June 2018: My experience with the Adobe Flash tester (linked to above) is that no matter what you do in Chrome, it will not run the Flash tester when loaded with HTTP. Only the secure HTTPS version of the page actually works.
The most useful thing I have written about Flash was: A handy tip about updating Flash in the Chrome browser April 14, 2016. It walks you through using CHROME://COMPONENTS to update just the Flash Player in Chrome without updating the rest of the browser. Many times the Chrome browser has reported that it was up to date, yet Flash was not.
This site (page really) started as a way for me to easily find the main Adobe Flash tester page (links at the top above) which reports both on the installed copy of Flash in your browser and the latest version for assorted operating systems. The version history below lets you judge just how old a given instance of the Flash Player is and how many bug fixes it's missing.
February 12, 2019. Not much this month, just one "important" vulnerability that can result in information disclosure. Some copies of Internet Explorer use one version, some another. Makes no sense.
October 25, 2017. No sexy security flaw this time, just "an important functional fix impacting Flex content". It seems that Internet Explorer on Windows 7 and 10 should use the new 183 version of Flash but that on Windows 8.1 it should use the old 170 version. But, the day after this update was released, there was no Flash update for Windows 10.
October 10, 2017. Adobe released fixes for an unknown number of functionality bugs. The Flash Player for Edge on Windows 10 and Internet Explorer on Windows 8.1 were not updated. The update for these two browsers is expected later in the month. IE on Windows 10? Beats me. The Adobe tester page said it was updated, this forum post said it was not.
February 14, 2017. Adobe released fixes for 13 bugs. Although there is supposed to be an update for Chrome OS, that does not appear to be happening. I checked two Chromebooks on Feb 14th, each was running version 55.0.2883.105 and each claimed to be up to date. Yet, each was using Flash version 188.8.131.52.
Adobe has a second un-named tester page at adobe.com/swf/software/flash/about/flashAbout_info_small.swf that displays the installed version number in a huge font (also available with insecure HTTP). Great for small screens. But, that's all it does, there is no indication of whether the installed version is current or not. If your browser tries to download a file, Flash is not installed. Update March 28, 2017: I had not used this Flash tester in a long time. It seems to have disappeared. Update October 23, 2017: It's back. But current browsers download the .swf file rather than displaying it as a web page. I am told that Chrome version 44 and earlier, that support NPAPI plugins, would display this.
They even have a third tester page they call Flash Player Help (also available via
This page shows the installed version of Flash and indicates if it's the latest version or not.
When the installed version is old, it tells you what the latest version is for your browser/OS.
That's the good news. The bad news is that it punts on the Chrome browser and IE on Windows 8. In both cases it says that Flash should be updated automatically, so fuggedaboutit, you're fine. In early Feb 2014 it was only displaying the first 3 sections of the Flash version number, which has 4 sections. By September 2014 this bug had been fixed. As of May 2015, the bug was back, it reported only that v17.0.0 was installed. The bug still existed July 15, 2015 (Chrome on Windows 7 reported that version 18.0.0 was installed).
Adobe used to have a fourth Flash tester but sometime in Jan 2014 or earlier, it was merged into the above.
Some perspective on Flash Player bugs May 17, 2015. After 18 years of development, Flash has had a lot of bug fixes both in 2015 and in the last 12 months. Also, four defensive strategies to be as safe as possible when running Flash.
Defending Against the Flash player June 6, 2011. Here I argue for getting off the Flash update roller coaster by un-installing the Flash player used by Internet Explorer (ActiveX) and the copy used by Firefox (plugin). Also, avoid the Adobe Reader because it contains the Flash player. You're left with Google's Chrome browser which self-updates quietly.
I ran into an interesting wrinkle while logged on as a Guest user on a Chromebook. The upside to being a guest user is that you always start with a virgin copy of the operating system. When it comes to blocking Flash, however, this is also a downside. As of Chrome OS version 46 (and probably earlier versions too), Google defaults to "Detect and run important plugin content". At one point, I was viewing a single web page and the Chromebook was sluggish. I used Shift-Escape to bring up the Google Chrome Task Manager and saw that the Flash plugin was using a lot of RAM and CPU cycles. I killed the Flash process, but it soon came back even though I was still on the same web page. Annoyingly, if you want to block Flash content by default, Guest users on Chrome OS need to change the plugin action to "Let me choose when to run plugin content" every time they log on. Bah humbug.
FLASH PLAYER on WINDOWS (needs to be revised for Windows 10)
My Recommendation: (last updated Feb 15, 2015) Windows users should only use Flash in the Chrome browser. I have said this here for years and now it is more true than ever. For one thing, Chrome does a painless (if at times less than perfect) job of keeping the Flash Player up to date with bug fixes. The end user is not told or asked, which, in my opinion, is the way it should be. In addition, Chrome does a better job of sandboxing Flash than either Internet Explorer or Firefox. This too, has been true for a long time, and was illustrated recently when a flaw was exploitable in IE and Firefox but not in Chrome. What's new here is the recommendation to use click-to-play as a defensive tactic in Chrome. Websites that need Flash can still use it, but the end user has to first okay this by clicking on the area of the page devoted to Flash. You can also whitelist some websites. As of Chrome v45, you enable click-to-play with: Settings -> Show Advanced Settings -> Content Settings button -> Plug-ins section -> "Let Me choose when to run plugin content" radio button.
HISTORY and BACKGROUND
For Windows users with multiple browsers, the Flash player has been a particular
annoyance for years because there are multiple copies of it. It is packaged one way for use with
Internet Explorer (an ActiveX control) and another way (referred to as the plugin version)
for use with Firefox and Opera. Then along came Chrome with its own embedded copy, an idea
that Microsoft copied with the desktop edition of Internet Explorer 10 and 11 on Windows 8.
The Metro/TileWorld/Modern edition of IE on Windows 8.x does not support Flash.
Each packaging of the Flash Player is independent, so
one of Adobe's Flash tester pages (linked to above) needs to be run in each installed browser.
A Windows user with IE, Firefox and Chrome can have three copies of the Flash Player and each can be
at a different version. What a mess.
For many years the update procedure for Flash was manual, rather than automatic. Now (December 2014) that things are more
automated, the problem is inconsistency. Each Windows browser self-updates Flash using a different mechanism. Internet Explorer,
in its never-ending quest to be the worst option, updates Flash one way on Windows 7 and a different way on Windows 8.x.
On Windows 8, Flash in IE10 and 11 is updated
with Windows Update. On Windows 7, IE10 and IE11 depend on Adobe rather than Microsoft. The Flash Player has its own, optional,
self-update mechanism (first introduced in the summer of 2012). This same Adobe-provided mechanism is used by Firefox.
Chrome has always been the best at this, despite some potholes along the way. It updates Flash along with the browser itself,
silently and reasonably quickly.
The portable version of Chrome is an exception.
When run stand-alone (that is, without the PortableApps.com Platform) it does not self-update at all.
The potholes I referred to above are a reference to Google's use of their component updating system for the Flash player. This
software updating scheme is separate and distinct from the updating mechanism used for the rest of the browser. My experience has
been that Flash updates via the component system roll out much slower. Thus, vulnerable Flash software remains installed much longer
than it used to. See my October 2013 blog on this: "Chrome browser on Windows fails to update embedded Flash player".
It is not clear to me that Google always uses their
component mechanism for updating Flash. Recently (Nov. 2014) Flash updates have appeared in Chrome fairly quickly.
To see the version of Flash, and all plugins used by Chrome, enter chrome://plugins in the address bar. For full details on just Flash enter chrome://flash in the address bar.
I am a huge fan of the portable edition of Firefox.
As a rule, it picks up the same copy of Flash that a normally installed copy of Firefox does.
However, I have run across portable copies of Firefox with their own embedded copy of Flash. Portable Firefox users
should update Flash in the same way you would for a normally installed copy of Firefox and then verify each portable instance of
Firefox at Adobe's tester page.
Oct 2012: One issue with IE 10 and 11 using Windows Update to deliver Flash player updates is that Microsoft normally releases updates once
a month. If Flash needs to be updated immediately, Microsoft may be reluctant to break from their schedule. In a Sept. 2012 article, Ed Bott
griped that Microsoft had not updated IE10 with the latest Flash patches:
"Microsoft puts Windows 8 users at risk with missing Flash update". In fairness, Windows 8 had not been released at the time.
Another 2012 article on this, one which did a good job putting things in perspective, is
"Adobe confirms Windows 8 users vulnerable to active Flash exploits" by Gregg Keizer in Computerworld.
Nov 2014: The way this seems to have played out is that Adobe adjusted their release schedule to match that of Microsoft. On the second Tuesday
of the month both companies release bug fixes. Of course, that leaves Windows users vulnerable to known flaws in the Flash player longer.
Manually un-installing the Flash browser plugins for IE and Firefox
It is normally not necessary to manually remove an old version of the Flash Player plugin before installing a new version.
Still, I suggest doing so, to verify that the un-install worked before upgrading. Windows users can un-install Flash from
the Control panel list of installed software - look for two versions (ActiveX and plugin) and remove each. Again, this is
limited, as it does not remove the copies of Flash embedded in other software such as Chrome and the Adobe Reader.
Should something go wrong with the un-install (it's happened to me, see an example), Adobe offers downloadable uninstallers for
Windows and Macs in their TechNote tn_14157.
August 19, 2012: On July 31, 2012 Chrome on Windows was converted from using an included Flash Player with an
NPAPI interface to one with a PPAPI interface. The PPAPI version is newer and safer, that is, it is better sandboxed.
Google refers to the PPAPI version of the Flash Player as Pepper Flash. The Pepper Flash interface is used on Windows,
Linux and Chrome OS. OS X, however, is still using the older NPAPI interface for the Flash player plugin. For more, see
my blog Explaining the confusion over Flash versions.
Sometime between September and December of 2012 OS X was upgraded to a Pepper-based Flash Player.
Flash in the Adobe Reader and other software
Outside of the installed copies of Flash that the Operating System is aware of, and outside of Chrome, Flash is also embedded in other software. Popular programs that include their own embedded copies of the Flash Player are
the Adobe Reader versions 9 and 10 (Flash is not included with the Adobe Reader version 8) and Adobe Acrobat.
Other software with its own copy of Flash includes Adobe AIR, Adobe Shockwave (see Dec. 2012 warning
of vulnerability), Adobe Flash Professional and Adobe Flex.
Flash is also used by AOL Instant Messenger and Microsoft Office. In fact, malicious Flash files have been embedded inside
Office documents as part of a phishing attack. I don't know which version of the Flash player is picked up by Office apps.
All these copies are not necessarily patched at the same time by Adobe.
More than once the workaround for a vulnerable embedded copy of Flash in Reader and Acrobat has been to rename, move or
delete a file. For more on this see "Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat"; look for the
MITIGATIONS section. This is true for both Adobe Reader version 9 and X. Here is a brief summary:
Adobe Reader and Acrobat 9.x on Windows: Rename file authplay.dll. It is typically located at
C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x and Acrobat Pro 9.x on Macs: Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x on UNIX: Remove the library named "libauthplay.so.0.0.0."
Update: April 25, 2012. Things are changing here. See
what Adobe says. In brief: Starting with the Reader and Acrobat 9.5.1 updates, Adobe Reader and Acrobat 9.x on Windows and Macintosh use the installed Flash Player plugin for Firefox/Opera. No more Authplay. Adobe Reader 9.x users no longer have to update
Adobe Reader each time there is an update to Flash. If the Firefox version of Flash is not installed and you open a PDF file that includes
Flash (SWF) content, a dialog will prompt the user to install the latest Flash Player. Adobe is working on doing the same
with Adobe Reader X.
Opera on Windows
I don't use Opera. According to Adobe it uses the plugin version of Flash that Firefox uses.
The warning above that a new version of Flash is available is flawed for these reasons:
1. It checks once a week, at best. To me, this is not frequently enough. And, your computer may only be checking every 60 days or not at all. To see how your machine is configured, check the Global Notifications Settings Panel. On a new Windows 7 machine, the default was 7 days, but I don't know if that's always the case.
2. Adobe only warns about new versions of the Flash player at system startup. Anyone who doesn't turn off their computer doesn't get warned. My main laptop gets re-booted only once a month to install Windows patches. Every night it hibernates. No warning messages for me.
3. When you see this message, how do you know if it's legit or a scam? Non-techies can't tell. The Flash update notice has already been used in attempts to install malware.
4. The message is sometimes wrong. For example, if the computer was booted with an old version of Flash, then Flash was updated to the latest and greatest version, the next re-boot may well incorrectly warn that Flash is outdated. On one of my computers, after I removed Flash from both IE and Firefox, the next reboot warned me to update Flash. It's not clear if this warning applies to the copy of the Flash player embedded in Chrome.
5. There is not enough information supplied. For example, it does not say what the latest version of Flash is. It also does not say what old version of Flash it detected, let alone where this old version
6. It may install old software. I know someone who ignored the warning about updating Flash for quite a while. When they finally gave in and let Adobe update Flash, it installed an old version.
Regarding point 3 above, on Windows XP SP3, the last time I checked, Process Explorer showed
that the warning came from program NPSWF32_FlashUtil.exe running out of
C:\WINDOWS\system32\Macromed\Flash. In June 2011 on a Windows 7 64 bit system, the program displaying the window touting a Flash update was FlashUtil10q_Plugin.exe running out of C:\Windows\SysWOW64\Macromed\Flash. The program identified itself as "Adobe® Flash® Player Installer/Uninstaller 10.3 r181" but it was not signed, so we can't know if it really came from Adobe or not. This may change over time, so I'd key off the Window Title column in Process Explorer to see the source process.
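The signature check described above can be scripted. This is an added example, not from the original page: it reports the file version and Authenticode status of everything in the two Macromed\Flash folders named above, plus the image behind any window whose title mentions Flash. The function name and the 'Adobe' signer pattern are assumptions.

```powershell
# Added example. Folder paths are the ones quoted in the text above;
# Get-SignatureReport and the 'Adobe' signer pattern are hypothetical choices.

function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string[]] $FilePath,
        [string] $ExpectedSigner = 'Adobe'   # assumption: substring of the certificate subject
    )
    foreach ($path in $FilePath) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path            = $item.FullName
            FileVersion     = $item.VersionInfo.FileVersion
            Description     = $item.VersionInfo.FileDescription
            Status          = $sig.Status    # Valid, NotSigned, HashMismatch, ...
            Signer          = $subject
            MatchesExpected = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
        }
    }
}

# 1. Every executable or library in the Macromed\Flash folders that exist.
$flashDirs = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash" |
    Where-Object { Test-Path -LiteralPath $_ }
$onDisk = foreach ($dir in $flashDirs) {
    Get-ChildItem -LiteralPath $dir -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.ocx' } |
        ForEach-Object { $_.FullName }
}

# 2. Any running process whose window title mentions Flash (the same column
#    the text keys off in Process Explorer). Path is empty for processes the
#    current user is not allowed to inspect, so those are skipped.
$running = Get-Process |
    Where-Object { $_.MainWindowTitle -like '*Flash*' -and $_.Path } |
    ForEach-Object { $_.Path }

$targets = @($onDisk) + @($running) | Where-Object { $_ } | Sort-Object -Unique
if ($targets) {
    Get-SignatureReport -FilePath $targets |
        Sort-Object MatchesExpected, Path |
        Format-Table Path, FileVersion, Status, MatchesExpected -AutoSize
}
```

Rows with a Status other than Valid sort to the top. A browser window whose page title contains "Flash" also matches step 2 and will show its own vendor as signer.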
Flash Player on Android
Since this is no longer supported (the last bug fix was issued Sept. 2013) notes about this have been moved here.
Flash Player on a Mac
As on Windows, there can be multiple versions of Flash concurrently installed on OS X. To illustrate, in April 2016, Flash for Firefox and Safari (NPAPI) was at version 184.108.40.206. Flash for Chrome (PPAPI) was version 220.127.116.11 and Flash for Opera (PPAPI) was version 18.104.22.168.
Another way to get to Adobe's flash tester page is to right click on a Flash movie in a web
page and select "About Adobe Flash Player".
Mozilla offers a plugin checker that works with
Firefox and other browsers. As a rule, I wouldn't use it. It gets automatically invoked when Firefox itself
is updated and this can be a good thing, as it warns of outdated instances of the Flash player. But,
bad guys create fake pages that mimic these warnings, so you can't blindly trust them.
Always check at Adobe's official Flash tester page.
Windows users can check the installed version of the Flash player
in the control panel. In XP, go to Add or Remove
Programs, click on the Flash player, then click on "click here for support information". In Windows 7 and 8, the version number
is displayed as part of the list of installed software under Programs and Features. Vista users seem to be out of luck.
This does not, however, tell you what the latest Flash version is. And, it doesn't tell you about copies of
Flash embedded in other applications (i.e. Chrome, the Adobe Reader).
Flash Self-Update Checking
The self-update capability of the Flash player is poor. In terms of frequency, the best it can do is check for updates every 7 days.
In terms of completeness, I believe it only reports on Flash used by web browsers. That is, I don't think it warns about copies
of the Adobe Reader with an old version of Flash embedded. The Adobe Reader and the Flash player browser plugin are updated in
different and independent ways.
In addition, the Flash player has incorrectly warned me about outdated software. It seems to check, find an old version
and then warn you the next time Windows boots up. By then, of course, the Flash player may well be up to date.
And, as with Firefox's warning about the need to upgrade, this notification has also been spoofed by bad guys
in an attempt to trick unwary users into installing malicious software. Bottom line: don't believe any notices about available
updates to the Flash player, always check with Adobe's Flash tester page.
To configure how often the Flash player checks for updates, go to a Macromedia.com hosted web page called the Notifications panel.
Note: you can prevent Flash from checking for updates in two ways. The first is a simple checkbox on the Notifications Panel. An Adobe TechNote, IT Administration: Configuring Flash Player auto-update notification explains another way, one involving a file called mms.cfg, but this TechNote seems to have been abandoned. It was last updated in April 2008 (as of Aug. 18, 2010) and doesn't even mention Windows 7.
Adobe also has another Flash tester page, Version Test for Adobe Flash Player, but as of July 3, 2010, 24 days after a new version had been released, it still listed an older version as being current. I checked again on September 22, 2010 and it no longer reports the latest version of Flash, only the installed version.
See my assorted notes on Flash Cookies (last updated November 2014)