We have the same problem.
I believe it will auto update 30 days after release automatically so you have 30 days of potential vulnerability. Not sure if Adobe staff read this but if they do please remove that 30-day wait.
A workaround is to deploy flash by hosting it on a server (IT Admin: Deploying Flash Player via Background Updater) or deploy a Google Chrome setup msi via a GPO and set the GPO to make Chrome the default browser (since Chrome doesn't need a separate flash plug-in). Chrome will auto update on the day of the new Chrome release.
Why not just script it, then push the script out?
It's not hard to script the bat to download, cleanup/uninstall and install the new msi files directly.
It's very simple to push that out.
Yes, the information you have provided is correct. 184.108.40.206 is the recent build, which was pushed along with 220.127.116.11 as a silent update for all the users who are still on ver17.0; both these builds have the same security fix, and thus both of them are secure and pose no harm to your system.
Now what is a Loud-Release --> For a major release or major feature release we notify all our users that we have a major change in our builds, so all systems will get a notification that a major release is available for download and install. During this period everyone is supposed to go to the Flash Player Install/Update page to get the latest flash player installed, which has to be done manually using our Download Manager.
1. If you were a 17.0 user and updated to 18.0 via our online downloader you would have got 18.104.22.168, and then will be silently updated to 22.214.171.124
2. If you are on 17.0 you will move to 126.96.36.199, where 188.8.131.52 is the build shipped with 184.108.40.206 which does not have the latest features but has all the security fixes. Every 17.0 user will keep getting the notification to upgrade to 18.0 for which he'll have to download via our online download manager.
Because you have many systems you have to manage I recommend moving yourself to a more controlled and administrative environment where you can manage updates by creating a server for pushing the silent update bits (Adobe Flash Player Distribution | Adobe bits) and all the machines with Flash Player installed will then refer to your system for any update.
Please refer to the following links:
Will v17.x (in my case 220.127.116.11) upgrade silently to v18.x at any time?
We have an mms.cfg deployed via GPO to update clients (direct from Adobe - we don't have a LAN mirror). However, Firefox automatically treats any Flash lower than 18.104.22.168 as vulnerable so blocks and nags users:
We also had the mms.cfg deployed via GPO to silently update. And most of us here also use Firefox. I grew tired of seeing the message that flash is vulnerable and having to allow it and each and every site to run Flash and I am sure that my users were tired of this as well. I ended up writing a script that runs during startup on each client. The script checks the registry to see what version of Flash is installed on the client. If the version installed on the client does not match the latest version, then the old version is uninstalled and the latest version is installed; if the client does have the latest version the script stops. Since I am using this method I configured the mms.cfg to no longer silently update and I now receive email notifications when a new version of flash is installed and will then update my script. I went this route because major releases of Flash will not install over the previous version; this is the case anyway going from Flash 17 to 18.
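The startup check described in the post above, sketched in PowerShell as an added example (it is not the poster's script). The registry location, file names, signer subject, installer switches and the 0.0.0.0 target version are assumptions or placeholders; the signature check on a local copy is added because the installers are read from a shared folder and run from a computer startup script.

```powershell
# Added example, not the poster's script. Values marked ASSUMED are not from the thread.
$ErrorActionPreference = 'Stop'
$TargetVersion = [version]'0.0.0.0'      # PLACEHOLDER: set to the release you have approved
$Share     = '\\servername\gpopublishedapps'                # share named later in this thread
$Files     = @{ Uninstall = 'flash_uninstaller.exe'         # ASSUMED file names
                Install   = 'flash_plugin_installer.exe' }
$RegPaths  = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin', # ASSUMED version location
             'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayerPlugin'
$Publisher = '*O=Adobe Systems Incorporated*'               # ASSUMED signer subject

function Get-InstalledFlashVersion {
    foreach ($path in $RegPaths) {
        $v = (Get-ItemProperty -Path $path -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) { return [version]($v -replace ',', '.') }  # accept 18,0,0,x or 18.0.0.x
    }
    return $null                                            # plugin not installed
}

function Copy-VerifiedInstaller([string]$Name, [string]$WorkDir) {
    # Verify a local copy rather than the file on the share,
    # so the file that is checked is the file that runs.
    $local = Join-Path $WorkDir $Name
    Copy-Item -Path (Join-Path $Share $Name) -Destination $local -Force
    $sig = Get-AuthenticodeSignature -FilePath $local
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $Publisher) {
        throw "Refusing ${Name}: signature status '$($sig.Status)'"
    }
    return $local
}

$installed = Get-InstalledFlashVersion
if ($installed -and $installed -ge $TargetVersion) { exit 0 }   # current: nothing to do

$work = New-Item -ItemType Directory -Path (Join-Path $env:SystemRoot "Temp\$([guid]::NewGuid())")
$code = 1
try {
    $un = Copy-VerifiedInstaller $Files.Uninstall $work.FullName
    $in = Copy-VerifiedInstaller $Files.Install   $work.FullName
    # ASSUMED silent switches; confirm them against the installers you deploy
    if ($installed) { Start-Process -FilePath $un -ArgumentList '-uninstall' -Wait }
    $code = (Start-Process -FilePath $in -ArgumentList '-install' -Wait -PassThru).ExitCode
} finally {
    Remove-Item $work.FullName -Recurse -Force
}
exit $code
```

With the placeholder version left at 0.0.0.0 the script exits without changing anything on a machine that already has the plugin.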
Hi Ricard - does your script not require administrator rights though?
The good thing about the mms system was that it ran as the "local system" account so non-admins (e.g. the users) would be updated without needing admin rights.
Ideally the mms would update major flash versions immediately.
No admin rights needed as the script runs on startup of each client and the Flash exe's are stored in a public directory. Simply deploying the mms.cfg was nice until this major release was pushed. Another way around all of this is to limit users to using Chrome only.
Could you post the script for IE and Chrome?
This is the deployment method for Chrome:
Download the chrome msi (googlechromestandaloneenterprise.msi) from https://www.google.com/work/chrome/browser/
Create a shared folder on the server, and share it out
Share permissions: "everyone" full control
NTFS permissions: "domain computers" full control (note this is "domain computers" not "domain users")
Let's say the share is \\servername\gpopublishedapps then the full path to the msi is \\servername\gpopublishedapps\googlechromestandaloneenterprise.msi
Now create a GPO:
Computer Configuration - Policies - Software Settings - Software installations - New Package - Now browse to the msi in the shared folder as noted above - Then under the Deployment method window set the radio box to "assigned".
Now apply this new GPO policy to the OU with your workstations.
When they next reboot they will get Chrome installed by the computer account so even users without admin rights will get it installed. By default the msi will also install the Google scheduled task that runs as the system user to autoupdate Chrome to the latest version meaning you will always have a fully patched Chrome and flash. This is a "set and forget" method.
You could do the same for flash if there was an msi but you would have to copy in the new msi and refresh the policy each time a new flash came out. No "set and forget" here.
Ricardc might give you his method of updating flash with a script...
Or maybe as piyush says, Adobe will rethink their autoupdate policy and fix their scheduled task so it actually updates to the latest version as soon as a new release is out regardless if it's a "loud release" or not. Hopefully they will soon after all that cryptolocker fun this flash bug has caused