The flash player seems to only be available over HTTP, not HTTPS.
How do I download and install the player securely - in a way that isn't vulnerable to a MITM (man-in-the-middle) attack?
MD5 or SHA checksums aren't available securely either, AFAICT.
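What a MITM-resistant download would look like in practice, as an added example that is not from this thread or from Adobe: fetch only over HTTPS with certificate checking, refuse redirects back to HTTP, then compare the file against a SHA-256 digest obtained through a channel the attacker cannot tamper with. The URL, digest and output path are placeholders supplied on the command line. The caveat the post above raises still holds: a checksum published on the same HTTP page as the installer adds nothing, since whoever rewrites one can rewrite the other.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Adobe): download an
# installer only over HTTPS with certificate checking, then verify it against
# a SHA-256 digest that was obtained out of band. URL and digest are
# placeholders passed as arguments.
set -u

# Pick whichever SHA-256 tool this box has (coreutils, macOS, or OpenSSL).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        # openssl prints "SHA256(file)= <hex>" (OpenSSL 3.x: "SHA2-256(file)= <hex>")
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# 0 only when the URL scheme is https://; http:// is rejected outright because
# anyone on the path can swap the payload.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Compare the file's digest with the expected one (case-insensitive hex).
# A mismatch is a hard failure, never a warning.
verify_sha256() {
    # $1 = file, $2 = expected hex digest
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA-256 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# Download with curl: HTTPS only (also for redirects), TLS 1.2 or newer, and a
# non-2xx response is an error rather than an HTML error page saved to disk.
fetch_and_verify() {
    # $1 = URL, $2 = expected SHA-256, $3 = output path
    require_https "$1" || return 1
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$3" "$1" || return 1
    verify_sha256 "$3" "$2" || { rm -f "$3"; return 1; }
    echo "verified: $3"
}

# Usage: ./fetch.sh <https-url> <sha256-from-a-trusted-channel> <output-file>
if [ $# -eq 3 ]; then
    fetch_and_verify "$1" "$2" "$3"
fi
```

The digest check deletes the file on mismatch so a half-verified installer never sits on the Desktop waiting to be double-clicked; the TLS step protects the transport, the digest step protects against a compromised or spoofed origin, and neither substitutes for the other.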
Help! Anyone? Adobe???
OMG-is-NoScreenname-Avail wrote:
Help! Anyone? Adobe???
Just to clarify: this is a user-to-user forum, not Adobe Support.
Hi, This is why you always want to Uninstall/Install from the Adobe Site. You can download and SAVE the Uninstaller to your Desktop and also the Installers. As long as you follow the Uninstall instructions and the Install instructions, you can disconnect from the Internet and Install from your Desktop.
The Adobe Flash Player Uninstaller is here:
http://kb2.adobe.com/cps/141/tn_14157.html
You can find information for the Manual Installers here and also various instructions and settings needed.
http://kb2.adobe.com/cps/191/tn_19166.html
Hope that helps.
eidnolb
No that doesn't help at all. Those instructions direct users to the Flash Player Download Center. It is impossible for users to securely download Flash from the Flash Player Download Center.
ʇɐb ɹəuəllıʍ,
Yes, well, only Adobe can fix the problem; I was hoping some Adobe employee would happen to notice and take action, given this is a Critical security vulnerability; You agree this is a valid problem, right?
I was not aware of a way to get in touch with Adobe to report unresolved security vulnerabilities. I just poked around and http://blogs.adobe.com/psirt/ eventually led me to the Adobe Security Report Form which I've filled out.
(Amusingly, Adobe's "Notifying Adobe of Security Issues" web page says, "Adobe takes security very seriously and aims to quickly address any security-related problems involving our products. We've set up an email address that customers can use to report security issues to us directly." In fact, it seems they do not, as they've not provided this "email address that customers can use to report security issues" on said web page.)
We'll see if Adobe finally gets its act together.
I tried one more thing - I opened a JIRA account and reported the issue that way. Result:
I'd recommend posting on our security form (see link below.) I can't promise that you'll get a response, but this issue will be reviewed. I'd recommend asking for a response though, given your concerns.
http://www.adobe.com/support/security/alertus.html
Thanks,
Chris
Chris, thanks for trying, but I've long since done that.
You weren't looking closely enough at what I wrote, which indicated I'd already done so: I wrote, "I just poked around and http://blogs.adobe.com/psirt/ eventually led me to the Adobe Security Report Form which I've filled out."
The text "Adobe Security Report Form" in my earlier post is linked to the URL you posted.
It's the same Security Report (Form) I referred to two more times when I wrote:
Since Flash Player updates are now downloaded and installed silently in the background, this is no longer an issue.
B.t.w. I don't see anybody in the whole world making downloads available via https
Wow, I'm having trouble biting my tongue over your comment, Pat.
What makes you think that, assuming what you claim now happens is true - that "Flash Player updates are now downloaded and installed silently in the background" - the issue has in any way been addressed? Wishful thinking?
Oh, and "Flash Player updates are now downloaded and installed silently in the background" is not even true. Seems like more wishful thinking.
In the latest version of Mac OS X, when one visits a site with flash with an out of date flash player in Safari, it displays "Blocked Plug-in". If one clicks there, the same damn problem still exists. I'm led to
Clicking "Blocked Plug-in" opens http://plugins.apple.com/AdobeFlash-en-us
which redirects to http://get.adobe.com/flashplayer/
clicking on the "download now" button on that page goes to http://get.adobe.com/flashplayer/completion/?installer=Flash_Player_11_for_Mac_OS_X_10.6_-_10.8
which triggers a download - what of? where from?
http://fpdownload.macromedia.com/get/flashplayer/pdc/11.4.402.265/install_flash_player_osx.dmg, http://get.adobe.com/flashplayer/completion/?installer=Flash_Player_11_for_Mac_OS_X_10.6_-_10.8
Oh, and holy smoking lard mound, Batman! Adobe hasn't even signed the thing!
% /usr/bin/codesign -v install_flash_player_osx.dmg
install_flash_player_osx.dmg: code object is not signed at all
Same damn problem. Adobe doesn't give a flying **** about security.
Pat Willener wrote:
B.t.w. I don't see anybody in the whole world making downloads available via https
You're ignorant. I don't mean that as an insult; just a statement of fact. One of the folks making downloads available via https, by default, is a pretty new company based in Mountain View, California: Google. Heard of 'em? They offer a bunch of app downloads, like Google Earth, Google Chrome, the whole Google Play store, AKA Android Market, Google B and started addressing this problem in 2010. I'd bet it's no longer an issue for them (but I'm not sure; haven't checked every app). They're not alone.
Looks like Adobe's been forced by Apple's Gatekeeper to get with the program.
% codesign -vv /Volumes/Flash\ Player/Install\ Adobe\ Flash\ Player.app/
/Volumes/Flash Player/Install Adobe Flash Player.app/: valid on disk
/Volumes/Flash Player/Install Adobe Flash Player.app/: satisfies its Designated Requirement
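One caveat on the check above, with an added example that is not code from the thread or from Adobe. "valid on disk" and "satisfies its Designated Requirement" from `codesign -vv` prove only that the bundle is intact and consistent with its own signature; any Developer ID holder, or an ad-hoc signature, would pass the same test. To know who signed the installer you also have to look at the certificate chain and Team ID that `codesign -dvv` prints (to stderr). The script below parses that output against a policy (Developer ID Application certificate, chain ending at Apple Root CA, expected Team ID) and wraps it with `codesign --verify --deep --strict` and Gatekeeper's `spctl --assess`. The Team ID `ABCDE12345` is a hypothetical placeholder, not Adobe's; the parser itself runs anywhere, the wrapper needs macOS.

```shell
#!/bin/sh
# Added example, not code from the thread or from Adobe. Checks WHO signed an
# .app bundle, not just that its signature is self-consistent, by parsing the
# certificate chain and Team ID that `codesign -dvv` prints.
set -u

# Hypothetical Team ID for the policy check; substitute the vendor's real Team
# ID, obtained from a trusted source, before relying on this.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# Read `codesign -dvv` output on stdin and print "OK" or a "REJECT: ..." reason.
# Policy: Developer ID Application certificate chained to Apple Root CA, not an
# ad-hoc signature, and the Team ID must equal $1. Unsigned objects produce
# none of these lines, so they are rejected too.
signer_verdict() {
    awk -F= -v want="$1" '
        /^Signature=adhoc$/                    { adhoc = 1 }
        /^Authority=Developer ID Application:/ { dev_id = 1 }
        /^Authority=Apple Root CA$/            { root = 1 }
        /^TeamIdentifier=/                     { team = $2 }
        END {
            if (adhoc)   { print "REJECT: ad-hoc signature, no certificate"; exit }
            if (!dev_id) { print "REJECT: not signed with a Developer ID Application certificate"; exit }
            if (!root)   { print "REJECT: certificate chain does not end at Apple Root CA"; exit }
            if (team == "" || team == "not set") { print "REJECT: no Team ID in signature"; exit }
            if (team != want) { print "REJECT: signed by team " team ", expected " want; exit }
            print "OK"
        }'
}

# Exit-status form of the same check, for use at the end of a pipeline.
check_signer() {
    [ "$(signer_verdict "$1")" = "OK" ]
}

# Full check of an .app on macOS, e.g. the installer inside a mounted image
# (`hdiutil attach -nobrowse -readonly install_flash_player_osx.dmg`).
verify_app() {
    # $1 = path to the .app bundle
    # 1. integrity: every nested binary and sealed resource must match its seal
    codesign --verify --deep --strict --verbose=2 "$1" || return 1
    # 2. Gatekeeper's own assessment of the bundle
    spctl --assess --type execute --verbose=2 "$1" || return 1
    # 3. identity: steps 1 and 2 do not pin the signer to one vendor; this does
    codesign -dvv "$1" 2>&1 | check_signer "$EXPECTED_TEAM_ID" \
        || { echo "signer policy failed for $1" >&2; return 1; }
    echo "signature and signer verified: $1"
}

# Usage: EXPECTED_TEAM_ID=<vendor team id> ./verify_app.sh "/Volumes/Flash Player/Install Adobe Flash Player.app"
if [ $# -eq 1 ]; then
    verify_app "$1"
fi
```

Pinning the Team ID is what turns "signed by somebody Apple issued a certificate to" into "signed by the vendor I expected"; without it, a MITM who swaps in a different, validly signed installer still gets "valid on disk".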