it had observed the group interacting with their command-and-control infrastructure from North Korean IP addresses. Most of the group’s targets were South Korean government, military and defense industry organizations, it said.

    If you haven’t yet disabled Flash, now would be a very good time to do so. Chris Hoffman at How-to-Geek has detailed instructions. If you absolutely have to have Flash, restrict it to one browser — I use Chrome to do the dirty deed — and only use it manually, under duress.

    If you can’t or won’t throttle Flash, get the update applied. Yet another Patch Wednesday.

    Thx CAR, Günter Born.

  • Recently updated topics you may have missed

    It’s possible you may have missed recent security updates that have been made to Chrome, Firefox, Thunderbird, Java and Flash Player. The following topics have now been updated with the US-CERT alerts, with links:

    Chrome Security Update: US-CERT (Browser)

    Mozilla Security Update: US-CERT (Firefox)

    Mozilla Security Update: US-CERT (Thunderbird)

    Oracle Security Update: US-CERT (Java etc)

    1000002: Links to Flash update resources

    Subscribers to those topics should have received emails with details of the new posts. However, we have had some reports that some people are currently not receiving those emails. If your subscription emails aren’t working, please let us know.

    Also updated recently is AKB3000005: On the subject of Botnets, which was posted last month, but promptly disappeared in a backup-reset of the site.

  • Adobe Flash player security update is out

    A week late, but what the heck. APSB17-32.

    Details on the Adobe site.

  • Flash patches for Internet Explorer and Edge due today

    Many thanks to those of you who sent me copies of the email Microsoft distributed yesterday.

    This is going to be interesting.

    InfoWorld Woody on Windows

  • The latest on disabling Flash

    I received an email from a reader who asked me about all the talk about Flash. He pointed out the fact that there are more than 400 mentions of Flash on this site. What, he wanted to know, is the latest status of Flash – what’s the best way to disable it, and if you must use it, which browser should have it enabled?

    The question takes on greater urgency when you recall that Microsoft hasn’t yet updated Internet Explorer or Edge for the latest bunch of Flash fixes. Adobe posted fixes last Tuesday. Microsoft hasn’t released any fixes this month, so those fixed holes still affect IE and Edge.

    What say ye? What’s the best recommendation for Flash, given the current state of affairs?

  • Updates from Adobe

    This just in from ER –

    I read these recent Adobe security bulletins for January 2017 that mention new Flash Player and Acrobat Reader security updates.

    Adobe security bulletin APSB17-01 features new updates for Acrobat & Acrobat Reader:

    Adobe security bulletin APSB17-02 features new updates for Flash Player 24 and a bonus for Linux users: they can finally update to the new version 24 of Flash, since Adobe had been issuing Flash Player 11.2 security updates to Linux users for several years.

  • What’s really happening with Flash in the latest version of Chrome

    No matter what you may have read, the latest version of Chrome doesn’t block Flash. But it does put another much-deserved nail in Flash’s coffin.

    InfoWorld Woody on Windows