Yet again, the Flash player is buggy and there's a new version (10.1.82.76). I've got the drill down pat.
As a Windows user, I first go to the Control Panel and remove the vulnerable version(s) of Flash. Strictly speaking, this is not needed, as new versions of Flash now remove older versions. Still, being into Defensive Computing, I like to see the removal of the old software first hand.
For the longest time there were two versions of Flash that Windows users needed to deal with: the ActiveX version for Internet Explorer and the "plugin" version for Firefox, Chrome and other browsers. Since I don't use Internet Explorer, there is no longer any need for the IE-specific code, so from here on, I'm limiting myself to the "plugin" version only.
With Flash banished, my next step is to download Adobe's EXE installer version of the software. Most people update Flash from within a web browser, but since locking down the security on Internet Explorer has caused ripple effects throughout the system, I prefer a simpler approach.
The installer version runs with all web browsers shut down. The less software involved, the less that can go wrong. You can get the IE/ActiveX installer here.
So, imagine my surprise when this tried and true, defensive approach failed.
After the install, I always check that Flash is alive and well in my browsers by visiting Adobe's test page.
Firefox showed the new version was installed and working but Chrome was still using the old (10.1.53.64) version.
I use the portable version of Chrome rather than the normally installed version. Portable Chrome is the only misbehaving portable application offered at PortableApps.com. That is, it's the only one that does not self-update.
Process Explorer can display the DLLs used by a process and it showed that Chrome (5.0.375.125) was using:
the version from Adobe that Firefox was picking up.* An older version of Chrome (5.0.375.55) picked up the latest version of Flash.
This is fallout both from Google's now including Flash as part of their browser and from not offering a portable version of Chrome (that said, Mozilla also does not offer a portable edition of Firefox). No doubt, if the portable edition of Chrome were officially sanctioned by Google, it would correctly self-update.
The inclusion of Flash in Chrome was done to make life easier for non-techies. Quoting Adobe:
Starting with Google Chrome 5.0.375.86, 32-bit Chrome browsers include the latest Adobe Flash Player 10.1 built-in. Therefore, Chrome users with these versions don't have to download Flash Player separately ... Chrome automatically updates when new versions of Flash Player are available, to protect users with the latest security updates.
The problem, however, goes beyond portable Chrome users.
By including Flash in the browser, it no longer shows up in the list of installed software in the Windows Control Panel.
Let's see: install one program and get another one also installed, under the covers, with no visible indication of what happened? That's what the bad guys do.
There is a fix for portable Chrome users. Entering "about:plugins" in the address bar displays a list of plugins, from which the gcswf32.dll version of Flash can be disabled, leaving the npswf32.dll version enabled.
Why Flash is referred to as "Shockwave Flash" in the list of plugins is a mystery to me.
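The Process Explorer check and the about:plugins fix described above can also be verified from a script. The following is an added example, not part of the original post: it lists which Flash DLL each running Chrome process has loaded and flags any copy older than 10.1.82.76. The function name Get-LoadedFlash is hypothetical, and it assumes a PowerShell session of the same bitness as the browser, since a 64-bit session may not see the DLLs loaded in a 32-bit process.

```powershell
# Added example: report the Flash plugin DLLs loaded by running Chrome processes.
# $Expected is the new Flash version named in the post.
$Expected  = [version]'10.1.82.76'
# DLL names taken from the post: gcswf32.dll ships inside Chrome,
# npswf32.dll is the plugin installed by Adobe's own installer.
$FlashDlls = 'gcswf32.dll', 'npswf32.dll'

function Get-LoadedFlash {
    param([string]$ProcessName = 'chrome')

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            # Some processes refuse module enumeration; report and move on.
            Write-Warning "PID $($proc.Id): cannot list modules"
            continue
        }
        foreach ($m in $modules) {
            if ($FlashDlls -notcontains $m.ModuleName.ToLower()) { continue }

            # Build the version from the numeric parts, because the
            # FileVersion string may be written with commas instead of dots.
            $fvi = $m.FileVersionInfo
            $ver = [version]('{0}.{1}.{2}.{3}' -f $fvi.FileMajorPart,
                $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart)

            [pscustomobject]@{
                ProcessId = $proc.Id
                Dll       = $m.ModuleName
                Path      = $m.FileName
                Version   = $ver
                Outdated  = ($ver -lt $Expected)
            }
        }
    }
}

# Flash loads on demand, so open a page that uses it before running this.
# One row per distinct DLL path; Outdated = True marks a copy still to be
# disabled in about:plugins or replaced.
Get-LoadedFlash | Sort-Object Path -Unique | Format-Table -AutoSize
```

An empty result means no Chrome process currently has either DLL loaded, not that Flash is absent from disk.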
For more on this, see my next posting More problems updating Adobe's Flash Player.
Interestingly, Portable Chrome starts out as 7 processes on Windows 7 and as 8 processes under Windows XP, even when it's configured to start up displaying a blank page. The normally installed edition of Chrome starts out as three processes (under XP, also displaying a blank page initially), two for Chrome itself and the Google Update service. Not having the Google Update service running constantly in the background is, to me, a big reason to opt for the portable edition of Chrome.