In today's release, we've updated Flash Player with important bug fixes and security updates. Current Flash Player customers who have selected the "Allow Adobe to install updates (recommended)" update mechanism will be automatically updated to the latest version of Flash Player over the next 24 hours.
The most recent Flash Player security bulletin can be found here: Security Bulletin (APSB16-37)
Features for Flash Player 23:
Async Drawing refers to the method that the browser and Flash Player use to exchange a bitmap surface where Flash Player draws the SWF content. It is used only when the stage is composited with rest of the content in the browser window. This feature allows wmode “direct” (wmode opaque and transparent) to behave as “windowless” in hardware accelerated async drawing. It is not used in fullscreen mode, or in windowed mode where the plugin draws directly to its own window. If asynchronous drawing is unavailable for any reason, the plugin falls back to using the existing synchronous drawing model.
AsyncDrawing is supported in NPAPI Plugin on Windows desktop platforms only. It is currently available from FP version 23.0 in Firefox Nightly 51.0a1, the Firefox versions supporting the feature is yet to be announced. The choice of which Async Drawing path is used (hardware or software) depends on whether the browser supports hardware or software Async Drawing modes.
The following table describes Asynchronous drawing availability by WMODE:
Non-accelerated/Software Async Drawing
Non-accelerated/Software Async Drawing
Hardware accelerated Async drawing
To disable AsynchronousDrawing support in Firefox, go to “about:config” in the search bar of the browser and set “dom.ipc.plugins.asyncdrawing.enabled” to false.
HSTS Support in Flash Player
Beginning with Flash Player 23, we have introduced support for HSTS (HTTP Strict Transport Security). HSTS is an IETF standard, which enforces user agents (browsers) to use HTTPS for communication instead of HTTP. HTTPS response may have a Strict-Transport-Security(STS) header field that requests the user agent to make further requests in HTTPS. Flash Player will now acknowledge the STS header in HTTPS response.
This will be particularly helpful when a SWF calls another SWF (child SWF) that is present in HSTS enabled server. Flash Player will acknowledge the STS header in the response and further request to the same domain will always be HTTPS. This feature will be helpful in mitigating protocol hijacking attacks and cookie hijacking.
Disabling local-with-filesystem access in Flash Player by default
Beginning with Flash Player 23, local-with-network permissions will now be applied to all local SWF content, regardless of the preference chosen at compile time.
When playing Flash (SWF) content from local filesystem, developers have historically been able to configure content to exclusively read from the filesystem, or communicate to the network. When this functionality was introduced over a decade ago, it enabled an interesting array of use-cases ranging from simple games to interactive kiosks. In context of modern web security, we believe that it is time to retire local filesystem functionality in the browser plugin. At the same time, Adobe AIR has been established as a robust, mature solution for delivering ActionScript-based content as a standalone application.
Vast majority of Flash Player users and content will be unaffected by this change. This change only impacts Flash content played from the local filesystem, using the browser. Flash content hosted on the internet and local webservers, as well as the Standalone Flash Player remains unaffected.If you are a user who requires this functionality, these files can be added to the list of Trusted Locations in Flash Player.
Workarounds for Legacy Content:
We highly recommend that you only circumvent these controls to enable content from sources that they trust.
For Internet Explorer, Edge, Firefox, Opera and Safari:
On the affected system, go to the Flash Player Settings Manager:
• Mac: System Preferences > Flash Player
• Windows: Control Panel > Flash Player
Select the Advanced tab
In the Developer Tools section, click the Trusted Location Settings button
Click the "Add..." button and add relevant files and folders to the list
For Google Chrome (and similar PPAPI browsers):
Navigate to the Settings Manager page
Choose Edit Locations > Add Locations from the popup list
In the text field that appears, type or paste the file/folder path that you'd like to trust
Click the "Confirm" button
Note: Please be aware that the "Browse for files" and "Browse for folder" buttons do not function properly. You must manually type or copy/paste your path into the text field above the buttons to add the file or folder to the trusted list.
For System Administrators:
The legacy behavior can be restored by applying the EnableInsecureLocalWithFileSystem=1 flag to mms.cfg.
Video and Camera support for Stage3D by VideoTexture for Flash Player (Release)
In Flash Player 20 or earlier, use of video in Stage3D required use of the Video object, which is not hardware accelerated. It involved copying the video frame to a BitmapData object and then loading data onto the GPU, which made it CPU-intensive.
To address this limitation, Video texture object was introduced. It allows you to use hardware decoded video in Stage 3D content. Further, extending this capability in Flash Player 23 release, texture objects have been introduced to support the use of NetStream and Cameras in a manner similar to the use of StageVideo. These textures can be used as source textures in stage3D rendering pipeline. You can use them as rectangular, RGB, or no mipmap textures in rendering of a scene. They are treated as ARGB texture by the shaders which implies that the AGAL shaders do not have to bother about YUV to RGB conversion now. The shaders treat these textures as ARGB textures. This allows you to use the standard shaders with static images without any need for modification. When you render using these textures, the image that is used by the rendering pipeline is the the latest frame at that time. Though, there is no tearing in the video frame, if you use the same texture many times, some of these instances may be picked from different timestamps.
With the use of a VideoTexture object, all this work gets optimized internally - YUV to RGB conversion and texture loading can be completely moved to the GPU. See the VideoTexture devnet article for implementation details.
Note: Video Texture is an existing feature in AIR. It was introduced in AIR 17.0 version.
For complete information please see our release notes.
Stability bugs and security fixes
Resizing embedded flash video player will turn the interface black in xulrunner(4186134)
"ALT GR+0" does not return @ on french layout Keyboard(4196791)
Performance drop is observed on Firefox 49.0.2 when async drawing is enabled (4197072)
Current Flash Player users who have enrolled in the "Allow Adobe to install updates (recommended)" update mechanism will be automatically updated to Flash Player 23 over the next 24 hours.
Users who have selected "Notify me to install updates" will receive an update notification dialog within 7 days from today. Please note that Windows users will need to restart their system or log out and in to activate the update notification dialog.
Customers using Google Chrome will receive updates through the Google update mechanisms. Please note that this release is not available for ActiveX Flash Player on Windows 8.1 and Windows 10.
If you would like to install the update immediately, please use one of the links below:
Flash Player 23 Windows for Internet Explorer - ActiveX: 18.104.22.168
Flash Player 23 Windows for Firefox and other Netscape Compatible Browsers - NPAPI: 22.214.171.124
Flash Player 23 Windows for Opera and Chromium Based Browsers - PPAPI: 126.96.36.199
Flash Player 23 Windows for Google Chrome - PPAPI: 188.8.131.52
Flash Player 23 for Internet Explorer on Windows 8.1 (64-bit machine): 184.108.40.206
Flash Player 23 for Internet Explorer on Windows 8.1 (32-bit machine): 220.127.116.11
Flash Player 23 Windows for Internet Explorer and Edge on Windows 10 - ActiveX: 18.104.22.168
Flash Player 23 Mac for Safari, Firefox and other Netscape Compatible Browsers - NPAPI: 22.214.171.124
Flash Player 23 Mac for Opera 26 and Chromium Based Browsers - PPAPI: 126.96.36.199
Flash Player 23 Mac for Google Chrome - PPAPI: 188.8.131.52
Flash Player 11.2 desktop for Linux (NPAPI): 184.108.40.2064
Previous versions of Flash Player can be found on the Flash Player Archive page
If you encounter a problem with broken or missing links, please clear your browser cache and try again. If the problem persists, please create a new post in our forum or send email to firstname.lastname@example.org or email@example.com.