Why you should care about automatic updates for Flash Player

Summary: In the last six weeks, Adobe has issued three separate critical updates to Flash Player, each one in response to a serious security issue. This is why the automatic-updating feature that Adobe has included in its latest update is so important.

If it seems like you’re being asked to install a new Flash Player update every few weeks, it's not just your imagination.

After a post-holiday lull, the Flash update machine kicked back into overdrive with a February 15 update, followed by another update 18 days later and yet another 23 days later. (I’ve got a complete list of Adobe's long history of Flash Player updates at the end of this post.)

In general, each of these releases is in response to a serious security issue. Flash-based attacks are still among the most popular ways to infect PCs. A Kaspersky study from August 2011 highlighted the unfortunate role of Flash Player in the malware ecosystem:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone. Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs. [emphasis added]

This is why the automatic-updating feature that Adobe has included in the 11.2.202.228 update, released this week, is so important. If you allow people to decide whether they want to install updates or not, a nontrivial number will just say no, because it’s a hassle. They will ignore prompts and warnings. They will continue using outdated software for which one or more critical updates is available.

The only way to get consistently high update numbers is to deliver and install those updates automatically. Chrome has been very successful with auto-updates. Firefox has moved steadily in that direction as well, and Internet Explorer will begin automatic version updates this year (security updates are already delivered automatically through Windows Update).

Unless you have a foolproof alternative update strategy, you should install this update and enable this feature right away. If you want to check the current settings, open the Flash Player Settings Manager in Control Panel and go to the Advanced tab, as shown here.

(I had to click a UAC prompt to get to these settings, by the way. I recommend that you set up employees and family members with standard user accounts. If you do, they won’t be able to tinker with auto-updates.)
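
To check many PCs without opening Control Panel on each one, the same two facts (installed version and update mode) can be read from files. This is an added example, not from the original article or from Adobe. It assumes the update settings are stored as key=value lines in Flash Player's mms.cfg file under the keys AutoUpdateDisable and SilentAutoUpdateEnable, which the article does not name, and the host names and inventory are constructed.

```python
# Added example: audit one PC's Flash Player version and update mode.
# Assumption: update settings are key=value lines in mms.cfg, using the keys
# AutoUpdateDisable and SilentAutoUpdateEnable (not named in the article).

LATEST = "11.2.202.228"  # release named in the article (March 28, 2012)

def parse_version(text):
    """Turn '10.1.102.64' into (10, 1, 102, 64) so parts compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_mms_cfg(text):
    """Read key=value lines; anything without '=' is skipped."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def update_mode(cfg_text):
    """Classify update behaviour as 'disabled', 'automatic' or 'notify'."""
    cfg = parse_mms_cfg(cfg_text)
    if cfg.get("autoupdatedisable", "0") == "1":
        return "disabled"  # assumed to override the silent-update key
    if cfg.get("silentautoupdateenable", "0") == "1":
        return "automatic"
    return "notify"  # user is prompted and can say no

def audit(installed, cfg_text):
    """Return findings for one PC; an empty list means nothing to fix."""
    findings = []
    if parse_version(installed) < parse_version(LATEST):
        findings.append(f"outdated: {installed} < {LATEST}")
    mode = update_mode(cfg_text)
    if mode != "automatic":
        findings.append(f"updates are '{mode}', not automatic")
    return findings

# Constructed sample inventory: (host, installed version, mms.cfg contents)
SAMPLE = [
    ("pc-01", "11.2.202.228", "AutoUpdateDisable=0\nSilentAutoUpdateEnable=1\n"),
    ("pc-02", "11.1.102.63", "AutoUpdateDisable=1\n"),
    ("pc-03", "10.1.85.3", ""),
]

if __name__ == "__main__":
    for host, version, cfg in SAMPLE:
        print(host, audit(version, cfg) or "ok")
```

Versions are compared as numbers because a plain string comparison would rank 10.1.102.64 below 10.1.85.3. PCs that stay on the 10.x branch are always flagged here, since the article does not give the corresponding 10.x version numbers.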

If you’re not confident about Adobe’s updater, there’s a worthy alternative in Ninite Updater, which also checks for updates (security and otherwise) in other products that are frequently attacked, including Oracle Java, Adobe Acrobat, iTunes, and QuickTime. (For more details, see “My seven favorite Windows 7 utilities.”)

Thanks to Ninite Updater ($10 per PC per year), I saw this message yesterday and was able to apply all three of Adobe’s latest updates with two clicks.

Adobe Flash Player Updates - an updated list

Last October, I did a study of Adobe’s track record (How many Flash Player updates is too many?). The following list contains the most recent updates as of March 29, 2012.

Flash Player 10 was released in October 2008. I can’t find any details about updates to the 10.0 release, so my census starts with version 10.1, which was released on June 10, 2010. The primary source is this list at adobe.com.

All of the following updates are for Windows; you’ll find minor variations in version numbers and release dates if you look at other platforms, although the general timeline is the same. In addition, Adobe is still releasing updates for Flash Player version 10, so there’s a corresponding 10.x update for each of the 11.x updates in the following list.

  • Flash Player 10.1.53.64 – June 10, 2010 (10.1 initial release)
  • Flash Player 10.1.82.76 – August 10, 2010
  • Flash Player 10.1.85.3 – September 20, 2010
  • Flash Player 10.1.102.64 – November 4, 2010
  • Flash Player 10.2.152.26 – February 8, 2011 (10.2 initial release)
  • Flash Player 10.2.152.32 – March 8, 2011
  • Flash Player 10.2.153.1 – March 21, 2011
  • Flash Player 10.2.159.1 – April 17, 2011
  • Flash Player 10.3.181.14 – May 12, 2011 (10.3 initial release)
  • Flash Player 10.3.181.16 (Windows only) – May 31, 2011
  • Flash Player 10.3.181.22/23 – June 5, 2011
  • Flash Player 10.3.181.26 – June 14, 2011
  • Flash Player 10.3.181.34 – June 28, 2011
  • Flash Player 10.3.183.5 – August 9, 2011
  • Flash Player 10.3.183.7 – August 26, 2011
  • Flash Player 10.3.183.10 – September 21, 2011
  • Flash Player 11.0.1.152 – October 3, 2011 (11.0 initial release)
  • Flash Player 11.1.102.55 – November 10, 2011
  • Flash Player 11.1.102.62 – February 15, 2012
  • Flash Player 11.1.102.63 – March 5, 2012
  • Flash Player 11.2.202.228 – March 28, 2012

To repeat what I said last fall: Wow, that is indeed a lot of updates.

There have been 21 separate releases of the Flash Player for Windows in the past 22 months, since Flash Player 10.1 was officially released. There was a long gap between November 4, 2010 and February 8, 2011. Coincidentally, there was a nearly identical gap from November 10, 2011 to February 15, 2012. But the pace has picked back up.

Talkback

26 comments
  • Wonder why Apple says no to Flash?

    Now you know why.
    http404
    • huh?

      Because Adobe like to keep their products secure?
      MickCreates
    • Apple said no to Flash because...

      ...they are far too busy patching Safari. http://www.theregister.co.uk/2012/03/13/safari_5_1_4/
      techvet
    • They didn't do it for security but overhead reasons

      They didn't do it for security but overhead reasons and haven't said "No to Flash" on OS X just iOS. Even then they didn't say "No to Flash", they said "No to Browser Plugins period". Microsoft are going in the same direction.
      bradavon
      • We're talking large corporate plug-ins

        Like Java and Adobe. Mozilla will still keep their small developer plug-ins that make their browser customizable. That's the major strength of their browser and Microsoft ain't gonna dictate to them what they can do. Not without a major court fight..
        ScorpioBlack
    • Yes...

      Apple has your security at heart. Just kidding. It was to prevent flash apps on their mobile system, thereby creating a need for an app store...and massive Apple profits.
      kstap
      • Bull

        They did it because Flash was such a big resource hog it would've drained the iPad's battery time down by about 2/3rds and slowed down page loading to unacceptable levels. Even Android, which allows Flash, is having tons of issues with it.

        Having Flash on the iPad wouldn't have made any difference as far as their app store was concerned, so knock off with the FUD.
        ScorpioBlack
    • Flash runs on OS X

      It doesn't run on iOS, it sure runs on OS X.
      sjaak327
  • I'm shocked, shocked I tell you, to hear that Flash has yet another batch of

    security holes. I don't think Adobe could care less about people not installing updates, but rather their motivation here is to hide or at least obscure from the public just how many security patches they need. I doubt there's going to be any letup in the rate of security holes found in Adobe products and patches going forward. Best to just uninstall Flash, AIR, Reader, etc.
    Johnny Vegas
  • How about a list of Microsoft updates to Windows for the same period?

    Might be an interesting comparison...
    deaf_e_kate
    • Maybe ...

      One of these plays videos (Flash) and the other runs "everything under the sun" (Windows).

      What other media player has as many updates as Flash?
      Quicktime?
      WMP?
      lehnerus2000
    • Maybe Silverlight or QuickTime

      You're welcome to go count the security-related updates for Silverlight and QuickTime, both of which are in the same ballpark as Flash. Or for Java, another Runtime.

      We'll wait.
      Ed Bott
  • Ed, UAC for update?

    You said that you needed to click through a UAC prompt to get to the settings dialog. Do you also get a UAC dialog (and for standard accounts have to enter administrator username and password) when the automatic updates come in?

    My account is a non-admin account, as are all the other users on the PCs. If I need to do an admin task, I always "run as admin" and enter the username and password or if I am going to be doing a lot of admin tasks, I'll briefly log in as administrator.
    wright_is
  • Alternative to Ninite Updater

    I've been using Secunia PSI for several years now, it's free for personal use and it does a good job in reminding you when an update is needed for those that don't have any sort of auto-updating features.
    JJ_z
    • Ninite works great as well

      Ninite works great as well - in fact, I'd say it does better than PSI does most of the time. It detected a lot of updates PSI didn't detect, and was a bit more successful at installing them.

      I think PSI actually looks at a broader range of software, but it only finds security updates. Ninite installs all updates, even non-security ones.

      Personally, I'm using both now, as they seem to work together.
      CobraA1
  • Auto Updates

    Absolutely Not Going To Happen On My System & Here's A Few Reasons Why..

    01) I don't want companies who insist that their apps have to start up immediately when the system restarts to have that ability. (I have 56 tasks on start up instead of 76)
    02) The School I attend still lives in the world of XP and isn't able to keep up with the rapid changes.
    03) I need the ability to decide on which updates are required for my needs. I don't need to have updates shoved down that may break my system because it conflicts with other updates or what else is being run on my system such as when Microsoft released WinXP SP3 which broke Lenovo's ThinkVantage Software.
    04) Bandwidth issues especially with Comcast and AT&T as well as others being capped.

    And yes, I understand that updates are important and do apply them but only after I look at what they are wanting to change or fix.
    toolman30044
    • Sounds Like You Will Benefit a lot from Soluto

      Go check it out.
      MrElectrifyer
  • Wish MS would encourage and help vendors use Windows Update

    It would be nice to get all updates via the same process. Adobe and MS should be working together to make this happen.
    otaddy
    • Yea right let's have more collusion

      'taint happenin', pal... ;)
      ScorpioBlack
    • RE: Wish MS would encourage and help vendors use Windows Update

      "It would be nice to get all updates via the same process."

      Secunia has already tried this route and it was met with deaf ears. Look to the Windows 8 app store for a solution.
      Rabid Howler Monkey