I have a customer base that connected to vCloud Director. Since the release of 18.104.22.168 we are receiving the Shockwave Flash has crashed.
All browser / All Windows OS (7 & 10)
Reverting to version 22.214.171.124 fixes the issue.
[moderator: Added 'VMWare' to title to aid other users who are having the same issue in finding this topic]
Copy link to clipboard
Thanks, and sorry for the inconvenience. We're aware of the issue and are investigating to see if we can provide some relief.
For background, to address the security issue discovered in the wild that prompted this release , we more tightly enforce rules in the initial validation of the SWF bytecode. For some reason, the SWF that VMWare uses is failing those validation checks.
This has always been the case, but weren't treating the validation failure as fatal, and would apply some more nuanced heuristics. We're now aborting immediately at the validation failure to ensure that we're addressing the entire set of possible related issues.
It's not immediately clear why it happens to be this particular SWF, but it's old, and there's the possibility that a compiler bug or third-party toolchain created some invalid bytecode that wouldn't normally exist in an equivalent SWF compiled from a newer toolchain.
We're now looking to see if we can be a little more surgical and allow this content to run normally again, now that we've made it through the immediate priority of addressing the vulnerability being abused in the wild. We'll be happy to update the thread as we have new information about the availability of a fix, etc. In the meantime, we'd strongly recommend using Flash Player 126.96.36.199 for general browsing, and keeping a dedicated VM or browser with Flash Player 188.8.131.52 for the specific task of accessing this content.
 Adobe Security Bulletin APSB17-32 - https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
Thank you very much. Is there a timeline for an updated release that handles the validation for VMWare?
Without a fix committed and tested, any guess I gave you about when the patch would land wouldn't be very meaningful. The target would be to drop something as soon as possible in a beta as pain relief and shoot for November's patch Tuesday as the mainstream release vehicle, but the most important thing is that we maintain the integrity of the mitigation we've deployed for the security issue.
I am one of the UI managers at VMware. How can we help you with this? Can we instrument our code or do anything else to help isolate the issue?
Thanks for reaching out! I think we're actually okay at this point.
We checked in a candidate fix late yesterday. The builds ran overnight, so we'll start evaluating them today. Assuming that both the functional fix and original security mitigation pass muster (I'm fairly confident they will), it should land in a beta early next week. We have some external operational constraints that preclude doing a drop sooner.
In terms of what happened, there's a java-style idiom that you use (presumably for library versioning) that uses undefined functions (i.e. functions with blank bodies) that are called repeatedly. When compiled, this resulted in bytecode that was getting flagged. We've been able to safely make affordances for it. This approach seems to be pretty rare (the number of distinct SWFs impacted appears to be very small at this point), but whenever we ding a relatively obscure edge case like this, it's invariably an important enterprise application that breaks.
How do you revert to version 184.108.40.206 when I don't have it. I uninstalled and reinstalled flash but doesn't help.
Also looking at this workaround Shockwave Flash crashes with vSphere Web Client 6.x (2151945) | VMware KB didn't help, same issue.
I can't wait until November to have see if something works.
thanks upn0rth. I downloaded it. Uninstalled the current version, rebooted and installed 27.0.0159 and worked again in Chrome.
Like madmax, we too are not in a position to wait for November. We have 2000 users unable to access their vApps + VM consoles through vCloud Director right now. Downgrading flash to the vulnerable version in our enterprise is not an option.
Has this issue been assigned a bug in https://tracker.adobe.com?
A comment on the Chrome bug
references this Adobe bug FP-4198653...
Interesting. Its release notes state:
Oct 17, 2017
Flash Player Flashplayer quits unexpectedly when logging into VCD (Virtual Cloud) Portal(FP-4198649)
220.127.116.11 fixes the vCloud/vSphere crash and is now available from the labs page link, posted in comment #11
18.104.22.168 is a beta release, which fixes the VMWare crashing issue. Since it's a beta release, it's not listed on the security bulletin page.
@ m_vargas Any idea when 22.214.171.124 is going to go from beta to production? We don't really want to uninstall 170 and then install a beta product, I would rather keep it production and just get a new build for production release. Do you have an ETA?
We're aiming for an update posted to adobe.com on Wednesday, barring unforeseen issues between now and then. We can't speak to when Google (Chrome) or Microsoft (Win8.x/10 for IE/Edge) would release the update.
does it also fix the same problem with vmware vcenter flash client?
I can confirm, beta version 126.96.36.199 fixed this problem for vCenter web client in Chrome. (Windows 7)
I have MS Windows 10 Pro.
When i try to install Adobe Flash Player 188.8.131.52 (beta) for Internet Explorer (Active X) i get the error:
It's about i have last version of Adobe Flash Player in my IE...
Microsoft embeds Flash Player in IE and Edge on Windows 10, as such, the standalone installer does not work, and all Flash Player updates for IE/Edge are released by Microsoft via Windows Update. You'll need to use a different browser until this fix is in the release channel and Microsoft releases the update.
Thanks for answer, m_vargas.
But for what this distributive is made?
That's for Windows 7 and below.
I thought there was a comment on the labs page about the ActiveX Control being for Windows 7 and below, but don't see it. I have submitted a query to the folks who maintain that page.
Correct. and unless you have Firefox installed, you don't need flash activeX nor the ( flash plugIn for Firefox) starting from Windows 8.1