Locked

Flash Player Update Reminder is FUBARed

Explorer ,
Aug 20, 2018 Aug 20, 2018

Copy link to clipboard

Copied

I doubt it makes any difference, but this occurred on a Windows 64 bit machine, fully updated and probably more secure than the vast majority of end-users. Flash is what ever the previous release is before current, because I haven't updated it due to the reasons listed below.

First off.. I hope some actual Adobe people read this, because I'm not here trying to vent and report bugs to the community. It took me almost a full hour to get logged in to this interminable site and FIND a contact option just to report my issues. I wouldn't be in the least bit surprising if NOBODY is reporting issues with your product(s). ..and my only CONTACT option is to bug the community. Grr..

So, just for the record, the update reminder screen really irritates the crap out of me. As mentioned in another thread, there is no 'remind me later' option. There is no minimize button. It is unresponsive. It stays on top, blocking other warnings, windows and pop-ups at start up.

Ok.. listen, Adobe Flash may be -A- security concern, but it is not ALL of the security concerns. It is also not as important as any mission critical concerns that people and businesses may have. So.. KNOCK IT OFF!!

Adobe Flash Update needs to use a pop-up reminder, like everybody else, then politely wait in the Notification tray.. like everybody else. Set up a notification that pops up every three hours if you want to nag people, but do NOT block their entire start-up routine!! I'm currently working on a military grade laptop, I booted up the machine and Flash Update locked up and blocked me from initiating my hardware security devices, along with doing anything else useful, or paying attention to any other notifications!

I listed a few specific issues above that need to be addressed, but I can tell you precisely what happened to me. The notification window, opened, so I clicked the 'download' button, and it just sat there. About five seconds later, I clicked it again, and nothing. Five seconds went by again.. so I clicked it a bunch of times. Nothing happened. Then I clicked the 'close button a bunch of times. Again, nothing happened, so I tossed my mouse and threw up my hands in disgust, unable to do anything else with it.. so I just sat there with my arms crossed.

Once it eventually decided to respond (thankfully), it popped up the prompt for the Master Password for my web browser. After I entered my master password, it attempted to open like seventeen tabs for downloading Adobe Flash.

That brings up another point.. WHY are we opening the browser when I gave you permission to download?? Is this a function specifically designed to trick people in to downloading side-apps or PUPs (Potentially Unwanted Programs)?? Because if it is, that's a security issue, and that REALLY pisses me off.

You need to get someone working on the Flash Update program. Fix whatever glitch(es) is / are causing it to be unresponsive. Turn off 'stay on top'. Add a minimize button, so I'm not forced to click the 'close' button if it's unresponsive. It IS a security concern, and personally I WANT to update it ASAP. I understand that the majority of people forget to update, so offer them a 'remind me later' function, then minimize the reminder to the Notification toolbar, and use a service to remind them every three hours. Finally, get rid of the ^%$#ing browser function that opens the browser AFTER I gave you permission to download! Rename that button to 'More Info' and give me an ACTUAL automated download button.

Grr....

Now I'm off to reboot my machine and attempt to re-enable my hardware security devices. You best hope that this issue with Flash Update isn't repeatable every time.

Views

923

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Aug 20, 2018 Aug 20, 2018

Copy link to clipboard

Copied

There is one, and ONLY one way to get a Flash update Adobe Flash Player Install for all versions

There are many, repeat MANY, false update notices on web sites... nobody should ever click on a Flash update at a web site

False but real looking popup links take people to sites where a hacked Flash is installed... which then steals information and sends it to the hackers

Report the web site to Adobe - Report abuse/phish/spam http://helpx.adobe.com/security/alertus.html

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Aug 20, 2018 Aug 20, 2018

Copy link to clipboard

Copied

Thank you John, but at no point did I mention browser pop-ups.I appreciate your comment from a security standpoint, but it has absolutely no relevance to what I mentioned above.

ACTUALLY, that is all the more reason that Flash Update should NEVER open a browser window and confuse people. It should take care of its own updates, and avoid the browser completely. The proposed 'More Info' button should simply link to a version change and known issues page, and the web based update function should be abandoned entirely.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Aug 21, 2018 Aug 21, 2018

Copy link to clipboard

Copied

Let me see if I got the important details:

  • On launch, you received the Flash Player update notification dialog
  • When you clicked Download, nothing visibly happened
    • When the startup-related CPU contention cleared, you eventually got a browser window with 17 tabs of the download page
  • You were unable to dismiss the dialog while the system was experiencing CPU contention without clicking Close
  • The dialog obscured all other content on the screen

It would be helpful to know what version of Windows we're talking about.

I think your criticism is legitimate.  I'm not a fan of the update notification dialog, or update notifications in general.  It's exactly why they're not the default behavior. 

You can enable silent, friction-free updates that ensure that you're always running the latest Flash Player by going to Control Panel > Flash Player > Updates > Allow Adobe to install Updates (Recommended). 

Beyond being a much better user experience, there's a good reason for promoting automatic updates.

What we see in practice is that attackers have been able to analyze the differences in published binaries (in our software and others across the industry) in order to understand changes (proactive security changes among them) and target unpatched clients.  That activity used to take months, but we (in the collective industry sense) see evidence of it in days now.

Back in the day, a Flash Player vulnerability was doubly problematic because not only were users vulnerable, but they would never patch, so you'd see malware exploiting the same vulnerability across a huge population for months or years after the underlying issue was fixed.  With automatic updates, we protect the vast majority of the population in 24-48 hours.

Like in immunology, herd immunity matters.  It costs bad actors some amount of time and money to develop an exploit.  By shortening the time in which that actor can utilize the exploit, we minimize the incentive for doing that work by minimizing the ROI.  For overall network health, minimizing the number of clients that are affected by an exploit makes the exploit inherently unreliable, and therefore less useful to the attacker deploying it.

So yeah, there's definitely room for improvement on the notification dialog.   In your instance, it's especially pronounced because the machine is super busy at startup.  Under normal circumstances, the dialog would be responsive and you'd just carry on with your day.

I"d really recommend avoiding the problem entirely by enabling automatic updates; however, I'd be happy to file an enhancement request on your behalf.  I'd definitely like to know what version of Windows you're using before I do that.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 17, 2018 Dec 17, 2018

Copy link to clipboard

Copied

Sorry Jeromie, I just logged in and got this notice. If the system emailed me that you replied, I must have missed it.

You've got most of the details correct, except the system wasn't locked up due to the CPU. I could change the window focus by clicking other popups.. except the stubborn update popup blocked everything and I couldn't read (or do) anything else. I could click the Win key, the menu would respond, the Task Tray (or whatever they call it this week) worked and responded.. except again, the Adobe update thing wouldn't respond at all. I imagine it was hung up waiting on some service, or a hook that would normally be available, but the high encryption stuff locked down until it was clear. I dunno.

As I recall, that machine was a Win7 64bit.. some sort of special military high encryption version. Not sure if the high encryption stuff makes any difference to the Adobe bits. I do ground up VAR stuff on various systems, The Win versions are WinXP 32/64 bit and Win7 32/64 bit. I occasionally do Win98 and Win3.11, but nobody expects current versions of flash for those. If a customer NEEDS a product verified and operational on Win8, 8.1 or 10, I simply download a VM for testing purposes. I refuse to support them myself. WAY too many layers of system nonsense bogging things down. Apparently, Microsoft agrees, because they've already started end-of-lifeing sub-versions of Win10.

I'm actually back here on a related issue. The same stupid pop-up is there, taking me to a webpage, and they've deleted the links to the full version (multibrowser) installers. ..but, that's a story for another thread.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Dec 17, 2018 Dec 17, 2018

Copy link to clipboard

Copied

Makes sense.  More of a misbehaving modal dialog thing.  I don't think that's a widespread problem (it's not on my radar at all).  If you come up with a repro case, I'd be happy to look at it and file bugs as appropriate.

I stand by my advice on automatic updates.  The update notification dialog harks back to a different time, and if it were up to me, would be retired at this point.

The update notification dialog is only guaranteed to pop within about a week-long window of the bits updating on our servers, and it only does one target (NPAPI/ActiveX/PPAPI) at a time, and is rate-limited to once per day.  If the user has multiple targets installed that are managed by our updater (as opposed to the Chrome or Windows Update conduits), then they could get update notifications daily (once per target) over a couple days.  That's sub-optimal from my perspective, but it's behaving as designed, and the behavior is maintained to continue meeting the expectations of the people that prefer it for their particular reasons.

Adobe has an actual distribution business that packages and monetizes the downloads for free products (Flash, Reader, etc.), and I don't personally have a ton of visibility into it, except to say that those things are a moving target.  That stuff happens downstream.  Most of the impetus there is around heading off unauthorized distribution, which was actually happening in a really problematic way (it produced a large contingent of installs that would never update), and at absurdly large scale.  This had material impacts for both the business, and for the herd immunity concerns I was talking about above, which is why we require and enforce the need for a valid license agreement in order to access the redistributable downloads.

If your use-case falls under the terms for acceptable use, we do provide a free redistribution license, which would give you access to a portal with a suite of installers for managed systems that might be more suitable for what you're doing.  It's good for a year, and usually takes a couple hours to get approved (I think our formal promise is 72 hours, but it's usually pretty quick).

Adobe Flash Player Distribution | Adobe

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 15, 2019 Jan 15, 2019

Copy link to clipboard

Copied

You'd have to take a quick peek at the code yourself to verify. The problem  experienced was due to the fact that the auto-updater loaded before the rest of the taskbar.. junk, so it apparently claimed priority over task manager and everything else. Fine, whatever. If it CAN take priority over the Task Manager, that's Micro$oft's fault for being idiots. I have no problem with it being on top.

My problem was that it DEMANDED to remain on top. It blocked out security dialogs and pop-ups on a fresh install. I couldn't even alt+tab to them. ..probably also Micro$oft's fault, but your pop-up needs to behave appropriately, and RELEASE 'remain on top' when security (or system) dialogs need to take priority.

I'm not overly concerned with it. The fact that it locked up was a fluke, I'm sure. The actual issue is that WHEN it locks up, end users are effectively locked out of their desktop. I just got the pop-up again today about a new update, and it didn't lock up.

My problem now is that I try to keep the (current) offline installer on my backup to do a fresh install if my OS, HD or network card crash and burn. Plus.. we live in the middle of nowhere in Colorado. We don't even have TELEPHONE service. Cell phone service depends on the weather, and we didn't even HAVE an internet provider until last year. I'm not alone. There are whole sections of the state up in the mountains with zero access. My kids computers don't have broadband access, and I've got no use on wasting the bandwidth on multiple updates of the exact same thing. I'm considering pulling my Windows Update Server out of mothballs and putting it back online, because they had a 300mb update last month. I can't be doing multiple Gigabytes of downloads on a handful of machines, because Micro$oft discourages people from programming in machine language.. because Captain Bill invented C# or C+ or whatever!

Anyway, I'm rambling. I have a handful of machines that haven't gotten their security updates for Flash since September because some numb-nuts decided to pull the current stand-alone installer off of the website, and lock it up for enterprise users only.

I'd really love to understand the lame brain decision making process involved in that one. Congress is trying to figure out how to get broadband access to the other 80% of the country.. and Adobe decides to block off their offline installer. I mean.. REALLY?? What about the rest of the developing world? where they only have a satellite uplink or dial-up for an entire region?

Baffling.

Also, I'm pretty sure that US CERT requires the offline security patches to be available anyway.

I brought all of this up in my other post. I'm just basically venting at you because you seem to be more reasonable than the person on the other thread. Thank you for taking the time to pay attention to these issues. More and more companies are scaling back their quality control to somewhere around zero, or at absolute zero. Also baffling.

Side note: as a VAR,I can guaranty you that I COULD get the offline installer easily, but that would be dishonest. At any rate, the real issue is that you're effectively killing security updates for a broad swath of end users. HTML5 is poised to kill off Flash player anyway, the whole thing makes no sense, unless Adobe WANTS to kill off Flash..?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Advisor ,
Jan 15, 2019 Jan 15, 2019

Copy link to clipboard

Copied

in 20 years of Flash on in my everyday use of Internet I never had such kind of issue.

For sure, your computer is infected with something that is using Flash design but it's not.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 15, 2019 Jan 15, 2019

Copy link to clipboard

Copied

Um.. that was on a clean fresh install, Robert. The only thing it was infected with was OEM drivers, anti-virus, a web browser and Flash.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 15, 2019 Jan 15, 2019

Copy link to clipboard

Copied

..kindly scratch off the word 'stand-alone' and fill in 'offline' above. I forgot that the .swf player was referred to as the stand-alone player these days.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jan 15, 2019 Jan 15, 2019

Copy link to clipboard

Copied

LATEST

Unfortunately, there's not really anything actionable here, or I'd be all over it.  If you can get me something that reproduces and that I can debug (like a VM snapshot), I'd be more than happy to look into it.  We wouldn't find it acceptable to ship a build that resulted in unusable scenarios like you're describing.  If we were seeing it in our own testing or in a large population in the field, we'd be in full emergency mode already.  That is not the case.

In all seriousness, I usually start digging for clues when I see 2-3 people in a day that start describing similar symptoms that sound new.  If this was happening in numbers, it would be on my radar in a prominent way.

I'm always reluctant to say "its you, not us", but I'm pretty confident that there's not a large cohort of people seeing non-dismissible modal dialogs during update or installation.  This thread would have three pages of "me too" replies already, our enterprise customers would be blowing up my inbox, and I'd see it in the Windows crash telemetry when people started killing the task constantly.  That happens for issues that are invisible to most people.  None of those indicators are present, and I've *never* seen or heard anyone complain about this set of symptoms on the test team, and I'm ~12 years into working on this product at this point.

I totally believe that it happens for you and that you're seeing it, but it's at the intersection of some number of conditions that we haven't identified and can't reproduce in a way that allows us to examine the contributing factors.  Without that understanding, I can't do any of the meaningful engineering that might result in a fix.

It wouldn't totally surprise me if this happened on clean install of Windows in an Enterprise environment after custom Group Policy Objects were applied.  You have a ton of control with GPOs, and it's definitely possible to crank down access in ways that might cause us to fail unexpectedly.  Usually that manifests in Flash just not working, but its really dependent on what and how you lock down the machine.

If it's happening on a regular consumer install of Win7, it seems like some flukey thing or that there's an underlying hardware issue.  A flaky stick of RAM can produce all kinds of weirdness, and isn't necessarily easy to diagnose.  The bottom line is that I can't say anything meaningful without hard data to examine.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines