I have a customer base that connects to vCloud Director. Since the release of 27.0.0.170 we are receiving "Shockwave Flash has crashed".
All browsers / All Windows OS (7 & 10)
Reverting to version 27.0.0.159 fixes the issue.
[moderator: Added 'VMWare' to title to aid other users who are having the same issue in finding this topic]
Thanks, and sorry for the inconvenience. We're aware of the issue and are investigating to see if we can provide some relief.
For background, to address the security issue discovered in the wild that prompted this release [1], we more tightly enforce rules in the initial validation of the SWF bytecode. For some reason, the SWF that VMWare uses is failing those validation checks.
This has always been the case, but we weren't treating the validation failure as fatal, and would apply some more nuanced heuristics. We're now aborting immediately at the validation failure to ensure that we're addressing the entire set of possible related issues.
It's not immediately clear why it happens to be this particular SWF, but it's old, and there's the possibility that a compiler bug or third-party toolchain created some invalid bytecode that wouldn't normally exist in an equivalent SWF compiled from a newer toolchain.
We're now looking to see if we can be a little more surgical and allow this content to run normally again, now that we've made it through the immediate priority of addressing the vulnerability being abused in the wild. We'll be happy to update the thread as we have new information about the availability of a fix, etc. In the meantime, we'd strongly recommend using Flash Player 27.0.0.170 for general browsing, and keeping a dedicated VM or browser with Flash Player 27.0.0.156 for the specific task of accessing this content.
[1] Adobe Security Bulletin APSB17-32 - https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
Thank you very much. Is there a timeline for an updated release that handles the validation for VMWare?
Without a fix committed and tested, any guess I gave you about when the patch would land wouldn't be very meaningful. The target would be to drop something as soon as possible in a beta as pain relief and shoot for November's patch Tuesday as the mainstream release vehicle, but the most important thing is that we maintain the integrity of the mitigation we've deployed for the security issue.
I am one of the UI managers at VMware. How can we help you with this? Can we instrument our code or do anything else to help isolate the issue?
Thanks for reaching out! I think we're actually okay at this point.
We checked in a candidate fix late yesterday. The builds ran overnight, so we'll start evaluating them today. Assuming that both the functional fix and original security mitigation pass muster (I'm fairly confident they will), it should land in a beta early next week. We have some external operational constraints that preclude doing a drop sooner.
In terms of what happened, there's a Java-style idiom that you use (presumably for library versioning) that uses undefined functions (i.e. functions with blank bodies) that are called repeatedly. When compiled, this resulted in bytecode that was getting flagged. We've been able to safely make affordances for it. This approach seems to be pretty rare (the number of distinct SWFs impacted appears to be very small at this point), but whenever we ding a relatively obscure edge case like this, it's invariably an important enterprise application that breaks.
Hi,
How do you revert to version 27.0.0.159 when I don't have it? I uninstalled and reinstalled Flash but it doesn't help.
Also, looking at this workaround, "Shockwave Flash crashes with vSphere Web Client 6.x (2151945)" (VMware KB), didn't help; same issue.
I can't wait until November to see if something works.
Thank you
The archived versions can be found at https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
Thanks upn0rth. I downloaded it. Uninstalled the current version, rebooted and installed 27.0.0.159 and it worked again in Chrome.
Like madmax, we too are not in a position to wait for November. We have 2000 users unable to access their vApps + VM consoles through vCloud Director right now. Downgrading flash to the vulnerable version in our enterprise is not an option.
Has this issue been assigned a bug in https://tracker.adobe.com?
A comment on the Chrome bug references this Adobe bug FP-4198653...
I can confirm that 27.0.0.180 allows access to vCloud. The install was downloaded from Adobe Flash Player 27 Beta page.
Download Adobe Flash Player 27 Beta for Desktops - Adobe Labs
Interesting. Its release notes state:
Known Issues
Oct 17, 2017
Flash Player Flashplayer quits unexpectedly when logging into VCD (Virtual Cloud) Portal(FP-4198649)
27.0.0.180 fixes the vCloud/vSphere crash and is now available from the labs page link, posted in comment #11
I don't see any 27.0.0.180 in that web page in comment #1. It shows 170, which is the one causing all the trouble:
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
27.0.0.180 is a beta release, which fixes the VMWare crashing issue. Since it's a beta release, it's not listed on the security bulletin page.
@m_vargas Any idea when 27.0.0.180 is going to go from beta to production? We don't really want to uninstall 170 and then install a beta product; I would rather keep it production and just get a new build for production release. Do you have an ETA?
We're aiming for an update posted to adobe.com on Wednesday, barring unforeseen issues between now and then. We can't speak to when Google (Chrome) or Microsoft (Win8.x/10 for IE/Edge) would release the update.
Does it also fix the same problem with the VMware vCenter Flash client?
I can confirm, beta version 27.0.0.180 fixed this problem for vCenter web client in Chrome. (Windows 7)
I have MS Windows 10 Pro.
When I try to install Adobe Flash Player 27.0.0.180 (beta) for Internet Explorer (ActiveX) I get the error:
It's about me having the latest version of Adobe Flash Player in my IE...
Microsoft embeds Flash Player in IE and Edge on Windows 10; as such, the standalone installer does not work, and all Flash Player updates for IE/Edge are released by Microsoft via Windows Update. You'll need to use a different browser until this fix is in the release channel and Microsoft releases the update.
Thanks for the answer, m_vargas.
But what is this distribution made for?
That's for Windows 7 and below.
I thought there was a comment on the labs page about the ActiveX Control being for Windows 7 and below, but don't see it. I have submitted a query to the folks who maintain that page.
Correct. And unless you have Firefox installed, you don't need Flash ActiveX nor the (Flash plugin for Firefox) starting from Windows 8.1.