Flash Player Update Reminder is FUBARed

Let me see if I got the important details:

• On launch, you received the Flash Player update notification dialog
• When you clicked Download, nothing visibly happened
  • When the startup-related CPU contention cleared, you eventually got a browser window with 17 tabs of the download page
• You were unable to dismiss the dialog while the system was experiencing CPU contention without clicking Close
• The dialog obscured all other content on the screen

It would be helpful to know what version of Windows we're talking about.

I think your criticism is legitimate.  I'm not a fan of the update notification dialog, or update notifications in general.  It's exactly why they're not the default behavior. 

You can enable silent, friction-free updates that ensure that you're always running the latest Flash Player by going to Control Panel > Flash Player > Updates > Allow Adobe to install Updates (Recommended). 

Beyond being a much better user experience, there's a good reason for promoting automatic updates.

What we see in practice is that attackers have been able to analyze the differences in published binaries (in our software and others across the industry) in order to understand changes (proactive security changes among them) and target unpatched clients.  That activity used to take months, but we (in the collective industry sense) see evidence of it in days now.

Back in the day, a Flash Player vulnerability was doubly problematic because not only were users vulnerable, but they would never patch, so you'd see malware exploiting the same vulnerability across a huge population for months or years after the underlying issue was fixed.  With automatic updates, we protect the vast majority of the population in 24-48 hours.

Like in immunology, herd immunity matters.  It costs bad actors some amount of time and money to develop an exploit.  By shortening the time in which that actor can utilize the exploit, we minimize the incentive for doing that work by minimizing the ROI.  For overall network health, minimizing the number of clients that are affected by an exploit makes the exploit inherently unreliable, and therefore less useful to the attacker deploying it.

So yeah, there's definitely room for improvement on the notification dialog.   In your instance, it's especially pronounced because the machine is super busy at startup.  Under normal circumstances, the dialog would be responsive and you'd just carry on with your day.

I"d really recommend avoiding the problem entirely by enabling automatic updates; however, I'd be happy to file an enhancement request on your behalf.  I'd definitely like to know what version of Windows you're using before I do that.

Sorry Jeromie, I just logged in and got this notice. If the system emailed me that you replied, I must have missed it.

You've got most of the details correct, except the system wasn't locked up due to the CPU. I could change the window focus by clicking other popups.. except the stubborn update popup blocked everything and I couldn't read (or do) anything else. I could click the Win key, the menu would respond, the Task Tray (or whatever they call it this week) worked and responded.. except again, the Adobe update thing wouldn't respond at all. I imagine it was hung up waiting on some service, or a hook that would normally be available, but the high encryption stuff locked down until it was clear. I dunno.

As I recall, that machine was a Win7 64bit.. some sort of special military high encryption version. Not sure if the high encryption stuff makes any difference to the Adobe bits. I do ground up VAR stuff on various systems, The Win versions are WinXP 32/64 bit and Win7 32/64 bit. I occasionally do Win98 and Win3.11, but nobody expects current versions of flash for those. If a customer NEEDS a product verified and operational on Win8, 8.1 or 10, I simply download a VM for testing purposes. I refuse to support them myself. WAY too many layers of system nonsense bogging things down. Apparently, Microsoft agrees, because they've already started end-of-lifeing sub-versions of Win10.

I'm actually back here on a related issue. The same stupid pop-up is there, taking me to a webpage, and they've deleted the links to the full version (multibrowser) installers. ..but, that's a story for another thread.

You'd have to take a quick peek at the code yourself to verify. The problem  experienced was due to the fact that the auto-updater loaded before the rest of the taskbar.. junk, so it apparently claimed priority over task manager and everything else. Fine, whatever. If it CAN take priority over the Task Manager, that's Micro$oft's fault for being idiots. I have no problem with it being on top.

My problem was that it DEMANDED to remain on top. It blocked out security dialogs and pop-ups on a fresh install. I couldn't even alt+tab to them. ..probably also Micro$oft's fault, but your pop-up needs to behave appropriately, and RELEASE 'remain on top' when security (or system) dialogs need to take priority.

I'm not overly concerned with it. The fact that it locked up was a fluke, I'm sure. The actual issue is that WHEN it locks up, end users are effectively locked out of their desktop. I just got the pop-up again today about a new update, and it didn't lock up.

My problem now is that I try to keep the (current) offline installer on my backup to do a fresh install if my OS, HD or network card crash and burn. Plus.. we live in the middle of nowhere in Colorado. We don't even have TELEPHONE service. Cell phone service depends on the weather, and we didn't even HAVE an internet provider until last year. I'm not alone. There are whole sections of the state up in the mountains with zero access. My kids computers don't have broadband access, and I've got no use on wasting the bandwidth on multiple updates of the exact same thing. I'm considering pulling my Windows Update Server out of mothballs and putting it back online, because they had a 300mb update last month. I can't be doing multiple Gigabytes of downloads on a handful of machines, because Micro$oft discourages people from programming in machine language.. because Captain Bill invented C# or C+ or whatever!

Anyway, I'm rambling. I have a handful of machines that haven't gotten their security updates for Flash since September because some numb-nuts decided to pull the current stand-alone installer off of the website, and lock it up for enterprise users only.

I'd really love to understand the lame brain decision making process involved in that one. Congress is trying to figure out how to get broadband access to the other 80% of the country.. and Adobe decides to block off their offline installer. I mean.. REALLY?? What about the rest of the developing world? where they only have a satellite uplink or dial-up for an entire region?

Baffling.

Also, I'm pretty sure that US CERT requires the offline security patches to be available anyway.

I brought all of this up in my other post. I'm just basically venting at you because you seem to be more reasonable than the person on the other thread. Thank you for taking the time to pay attention to these issues. More and more companies are scaling back their quality control to somewhere around zero, or at absolute zero. Also baffling.

Side note: as a VAR,I can guaranty you that I COULD get the offline installer easily, but that would be dishonest. At any rate, the real issue is that you're effectively killing security updates for a broad swath of end users. HTML5 is poised to kill off Flash player anyway, the whole thing makes no sense, unless Adobe WANTS to kill off Flash..?

Um.. that was on a clean fresh install, Robert. The only thing it was infected with was OEM drivers, anti-virus, a web browser and Flash.

..kindly scratch off the word 'stand-alone' and fill in 'offline' above. I forgot that the .swf player was referred to as the stand-alone player these days.

Unfortunately, there's not really anything actionable here, or I'd be all over it.  If you can get me something that reproduces and that I can debug (like a VM snapshot), I'd be more than happy to look into it.  We wouldn't find it acceptable to ship a build that resulted in unusable scenarios like you're describing.  If we were seeing it in our own testing or in a large population in the field, we'd be in full emergency mode already.  That is not the case.

In all seriousness, I usually start digging for clues when I see 2-3 people in a day that start describing similar symptoms that sound new.  If this was happening in numbers, it would be on my radar in a prominent way.

I'm always reluctant to say "its you, not us", but I'm pretty confident that there's not a large cohort of people seeing non-dismissible modal dialogs during update or installation.  This thread would have three pages of "me too" replies already, our enterprise customers would be blowing up my inbox, and I'd see it in the Windows crash telemetry when people started killing the task constantly.  That happens for issues that are invisible to most people.  None of those indicators are present, and I've *never* seen or heard anyone complain about this set of symptoms on the test team, and I'm ~12 years into working on this product at this point.

I totally believe that it happens for you and that you're seeing it, but it's at the intersection of some number of conditions that we haven't identified and can't reproduce in a way that allows us to examine the contributing factors.  Without that understanding, I can't do any of the meaningful engineering that might result in a fix.

It wouldn't totally surprise me if this happened on clean install of Windows in an Enterprise environment after custom Group Policy Objects were applied.  You have a ton of control with GPOs, and it's definitely possible to crank down access in ways that might cause us to fail unexpectedly.  Usually that manifests in Flash just not working, but its really dependent on what and how you lock down the machine.

If it's happening on a regular consumer install of Win7, it seems like some flukey thing or that there's an underlying hardware issue.  A flaky stick of RAM can produce all kinds of weirdness, and isn't necessarily easy to diagnose.  The bottom line is that I can't say anything meaningful without hard data to examine.