Warning about Flash Update

Community Beginner, Aug 16, 2020

Received notice of Update to Adobe Flash. Downloaded in Edge and then had warning that this may harm PC. No issue when downloaded in Firefox and Norton then flags as safe. Microsoft help says Edge flags some third party apps with this warning if they meet certain (unspecified) criteria. MS says I can still decide to accept it, but how is a casual user (like myself) supposed to decide if safe or not safe when this alert appears? Also, can anyone say if downloading with one browser is "for the use and benefit of" the entire PC or is it browser specific? I couldn't get an answer from MS support as to this question.

Most Valuable Participant, Aug 16, 2020

1. Flash is nearly dead, it is going away at the end of this year. If you can, uninstall it now from the browsers where it can be removed (not IE or Edge).

2. There may be different Flash Players for different browsers.

3. CRUCIAL: most update notices are fake; they are attacks trying to get you to download malware. Sounds like Edge caught it (indeed, Edge is locked by Microsoft and downloading a REAL update is impossible!).

If you must update go to http://get.adobe.com/flash

If you fell for a fake, suggest you wipe your machine and restore from a full system backup taken before then.

Community Beginner, Aug 17, 2020

Thank you for the info. Although I appreciate your comments and suspect that you know much more about these things than I, I have pretty good reason to believe that this was a legitimate update. My reasons are as follows:

(1) I recall this problem happening several weeks ago and I now see there was an update in June (that's probably about the time I first saw this).

(2) The update notice resembled the ones I've typically received in the past with which I had no difficulty on my old PC with Windows 7.

(3) At the previous time, and again the other day (not knowing if this might be a new update), I used Firefox and my Norton program flagged it as safe each time.

(4) Several full system scans including one just now have been negative except for low risk tracking cookies.

(5) Microsoft agent - although I'm not always convinced that IT staff whose primary language is not English always understand the issue or explain things clearly - informs me that MS Edge is designed to flag third party downloads as possibly harmful (although the first time around the agent took "control" of my PC and allegedly "fixed" the problem. Another reason why I'm never sure that they fully understand the problem.)

(6) I seem to recall that MS Edge flagged another valid download as possibly problematic although I don't recall what that was, I do seem to recall that I purposely sought out something to test what would happen and it was because it was happening with what I knew to be a safe item, I felt the "problem" was with Edge and that's why I called MS.

(7) Although I don't know for certain, I suspect that even though I installed the June update using Firefox, it seems to be browser specific and because Edge is my default browser (for reasons I won't detail) I get the notice of new update - FYI, per another comment on the fake updates site, I got mine when I started the PC although sometimes my Edge opens automatically and not sure if it did each time I saw notice. Will look for that in future.

(8) I just searched to see if browser specific and it seems to be https://www.bing.com/search?q=is+Adobe+Flash+browser+specific&form=ANSNB1&refig=b1369dd46d90457d8830... Site says "browser plug-in" and so, I suspect given negative scans and other factors, that I keep getting the notice because Adobe's auto update software is not "seeing" the update on my Edge browser (especially if it's appearing only when browser open - I will try to confirm).

Adobe Employee, Aug 17, 2020

Flash Player is a built-in component of IE and Edge on Windows 8 and higher.  Installation and updates are handled by Microsoft via Windows Update.  Similarly, Flash Player on Google Chrome is built into the browser and delivered via their auto-updater. 

 

If you also have Flash Player installed for Firefox (or other NPAPI browsers), then you would have needed to use our installers and auto-update mechanism, but you can always just open the Flash Player icon in the control panel and look at the Updates tab to check to see if you need an update, and install it.

 

The reality is that the technical hurdles that need to be overcome in order for attackers to install malware on modern browsers and operating systems are very high.  It's much easier to attack the human in the system and coax them into installing something malicious on their behalf.

 

Please, always download Flash Player from https://get.adobe.com/flashplayer and ignore prompts on webpages to download updates, particularly on Edge, where there isn't a legitimate installer available.  If you don't have Windows Update set to automatically apply updates, then you might need to check for and apply updates manually. 

 

It's just way more likely that either you need to activate Flash in the browser (see: https://helpx.adobe.com/flash-player.html) because it's being blocked by default, or you're running into something sketchy.

Community Beginner, Aug 18, 2020

ATT: jeromiec83223024

Thank you. This is very helpful. One question though. I checked the updates tab and it is set to “Allow Adobe to Install Updates” and is NPAPI version 32.0.0.414 and PPAPI version 32.0.0.387.  I clicked on “Check now” and the chart says Windows Edge 32.0.0.387  Firefox 32.0.0.5414   chrome 32.0.0.414. Seems to indicate that I’m up to date. NEW QUESTION: Based on my settings should updates be installed without asking me to take action? Also, the download link I received took me to (based on saved screen shots)  https://get3.adobe.com/flashplayer/update/ppapi/ After clicking to download, while showing initializing bar, it went to https://get3.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI &os=Windows%2010&browser_type=KHTML&browser_dist=Chrome&d=McAfee_Security_Scan_... (apparently cut off) and then I got the alert in Edge.  I copied the first URL into Firefox and downloaded it there with Norton saying it was safe.

As a double check, I pasted the URL you provided into Firefox and downloaded – it was at https://get.adobe.com/flashplayer/download/?installer=FP_32_for_Firefox_-_NPAPI&os=Windows%2010&brow...  I note that this URL differs from the one I got in Edge. (I don’t recall if I remembered to cancel the McAfee.) I then tried the previously copied and pasted URL  https://get3.adobe.com/flashplayer/update/ppapi/  and got to https://get3.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI&os=Windo...  This seems to be identical to what I got in Edge (allowing for the cut off in the screen print) and differs a bit from the one I got using your URL, but not sure if that’s because it was taken from Edge which uses a different version than Firefox. Norton flags it as safe.  Can you clarify?

I then tried your URL in Edge (and this time know I declined McAfee) and got to  https://get.adobe.com/flashplayer/download/?installer=FP_32_for_Opera_and_Chromium_-_PPAPI&os=Window...  

It's a bit confusing for me, but I sense that there are some differences between Edge and Firefox URLs possibly because of the different versions. The one thing I do note, however, is that when I use your URL, I don’t get the number “3” after “get”, but I don’t know its significance. However, I once again checked the download as I did it and Norton declares it safe.

New Here, Sep 12, 2020

I just got a popup to update Flash after rebooting. It looked completely normal and I was about to do it. My mind was on something else and I accidentally clicked the Remind Me Later instead. It disappeared and did not return. So I have come to Adobe to get it, and I find several posts like these about it.
I went to the download page and clicked to download the latest version of Flash. I did so, and the file name was exactly the same as one on my computer from July. It asked if I wanted to replace that file with the new one and I did. Sure enough, it was exactly the same.

So I would advise that the update popup from Sept 13 is apparently not legit. And it was not on a webpage. I had just rebooted and had not even opened Chrome. It came from my computer.

Adobe Employee, Sep 14, 2020

Flash Player installer files usually have the same file name from one release to another.  One difference would be the major version number included in the file name; however, Adobe hasn't incremented Flash Player's major version number in quite a while, so it's normally the same file name.

New Here, Sep 14, 2020

I kind of have to question that. I have never had it pop up and ask if I wanted to replace the old file before. Either way, I won't ever do an update except off the webpage from now on...short time or not.

Community Beginner, Sep 15, 2020

This is FYI information that may be helpful. No need for comments unless you know something to the contrary. I decided to contact Norton to inquire as to whether I might have any malware or virus that wasn’t being detected (on the possibility that they had not been aware of it and so it wasn’t blocked or found on scans). I was advised that if my program shows “Protected” I am “clean” and if not, it would say “At risk” and advise to “fix it”. When I raised the concern that it might be a program that was not in their system, the technician guided me to my control panel to check the programs. Nothing installed since about August (when the issue first arose) was in the list with a few exceptions that seemed logical (e.g. Microsoft Updates and a handful of other programs I have). The technician said that virus and malware are programs and thus would appear in the listing. I did however note that there was an Adobe Flash for June 2020 (per Adobe site, last update) and another for August – I neglected to ask why both showed – I’m now going to try to check this out on the Internet, but if anyone knows anything about this, a relevant comment would be appreciated. One interesting point of note. Avoiding too much detail, I went back to the listing so I could view it in more detail and had a different view – couldn’t see install dates and unable to change back. Contacted Norton and they did a screen share – OF NOTE IS THAT Edge flagged the program as possibly harmful to my computer. So, it appears that Edge may flag any non-MS product as possibly harmful.

Adobe Employee, Sep 15, 2020

Screenshots are always helpful when talking about particular messages or warnings, but I'm pretty sure that Edge tells you that anything you download that's executable (like an installer) is potentially harmful.  It's the generic "caveat emptor" warning.  Make sure you really, really trust the source of that executable.  It's valid advice, and one of the reasons that we promote automatic updates so heavily. 

 

The meta issue here is that as an industry, we've made it pretty hard for malicious actors to actually install software without your express consent.  It's a large part of why we plug automatic updates so hard.  Humans are now the weak link in the chain.  It's easier for an attacker to trick you into installing malware on their behalf than it is to install it themselves, plus it's generally better ROI.  

 

Along those lines, Google Chrome (on Mac/Win/Linux) and Microsoft Edge (and IE) on Win8+ both include Flash Player as a built-in component.  The updates are distributed through the browser's built-in update mechanism.  There's nothing to download or install.  That doesn't stop bad actors (and poorly maintained websites) from recommending that you download and install updates from time to time, but where notices come from content on the web, we don't really have any control. 

 

Also, just to clarify the confusion about why you're seeing different downloads, there are a couple flavors of browser plug-in interfaces: NPAPI (Netscape Plug-In Application Programming Interface), PPAPI (Pepper Plug-in API) and ActiveX (Microsoft).  Depending on the lineage of the given browser, they use one of the three major plug-in interfaces.  Each one of those interfaces requires a completely different Flash Player, which targets the individual API required.  So, it's totally plausible that you might have up to three instances of Flash Player, and Google Chrome actually keeps its own installation of Flash Player sequestered from the rest of the system, and maintains an independent set of preferences.

 

Also, to make things even more confusing, there's a "New" Edge, and a "Legacy" Edge.  The Legacy Edge was built off the Internet Explorer codebase.  The New Edge is built off the Chromium codebase (the open-source flavor underlying Google Chrome).  So, the old Edge uses the ActiveX Flash Player, but the new Edge uses the PPAPI Flash Player, except when you launch a page in the IE Compatibility Mode inside the New Edge, at which point it uses the ActiveX Flash Player.  It's pretty confusing.  We exist in the middle of a large, complex, dynamic ecosystem that is getting increasingly more fragmented and complex.  It's pretty messy.

 

The actual distribution of Flash Player to consumers happens via the Adobe Product Download Center.  Although Flash Player is free to use, it's expensive to distribute and maintain.  There are cost-recovery mechanisms in the distribution pipeline that include bundled offers and promotions, which vary by language, region, etc.   The "shim" installers that you download initially have small filename variations that consider those factors, but I don't work on the distribution business and it's opaque to me.  The moral of the story is that the filenames don't convey any useful information.  Anyone can name a file anything.

 

If you're really worried about whether or not a file is legitimate, there are cryptographic mechanisms built into the software distribution ecosystem.  The math gets deep quickly, but basically there's a trusted authority that issues keys to developers, with which they can sign applications.  When a binary is signed, that signature says "a.) this software came from me", and "b.) the binary file that I signed has not been modified".  More succinctly, code-signing guarantees integrity and non-repudiation.

 

The only truly meaningful guarantee about "is this thing legit?" is the digital signature.  The operating system is transparently validating that to make sure that the signature is valid and that the file has not been modified.  It will pop a warning if something doesn't match, but it doesn't necessarily know that a binary should come from a specific company.  It's just confirming "was this file signed by someone with a valid code-signing certificate".  It's a good check, but you can go further manually, to confirm "did this file get signed by the valid code signing certificate issued to Adobe, Inc". 

 

As you can imagine, those keys are super important.  On our end, there's a whole mess of technology involved to ensure that they can't be stolen (and there are mechanisms built into the code-signing ecosystem that handle revocation in the event that happens), and that only official builds created from secure build systems by authorized users can be signed, and that anything signed is recorded with a robust audit trail.

 

So, if you want to validate that the binaries are legit and came from us, check the digital signature. 

This is a decent guide: 
https://www.thewindowsclub.com/verify-digital-signature-programs-windows

or if you want authoritative sources: 

https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature

 

Clearly, that's more than the average user is going to undertake, which is why we push automatic updates so hard across the industry.  It's straightforward for us to build guarded update publication pipelines that utilize cryptographic technology and strict access controls to ensure that you're never going to encounter something that isn't legitimate and well-vetted.

 

So, the short answer to all of this is:

  • Enable Automatic Updates in Control Panel > Flash Player
    • This covers all the browsers that don't bundle a Flash Player automatically, and ensures that Flash stays patched quickly in the event that we ship an urgent security update.

  • Enable Automatic Updates for Windows Update
    • This ensures that all the browser, operating system and Flash patches for IE and Legacy Edge get installed and are updated quickly in the event that a high priority security update gets shipped by Microsoft via Windows Update.

  • Ensure Automatic Updates are enabled on Google Chrome
    • Unless you actively went in and disabled them, automatic updates are the default.
    • You can confirm that Flash is up-to-date by going to chrome://components and hitting Check for Updates, but my experience with the aggregate population is that this just works... 
  • Ignore anything on a web page or popup that tells you to update
    • If the message about updating Flash is innocent, it's probably because the browser is actively blocking Flash, and the website assumes that you just don't have Flash installed (this was a reasonable assumption from 2000 up until about 2017).  
      • We keep a list of how to enable Flash Player in supported browsers here:
        https://helpx.adobe.com/flash-player.html
      • Just checking to make sure Flash is enabled is the only thing we'd recommend that you do when prompted to update by a webpage.
    • If the message is malicious, you just avoided a big headache, and if you can't get a website to work, it's probably better to walk away than risk it.  You can always shoot a note to the site admins if it's super important that you access that content.

 

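The manual check described in the last reply (a valid signature is not enough; confirm who signed it) can be scripted with PowerShell's built-in `Get-AuthenticodeSignature`. This is an added example, not part of the original thread or Adobe's tooling; the function name `Test-PublisherSignature`, the file path and the organization string in the usage line are placeholders chosen for illustration.

```powershell
# Added example: confirm an installer is Authenticode-signed AND that the
# signer is the publisher you expect. Function name, path and organization
# are illustrative placeholders, not values taken from the thread.
function Test-PublisherSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedOrganization
    )

    # Resolve first so a mistyped path fails loudly instead of looking unsigned.
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Windows checks that the file hash matches the signature and that the
    # signing certificate chains to a trusted root.
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    # Extract the O= (organization) field from the certificate subject.
    # Values containing commas are quoted, e.g. O="Example, Inc."
    $org = $null
    if ($cert -and $cert.Subject -match '(?:^|,\s*)O=(?:"([^"]+)"|([^,]+))') {
        $org = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        $org = $org.Trim()
    }

    # "Valid" alone only means "signed by someone with a trusted code-signing
    # certificate"; the publisher comparison is the extra manual step.
    $statusOk    = $sig.Status -eq 'Valid'
    $publisherOk = $org -and ($org -eq $ExpectedOrganization)

    [pscustomobject]@{
        File         = $file.Name
        Status       = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Organization = $org
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped  = [bool]$sig.TimeStamperCertificate
        Trusted      = [bool]($statusOk -and $publisherOk)
    }
}

# Usage (placeholder path and organization; substitute your own):
# Test-PublisherSignature -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedOrganization 'Example Publisher Inc.'
```

A renamed or tampered file reports `NotSigned` or `HashMismatch` regardless of its file name. Comparing the reported thumbprint against one recorded from a known-good installer is a stricter check than matching the organization string.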