Posts in Category "Security"

FlashPlayerUpdateService.exe Application Error

There’s no question that after getting back from paternity leave, my highest priority was to help resolve a crash that occurred in the update service used by the new Flash Player Background Updater. Many users, including numerous readers of my blog, have reported that they get crash dialogs saying “FlashPlayerUpdateService.exe has stopped working”. I’m happy to say that we were able to resolve this issue and a fix is now available for immediate download.

I’d like to take the time to thank all of my readers and the people who reported the issue in our Flash Player installation forums. It is thanks to your detailed info that we were able to isolate and eliminate the issue.

As a reminder, if you encounter any issues with Flash Player installations, please report them in the Flash Player installation forums.

A few of you have asked me why I couldn’t forward those bug reports myself. The reason is pretty simple: I’m just one of the engineers working on this team. By reporting the issue on the forums, you will get significantly more eyes on the issue right away. We will be able to route your report directly to an engineer who is available to work on the issue. And ultimately, a fix will be available sooner. It is not because I wouldn’t want to personally work on the issue. Thanks for your understanding.

Responses to comments will be delayed

Dear Readers of my blog,

Today, I became a first-time father of a baby boy. Although this is a very exciting time in my private life, it is also a time when I will be unable to respond to your comments, questions and suggestions in a timely manner.

If you have questions or issues with Flash Player in general, please post to the Flash Player forums.
If you have questions or issues with Flash Player installers, updating mechanisms or policies around these, please post to the Flash Player installation forums.

Thank you for your understanding and I’ll make sure to get back to you as soon as possible.

Catch you on the flip side. :-)

-Stephen

Changes to Adobe Flash Player Background Updater

Since we first released the new Background Updater for Flash Player, there have been two major things that many people mentioned as having the potential for some improvement.

The first thing that many of you (as well as other blogs) mentioned was the desire to deploy Flash Player updates through this new updating mechanism on internal networks that have restricted access to the internet. A little more than a week ago, we documented how to achieve this, and the response so far has been very positive. It’s very exciting to see how many bright people out there have already implemented this, or even written scripts to automatically mirror the official Adobe backend.

The second thing that was mentioned a lot was the desire to not have the installer configure a scheduled task and service if the Background Updater wasn’t chosen as the update mechanism by the user. I’m happy to say that this has officially changed in today’s update to Flash Player 11.2. When you download and install this version, you will notice that when you select the option to be notified of updates or to disable updates, the installer will no longer install a task or a service. If you change your mind, you can always go to the Flash Player Settings Manager in the Windows Control Panel. If you select to be automatically updated, we will again install the service and the task for you.

This second point was heavily driven by your feedback on my previous blog post that introduced the Background Updater. Give yourselves a pat on the back on our behalf and thank you for sharing your thoughts with us. Well done!

IT Admin: Deploying Flash Player via Background Updater

When it came to updating Flash Player, IT administrators used to face a common problem: The users on the systems were usually regular users, but they were still prompted to update Flash Player. Since they didn’t have administrator rights, the update would always fail. This cycle repeated itself once every 7 days, on average, until the IT administrator pushed an update to Flash Player to all affected systems.

A workaround was to set AutoUpdateDisable=1 in an mms.cfg file and to push this file to all systems. The user wouldn’t be prompted to update anymore, but it didn’t make it easier to update Flash Player.

Today, I’d like to introduce a new way to update Flash Player in a corporate environment: With the introduction of Adobe’s Flash Player Background Updater, we made it easier for IT administrators to push updates to Flash Player. A detailed description is available in the Flash Player Administrator Guide. In general though, the way to do this is pretty simple. This is what you need:

  1. A server with the following configuration:
    1. Open port 80 for HTTP requests.
    2. Open port 443 for HTTPS requests.
  2. A valid SSL certificate for HTTPS access on port 443.
  3. The ability to store files on the server in an Adobe-specified folder structure.
  4. The ability to deploy mms.cfg configuration files to clients on the network.

Once these prerequisites are fulfilled, you can start mirroring the official builds from Adobe. For the latest and most up-to-date instructions on how to do this, please refer to the Flash Player Administrator Guide (p17-19).
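A lint for the client-side mms.cfg that this setup depends on, as an added example (not Adobe's code and not part of the original post). AutoUpdateDisable is the key named in the post; SilentAutoUpdateEnable and SilentAutoUpdateServerDomain are the Administrator Guide's key names, while the host names, the finding codes and the bare-host-name rule are assumptions of this example to check against the guide.

```python
import ipaddress

# Constructed sample mms.cfg; the mirror host name is made up.
SAMPLE_MMS_CFG = """\
AutoUpdateDisable=0
SilentAutoUpdateEnable=1
SilentAutoUpdateServerDomain=https://flashmirror.corp.example/updates
"""

def parse_mms_cfg(text):
    """Parse key=value lines; keys are lowercased so lookups ignore case."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit_mms_cfg(text):
    """Return a sorted list of finding codes for the update-related settings."""
    cfg = parse_mms_cfg(text)
    findings = set()
    if cfg.get("autoupdatedisable") == "1":
        # The workaround from the post: no prompts, so patching depends on IT pushes.
        findings.add("UPDATES_DISABLED")
    if cfg.get("silentautoupdateenable") != "1":
        findings.add("BACKGROUND_UPDATE_NOT_ENABLED_IN_CFG")
    domain = cfg.get("silentautoupdateserverdomain")
    if domain is not None:
        if "/" in domain or ":" in domain:
            # Assumption: the value is a bare host name, not a URL or host:port.
            findings.add("MIRROR_NOT_BARE_HOSTNAME")
        else:
            try:
                ipaddress.ip_address(domain)
                # An IP literal rarely matches the name on the mirror's certificate.
                findings.add("MIRROR_IS_IP_LITERAL")
            except ValueError:
                pass  # looks like a host name
    return sorted(findings)

if __name__ == "__main__":
    print(audit_mms_cfg(SAMPLE_MMS_CFG))
```
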

I’d like to highlight a particularly informative blog post by Tyrone Wyatt. In his post, Tyrone explains how he managed to automate the mirroring of Flash Player builds onto his internal server. I did not get a chance to test this out for myself yet, but it seems like all the right ingredients are present to make this work on virtually any network. If you need some inspiration on how to automate your mirroring of Flash Player installers, I recommend you read Tyrone’s blog post.

The fact that we added this functionality for IT administrators was due to feedback that we received on this blog. Thanks to all of you who requested this feature!

Your opinion is important to us, so don’t hesitate to add your comments in the comment section!

Adobe Flash Player Background Updater for Mac now in Beta!

After releasing Adobe Flash Player Background Updater for Windows in Flash Player 11.2 just about a week ago, I’m happy to say that we just released a beta version of the same updating mechanism for Mac.

The feedback for this feature on Windows has been predominantly positive and we are excited about all the feedback we got from the community. If you have followed the comments in my previous post, you are aware that some aspects of the updater had potential for improvement. This feedback was great and will allow us to make the product even better in the future.

Ideally, we can get this type of feedback during the beta program. Therefore, I encourage everyone to try the Background Updater on Mac and provide us with as much feedback as possible.

Here is how you can test it out:

1. Go to our Labs website

2. Download the latest beta release build for Mac (version 11.3.300.214)

3. Leave your system connected to the internet for at least one hour after the installation.

4. After approximately one hour, go to http://www.adobe.com/software/flash/about/ and verify the version of Flash Player. It should now read 11.3.300.217.

If the version still displays 11.3.300.214, try restarting your browser. The browser can keep old versions of Flash Player in memory until it is closed. A restart will guarantee that it will load Flash Player from your hard drive.

Let us know if the update was successful. You can leave feedback in the comments or in the Adobe Flash Player beta forums.

I’m excited to hear what you have to say!

Hello, Adobe Flash Player Background Updater (Windows)!

This week was another exciting week for Adobe’s Flash Player: We officially shipped Adobe Flash Player 11.2. One feature that I’m going to highlight today is one that I personally worked on: the Background Updater for Windows.

I wrote a fairly detailed DevNet article about the bits and pieces that make this updater work. It was also mentioned in Peleus Uhley’s blog post, highlighting the impact that this new updater can have on Flash Player Security.

Since the release, I have been scanning forums and reading blog posts about this feature, and I’d like to answer some of the questions that were mentioned there.

1. I’m very interested in the Background Updater, but I’m using Mac OS. When will Adobe release a Background Updater for Mac?

A Background Updater for Mac OS is currently in development and will be released in an upcoming release of Adobe Flash Player.

2. Will I ever get to see a Flash Player notification again that asks me to update Flash Player?

Yes. For new features and/or releases that require the acceptance of new terms of use, Adobe may need to notify users before an installation can be performed.

3. Why does the updater install the service and scheduled task even though I chose the option to disable updates during the installation?

If you chose to turn off all updates, the Background Updater will be turned off! If you are familiar with network analyzing tools, I encourage you to verify that there is no network traffic initiated by the Background Updater service. The scheduled task and the service are being installed in the event that you choose to enable the Background Updater at a later point. As mentioned in my DevNet article, you can do this by going to the Flash Player Settings Manager in the Windows Control Panel.

4. Yet another background updater? Isn’t that consuming a ton of resources?

I’m very happy to say: NO! By using the Windows Task Scheduler, we are able to run the Background Updater only once per hour for a few milliseconds. The Background Updater will usually launch, check if it is time to do an update check and then shut itself down. Only if an update is available will the updater stay running for a longer period of time to allow for the download to complete and the installation to start.

5. I have a third-party tool that tells me that the Background Updater is running every hour. This despite the fact that Adobe claims that after a successful update check, the next check will be deferred for 24 hours. Why?

The fact that the process starts every hour does not mean that it will perform an update check every hour. Rather, it will first check to see if it is time for the next update check. If it isn’t, it will shut itself down again after only a few milliseconds. If you are familiar with network analyzers, I encourage you to verify that there is no network traffic caused by the Background Updater in the 24 hours that the update check is deferred.

6. I have the Background Updater disabled, but the service still starts every hour. Why?

The Background Updater will launch every hour and will check if it is enabled. If it isn’t, no network traffic will ever be generated by the Background Updater and it will shut itself down after only a few milliseconds, saving valuable CPU and memory resources. This allows you to enable the Background Updater from the Flash Player Settings Manager in the Windows Control Panel at a later point without having to reinstall Flash Player.

If you have any other questions, please leave them in the comments and I’ll be happy to answer them!
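One way to act on the suggestion in answers 3, 5 and 6 and check captured traffic against the described behaviour, as an added example that is not from the original post or from Adobe. Only the process name and the 24-hour deferral come from the post; the log format, host names, session gap and tolerance are assumptions made for the example.

```python
from datetime import datetime, timedelta

UPDATER = "flashplayerupdateservice.exe"
DEFERRAL = timedelta(hours=24)        # from the FAQ: next check deferred for 24 hours
SESSION_GAP = timedelta(minutes=30)   # assumption: a check plus download is one burst
TOLERANCE = timedelta(minutes=5)      # assumption: allow for scheduler jitter

# Constructed sample log: "ISO timestamp,process image,remote host"
SAMPLE_LOG = """\
2012-04-02T09:00:04,FlashPlayerUpdateService.exe,updates.example.test
2012-04-02T09:00:09,FlashPlayerUpdateService.exe,updates.example.test
2012-04-02T10:00:03,firefox.exe,www.example.test
2012-04-02T15:00:05,FlashPlayerUpdateService.exe,updates.example.test
2012-04-03T16:00:04,FlashPlayerUpdateService.exe,updates.example.test
"""

def updater_sessions(log_text):
    """Group the updater's connections into sessions (bursts within SESSION_GAP)."""
    times = sorted(
        datetime.fromisoformat(ts)
        for ts, proc, _host in (l.split(",") for l in log_text.splitlines() if l.strip())
        if proc.strip().lower() == UPDATER
    )
    sessions = []
    for t in times:
        if sessions and t - sessions[-1][-1] <= SESSION_GAP:
            sessions[-1].append(t)
        else:
            sessions.append([t])
    return sessions

def deferral_violations(log_text, updater_enabled=True):
    """Return start times of updater sessions that contradict the documented behaviour."""
    sessions = updater_sessions(log_text)
    if not updater_enabled:
        # Disabled updater: any connection at all is unexpected.
        return [s[0] for s in sessions]
    # Enabled updater: a new session sooner than 24 hours after the previous one
    # is worth a look (it may also be a retry after a failed check).
    return [cur[0] for prev, cur in zip(sessions, sessions[1:])
            if cur[0] - prev[-1] < DEFERRAL - TOLERANCE]

if __name__ == "__main__":
    for start in deferral_violations(SAMPLE_LOG):
        print("unexpected updater traffic at", start.isoformat())
```
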

Adobe Flash Player for Firefox gets a sandbox

This week is quite an exciting one: Adobe has officially released a pre-release version of Flash Player for Firefox with a sandbox. The concept of a sandbox, or protected mode, has been around for many years, but it is fair to say that Google Chrome’s sandbox has helped make this concept better known among end-users. Another product that has successfully implemented a sandbox is Adobe Reader X: We have yet to hear about a case where an exploit was able to break out of the sandbox.

The fact that the Reader sandbox held up so far is a good indicator that the Flash Player version could hold up for some time as well. Let’s keep our fingers crossed.

A sandbox is supposed to lock an application into a restricted space so that even if a vulnerability is found in the software, it cannot be exploited to do damage on the system. So if you were to visit a website that is hosting a malicious Flash file, it will not actually be able to break out of Flash Player’s sandbox and do damage to the system. Creating a sandbox is usually achieved by dropping the application to a low-integrity process. Being low-integrity, it can’t access the system in uncontrolled ways.

Peleus Uhley wrote some very interesting blog posts on sandboxing that go into a little more technical detail:

http://blogs.adobe.com/asset/2012/02/flash-player-sandboxing-is-coming-to-firefox.html

http://blogs.adobe.com/asset/2010/12/the-year-of-the-sandbox-isnt-over-yet.html

I encourage everyone to give the pre-release a shot and try the sandbox out for yourself. If you run into any issues with Protected Mode for Flash Player, please feel free to leave your feedback in the pre-release forums.

If you are a security researcher and you have feedback that is valuable to our security minded folks at Adobe, please use one of our security notification methods.