Last year, all security bulletins on Adobe Flash Player security issues contained information on NPAPI, PPAPI and ActiveX for the Windows platform. But now in all bulletins only PPAPI (Flash Player for Google Chrome) and ActiveX (Flash Player for IE/Edge) are mentioned as vulnerable. Can you tell whether Flash Player NPAPI is also vulnerable to the issues mentioned, for example, here (Adobe Security Bulletin) and to other CVEs created this year?
I'm not sure why the change was made; however, while NPAPI is not specifically called out, it is implied since the NPAPI plugin is supported on Windows, Mac, and Linux. The following table is excerpted from the Adobe Security Bulletin and I've added the 4th column to describe each entry:
| Product | Version | Platform | Description |
|---|---|---|---|
| Adobe Flash Player Desktop Runtime | 220.127.116.11 and earlier | Windows, and Linux | This is referring to the ActiveX Control, NPAPI, and PPAPI plugins for Windows and Linux. Normally, Macintosh would be listed here as well. It's separate this time due to the previous versions not being the same. |
| Adobe Flash Player Desktop Runtime | 18.104.22.168 and earlier | Macintosh | This is referring to the NPAPI and PPAPI plugins for Macintosh. |
| Adobe Flash Player for Google Chrome | 22.214.171.124 and earlier | Windows, Macintosh, Linux and Chrome OS | This is referring to the PPAPI plugin Google embeds in Chrome. |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 126.96.36.199 and earlier | Windows 10 and 8.1 | This is referring to the ActiveX Control Microsoft embeds in Internet Explorer and Edge. |
Hope this helps clarify the information.
The Security Bulletin applies to all Flash Player types (ActiveX Control, NPAPI, PPAPI), so yes, NPAPI, as well as PPAPI, are vulnerable and Adobe recommends updating to the latest version for all Flash Player types.