Warning about Flash Update

Flash Player is a built-in component of IE and Edge on Windows 8 and higher.  Installation and updates are handled by Microsoft via Windows Update.  Similarly, Flash Player on Google Chrome is built into the browser and delivered via their auto-updater. 

If you also have Flash Player installed for Firefox (or other NPAPI browsers), then you would have needed to use our installers and auto-update mechanism, but you can always just open the Flash Player icon in the control planel and look at the Updates tab to check to see if you need an update, and install it.

The reality is that the technical hurdles that need to be overcome in order for attackers to install malware on modern browsers and operating systems is very high.  It's much easier to attack the human in the system and coax them into installing something malicious on their behalf.  

Please, always download Flash Player from https://get.adobe.com/flashplayer and ignore prompts on webpages to download updates, particularly on Edge, where there isn't a legitimate installer available.  If you don't have Windows Update set to automatically apply updates, then you might need to check for and apply updates manually. 

It's just way more likely that either you need to activate Flash in the browser (see: https://helpx.adobe.com/flash-player.html) because it's being blocked by default, or you're running into something sketchy.

ATT: jeromiec83223024

Thank you. This is very helpful. One question though. I checked the updates tab and it is set to “Allow Adobe to Install Updates and is NPAPI version 32.0.0.414 and PPAPI version 32.0.0.387.  I clicked on “Check now” and the chart says Windows Edge 32.0.0.387  Firefox 32.0.0.5414   chrome 32.0.0.414. Seems to indicate that I’m up to date. NEW QUESTION: Based on my settings should updates be installed without asking me to take action? Also, the download link I received took me to (based on saved screen shots)  https://get3.adobe.com/flashplayer/update/ppapi/ After clicking to download, while showing initializing bar, it went to https://get3.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI &os=Windows%2010&browser_type=KHTML&browser_dist=Chrome&d=McAfee_Security_Scan_... (apparently cut off) and then I got the alert in Edge.  I copied the first URL into Firefox and downloaded it there with Norton saying it was safe.

As a double check, I pasted the URL you provided into Firefox and downloaded – it was at https://get.adobe.com/flashplayer/download/?installer=FP_32_for_Firefox_-_NPAPI&os=Windows%2010&brow...  I note that this URL differs from the one I got in Edge. (I don’t recall if I remembered to cancel the McAfee.) I then tried the previously copied and pasted URL  https://get3.adobe.com/flashplayer/update/ppapi/  and got to https://get3.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI&os=Windo...  This seems to be identical to what I got in Edge (allowing for the cut off in the screen print) and differs a bit from the one I got using your URL, but not sure if that’s because it was taken from Edge which uses a different version than Firefox. Norton flags it as safe.  Can you clarify?

I then tried your URL in Edge (and this time know I declined McAfee) and got to  https://get.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI&os=Window...  

It's a bit confusing for me, but I sense that there are some differences between Edger and Firefox URLs possibly because of the different versions. The one thing I do note, however, is that when I use your URL, I don’t get the number “3” after “get”, but I don’t know it’s significance. However, I once again checked the download as I did it and Norton declares it safe.

Flash Player installer files usually have same file name from one release to another.  One difference would be the major version number included in the file name, however, Adobe hasn't incremented Flash Player's major version number in quite a while, so it's normally the same file name.

I kind of have to question that. I have never had it pop up and ask if I wanted to replace the old file before. Either way, I won't ever do an update except off the webpage from now on...short time or not.

This is FYI information that may be helpful. No need for comments unless you know something to the contrary. I decided to contact Norton to inquire as to whether I might have any malware or virus that wasn’t being detected (on the possibility that they had not been aware of it and so it wasn’t blocked or found on scans). I was advised that if my program shows “Protected” I am “clean” and if not, it would say “At risk” and advise to “fix it”. When I raised the concern that it might be a program that was not in their system, the technician guided me to my control panel to check the programs. Nothing installed since about August (when the issue first arose) was in the list with a few exceptions that seemed logical (e.g. Microsoft Updates and a handful of other programs I have. The technician said that virus and malware are programs and thus would appear in the listing. I did however note that there was an Adobe Flash for June 2020 (per Adobe site, last update) and another for August – I neglected to ask why both showed – I’m now going to try to check this out on the Internet, but if anyone knows anything about this, a relevant comment would be appreciated. One interesting point of note. Avoiding too much detail, I went back to the listing so I could view it in more detail and had a different view – couldn’t see install dates and unable to change back. Contacted Norton and they did a screen share – OF NOTE ISTHAT Edge flagged the program as possibly harmful to my computer. So, it appears that Edge may flag any non-MS product as possibly harmful.

Screenshots are always helpful when talking about particular messages or warnings, but I'm pretty sure that Edge tells you that anything you download that's executable (like an installer) is potentially harmful.  It's the generic "caveat emptor" warning.  Make sure you really, really trust the source of that executable.  It's valid advice, and one of the reasons that we promote automatic updates so heavily. 

The meta issue here is that as an industry, we've made it pretty hard for malicious actors to actually install software without your express consent.  It's a large part of why we plug automatic updates so hard.  Humans are now the weak link in the chain.  It's easier for an attacker to trick you into installing malware on their behalf than it is to install it themselves, plus it's generally better ROI.  

Along those lines, Google Chrome (on Mac/Win/Linux) and Microsoft Edge (and IE) on Win8+ both include Flash Player as a built-in component.  The updates are distributed through the browser's built-in update mechanism.  There's nothing to download or install.  That doesn't stop bad actors (and poorly maintained websites) from recommending that you download and install updates from time to time, but where notices come from content on the web, we don't really have any control. 

Also, just to clarify the confusion about why you're seeing different downloads, there are a couple flavors of browser plug-in interfaces: NPAPI (Netscape Plug-In Application Programming Interface), PPAPI (Pepper Plug-in API) and ActiveX (Microsoft).  Depending on the lineage of the given browser, they use one of the three major plug-in interfaces.  Each one of those interfaces requires a completely different Flash Player, which targets the individual API required.  So, it's totally plausible that you might have up to three instances of Flash Player, and Google Chrome actually keeps it's own installation of Flash Player sequestered from the rest of the system, and maintains an independent set of preferences.

Also, to make things even more confusing, there's a "New" Edge, and a "Legacy" Edge.  The Legacy Edge was built off the Internet Explorer codebase.  The New Edge is built off the Chromium codebase (the open-source flavor underlying Google Chrome).  So, the old Edge uses the ActiveX Flash Player, but the new Edge uses the PPAPI Flash Player, except when you launch a page in the IE Compatibility Mode inside the New Edge, at which point it uses the ActiveX Flash Player.  It's pretty confusing.  We exist in the middle of a large, complex, dynamic ecosystem that is getting increasingly more fragmented and complex.  It's pretty messy.

The actual distribution of Flash Player to consumers happens via the Adobe Product Download Center.  Although Flash Player is free to use, it's expensive to distribute and maintain.  There are cost-recovery mechanisms in the distrubtion pipeline that include bundled offers and promotions, which vary by language, region, etc.   The "shim" installers that you download initially have small filename variations that consider those factors, but I don't work on the distribution business and it's opaque to me.  The moral of the story is that the filenames don't convey any useful information.  Anyone can name a file anything.

If you're really worried about whether or not a file is legitimate, there are cryptographic mechansims built into the software distribution ecosystem.  The math gets deep quickly, but basically there's a trusted authority that issues keys to developers, with which they can sign applications.  When a binary is signed, that signature says "a.) this software came from me", and "b.) the binary file that I signed has not been modified".  More succinctly, code-signing guarantees integrity and non-repudiation.  

The only truly meaningful guarantee about "is this thing legit?" is the digital signature.  The operating system is transparently validating that to make sure that the signature is valid and that the file has not been modified.  It will pop a warning if something doesn't match, but it doesn't necessarily know that a binary should come from a specific company.  It's just confirming "was this file signed by someone with a valid code-signing certificate".  It's a good check, but you can go further manually, to confirm "did this file get signed by the valid code signing certificate issued to Adobe, Inc". 

As you can imagine, those keys are super important.  On our end, there's a whole mess of technology involved to insure that they can't be stolen (and there are mechanisms built into the code-signing ecosystem that handle revocation in the event that happens), and that only official builds created from secure build systems by authorized users can be signed, and that anything signed is recorded with a robust audit trail.

So, if you want to validate that the binaries are legit and came from us, check the digital signature. 

This is a decent guide: 
https://www.thewindowsclub.com/verify-digital-signature-programs-windows

or if you want authoritative sources: 

https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature

Clearly, that's more than the average user is going to undertake, which is why we push automatic updates so hard across the industry.  It's straighforward for us to build guarded update publication pipelines that utilize cryptographic technology and strict access controls to ensure that you're never going to encounter something that isn't legitimate and well-vetted.

So, the short answer to all of this is:

• Enable Automatic Updates in Control Panel > Flash Player
  • This covers all the browsers that don't bundle a Flash Player automatically, and ensures that Flash stays patched quickly in the event that we ship an urgent security update.
    
    
• Enable Automatic Updates for Windows Update
  • This ensures that all the browser, operating system and Flash patches for IE and Legacy Edge get installed and are updated quickly in the event that a high priority security update gets shipped by Microsoft via Windows Update.
    
    
• Ensure Automatic Updates are enabled on Google Chrome
  • Unless you actively went in and disabled them, automatic updates are the default.
  • You can confirm that Flash is up-to-date by going to chrome://components and hitting Check for Updates, but my experience with the aggregate population is that this just works... 
• Ignore anything on a web page or popup that tells you to update
  • If the message about updating Flash is innocent, it's probably because the browser is actively blocking Flash, and the website assumes that you just don't have Flash installed (this was a reasonable assumption from 2000 up until about 2017).  
    • We keep a list of how to enable Flash Player in supported browsers here:
      https://helpx.adobe.com/flash-player.html
    • Just checking to make sure Flash is enabled is the only thing we'd recommend that you do when prompted to update by a webpage.
  • If the message is malicous, you just avoided a big headache, and if you can't get a website to work, it's probably better to walk away than risk it.  You can always shoot a note to the site admins if it's super important that you access that content.