previous Yet Another Adobe Flash Unpatched Vulnerability Actively Exploited in the Wild
Forcing HTTPS with NoScript next
21 09 2010

Yet Another Adobe Flash Painful Update

Posted by: Giorgio in Flash, Mozilla

Yesterday Adobe rushed out a security update (version 10.1.85.3), one week in advance on the announced schedule, patching a critical vulnerability that has being exploited in the wild for more than one week.

As usual, users of the latest stable Firefox version on Windows are plagued with an awful manual update process, involving the installation of a ridiculous "Adobe DLM (powered by getPlus(3))" extension (forcing an extra, useless, browser restart), whose only function seems to be displaying additional banners during the download.

Even worse, this time looks like Adobe made going through this process actually impossible, on my system at least, because of a mismatch between the DLM plugin version they automatically offer, i.e. getPlusPlus for Adobe 16290, and the version actually required for downloading the Flash update with their markup:

<embed type="application/getplusplusadobe16291"
pluginspage="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.xpi"
service-url="http://get.adobe.com/flashplayer/webservices/dlm/"
return-page="http://get.adobe.com/flashplayer/completion/dlm/"
itemid="Flash_Player_10.1_for_Windows_-_Other_Browsers"
core-product="flashplayer" dlmbanner="on" language="" os="" height="1" width="1">

As you can see, the required version is 16291, rather than 16290.

Fortunately the actual direct download URL is not impossible to discover, for instance by dinamically replacing "16291" with "16290" with a bit of javascript: magic in the address bar and sniffing the network activity.

So, if you're stuck like me or you just don't want to install this getPlusPlus crap, you probably want to use this direct link :)

This entry was posted on Tuesday, September 21st, 2010 at 10:23 am and is filed under Flash, Mozilla. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

19 Responses to “Yet Another Adobe Flash Painful Update”

  1. #1 Wladimir Palant says:
    September 21st, 2010 at 11:40 am

    Or simpler - temporarily change general.useragent.extra.firefox preference so that Adobe's sniffing doesn't recognize you as Firefox. The website will give you a direct download link then, without any additional crap.

  2. #2 Ludovic says:
    September 21st, 2010 at 12:03 pm

    Hum the direct link is windows only :(

  3. #3 AnonymousCoward says:
    September 21st, 2010 at 2:13 pm

    @:Ludovic
    The NoScript power-user/mod *therube* has left a set of useful links for the Flash Bewildered here:
    http://forums.informaction.com/viewtopic.php?f=19&t=3866
    I'd guess that if you go to the link for "otherversions" and your useragent string doesn't upset adobe...?
    Man, that Adobe download routine sucks and errors so much.
    I even heard myself say the other day that it would be better to have a Java-like Flash Console in Win - for the less tech user - than to go through all this junk. Just for a silly library file. At least with a console you could have a chance at monitoring all the junk. But I think that Adobe has zero ability to reduce bloat.

    I've been happily using the stand-alone link since *therube* got it for us.

    @Giorgio eh eh, you should use the search button on your own forum more ;-)

  4. #4 Anonymous Coward says:
    September 21st, 2010 at 2:35 pm

    @Ludovic: You can always get a DLM-free direct download link from:
    http://get.adobe.com/flashplayer/otherversions/

  5. #5 Captain Canuck says:
    September 21st, 2010 at 3:06 pm

    @Ludovic:

    You only get the get++ wth Windows anyway

  6. #6 Emil says:
    September 21st, 2010 at 4:33 pm

    I tried to uninstall flash from Windows and when visited youtube, firefox offered me to install older version of flash player which even failed, at the end i used your download link :)

  7. #7 lither212 says:
    September 21st, 2010 at 4:42 pm

    thanks for the links

  8. #8 LoatheAdobe says:
    September 21st, 2010 at 8:20 pm

    This is really the most straightforward, and quite useful even for people who aren't working in a corporate environment:

    http://www.adobe.com/products/flashplayer/fp_distribution3.html

    Or you could download the codename-Square Flash 10.2 release from Labs. Making the dangerous assumption that they would have updated the download by now if it were vulnerable, the 2010-09-15 release will probably do you just fine.

  9. #9 Walter K says:
    September 21st, 2010 at 9:36 pm

    I never use this crapware? "extension" to download Flash.
    These are direct links to the latest Flash installers:

    ActiveX/IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

    Firefox: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    As always, one needs to quit all browsers to install.

  10. #10 yamaban says:
    September 22nd, 2010 at 12:22 am

    For the people out there in what of a 64bit version: Adobe offers a new beta called Square P1 (10.2.161.22)at Adobe-Labs:
    http://labs.adobe.com/technologies/flashplayer10/
    Download-links:
    http://labs.adobe.com/downloads/flashplayer10.html
    Notes:
    http://download.macromedia.com/pub/labs/flashplayer10/flashplayer_square_p1_releasenotes.pdf

  11. #11 Faust says:
    September 22nd, 2010 at 3:06 am

    FYI, I've gotten weary of always trying to track down the direct link, so I now just resort to using filehippo.com, which always seems to have the latest files within 24 hrs.

  12. #12 Not So Prod IE User says:
    September 22nd, 2010 at 5:38 am

    I know this thread is for firefox-users but for IE Users just add _ax and you will get the IE-version (if you dont understand just change install_flash_player.exe for install_flash_player_ax.exe in the link provided by maone)

  13. #13 passageguy says:
    September 22nd, 2010 at 2:27 pm

    Thx for the direct link dude ,i have the same prob ,this getPlusPlus piss me off, really.

  14. #14 Unanimous Howard says:
    October 1st, 2010 at 2:43 pm

    What's your experience using non-x86/amd64 machines with BSD or UNIX systems?

  15. #15 Giorgio says:
    October 1st, 2010 at 8:53 pm

    @Unanimous Howard:
    Some Solaris/Sparc, some YDL/PowerPC, some Maemo/ARM.
    May I ask you why?

  16. #16 Josh says:
    October 6th, 2010 at 4:20 am

    Thank you for the link sir. It solved my problem.

  17. #17 Robert` says:
    October 28th, 2010 at 6:22 pm

    Linux distributions perfected patch management years ago with yum and aptitude. All of my Linux systems update automatically by monitoring the Linux repository hosted at Adobe.com. When a new version of AcrobatReader or Adobe flash-plugin is posted, yum-updatesd downloads and installs it. If yum-updatesd is off, all you have to do is su -c "yum -y update". There is also a GUI based prompt for updates. Software downloads, Installations, Updates, and Uninstalls is so antiquated on Windows. Under windows it is the same process i used 30 years ago. Under Linux, it is all automated.

    $ cat /etc/yum.repos.d/adobe-linux-i386.repo

    [adobe-linux-i386]

    name=Adobe Systems Incorporated

    baseurl=http://linuxdownload.adobe.com/linux/i386/

    enabled=1

    gpgcheck=1

    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux

  18. #18 Omnibus says:
    October 29th, 2010 at 9:26 pm

    Thank you sooooo much Giorgio

  19. #19 xyloth says:
    November 4th, 2010 at 8:49 pm

    thank you so fuckin much. Adobe sucked that time

Bad Behavior has blocked 987 access attempts in the last 7 days.