I'm getting constant (multiple per day) reminders to update my Flash Player

Hi Divya,

This dang rabbit hole is getting deeper and deeper.

So first I looked up to see what the difference was between NPAPI and PPAPI versions. Just support for different browsers. So, Fault 1 on Adobe for not saying something to the affect: "One of your two Flash Players is out of date, yada yada" so that if one has updated one and not the other, there's still work to be done (and if they both need to be updated, why not do them both at the same time????).

As it stands, the current model is a bit confusing and rather frustrating.

According to Adobe's website Adobe - Flash Player

both versions should be 22.0.0.209. My PPAPI was showing up as .192 so OK, there's the problem.

I did have to close and reopen the Sys Prefs for the update to show up.

One last question: My primary set of reasons for selecting "Notify me to install updates" is for (1) to work around those times when an update is released that shouldn't have been released (it does happen) and I can hold back and wait for a safer/better release, and (2) I do not want to be working on a web page (e.g., filling out a form, whatever) and suddenly have the page close because the browser is rebooting to accommodate a new Flash player.

Are my arguments not supported by what you experience? Is there any reason to support letting Adobe install updates as they deem appropriate?

Thanks,

Thanks for your feedback.  You're at a very small intersection of users who have installed both NPAPI and PPAPI Flash Players on Mac, with Update Notification enabled. 

The standalone PPAPI distribution is a relatively new offering that we made available for the population that was using Chromium-based browsers besides Google Chrome, which happens to be a very, very small fraction of the population.  What we saw in practice was that community wanted Flash, but were using suboptimal techniques for installing it, and we thought it was important to give them an officially sanctioned path quickly.  As you've noted, there's clearly some room for incremental improvement, and I'm happy to open a bug to see if we can ideally just update everything at once, or at the very least, provide some better differentiation.

To answer your question about why you should enable automatic updates and address some of your concerns, iI'll give you some background and context.  Obviously, it's your decision to make, but there's are really good reasons for making automatic updates the default.

The release cadence and the nature of the types of invasive changes that lead to hard-to-predict functional issues in the field are a response to an increasingly well-funded and sophisticated adversary on the security front. 

We actually have something like 30k automated tests and a small army of test engineers that work diligently on this product.  While we do our best to identify issues before the reach the field, the combinatorial scale of all the relevant browsers, operating systems, graphics and audio chipsets and drivers, and the existing body of both well- and malformed content is not something that you can test comprehensively.

It's more important that we respond to, and to the extent possible, stay ahead of bad actors than maintain perfect backward compatibility. It's also not always possible to predict when we make a very low-level change, what the side effects will be on real-world content.  When faced with an ugly decision between functional and security risk, we're going to side with security, and that occasionally means that we break stuff.  While we actually have several million people using our weekly beta builds, it's also the case that that population is sometimes to small for every issue to show up in.  When we break things under those circumstances, it's unfortunate, and it probably means that my weekend plans are toast, but favoring security in the risk assessment is the right thing to do.

There's also an industrial-scale ecosystem dedicated to both blocking and detecting emerging threats that starts at endpoint protections supplied by hundreds of vendors to thousands of corporate and institutional networks, plus the whole personal virus scanner market, which ends at the deployment of malware signatures and software patches for vulnerabilities in the wild. 

Much like epidemiology, Herd Immunity comes in to play on the Internet.  Having the ability to patch a huge swath of the internet quickly in response to one of those notifications reduces the threat to the network overall (back in the 90's and 2000's, you'd see the same exploits working reliably for 6 months after we patched, because nobody updated manually), which means that even patched vulnerabilities remain valuable for a long time.   In a world where we can patch the vast majority of the population within a couple days of someone discovering an exploit in the wild means that the cost of using an exploit stays very high, and on the other end, we use proactive defense-in-depth work to drive the cost of the actual development up.  In short, make it really expensive to build a working exploit, then minimize the window in which an attacker can derive any value from it.

The problem with manual updating is that you have this long-tail of machines which aren't patched regularly, and where that attack remains viable and has value.  The larger that population is, the less effective your disincentives are.  You always have the state-sponsored guys who aren't motivated by money and have infinite resources, but the majority of this stuff is economically driven in nature, and if the activity isn't profitable, the bad guys will move on to something with a bigger ROI.

Because automatic updates ensure that you a.) get those patches as close to immediately as we can get them to you without pushing over the entire Akamai CDN, and b.) ensure that the value of exploits post-patch is effectively nil, we would really prefer that you use them.  Automatic updates provided both the best possible defense to our users, and serve up serious economic disincentives for actors developing those exploits in the first place.

While the decision to delay updates is clearly yours to make, the truth is that we're seeing exploit kits reverse engineer fixes in the latest release in order to target unpatched versions, and they're getting really fast at it.  We continue to up the ante with new defense-in-depth mitigations, but that's a cat-and-mouse game.  There's a new attack for every defense, and defenses generally come at the expense of performance.

Personally, today in 2016, I don't believe that manual patch management is a wise approach outside of specific and extreme circumstances (mission-critical enterprise environments, etc), and feel that the value of fast and consistent patching outweighs the occasional inconvenience of a functional bug.  If you have an IT department with system administrators that can vet patches and have a wealth of other defenses at their disposal, you're in a position to take the contrarian view... but for the vast majority of people, that's not the reality.

It's also true that I totally relate to, and have taken your stance on patching in the past.  My thinking has evolved with the realities of the current security landscape, and at this point, I'm happy to deal with the inconvenience of the occasional functional bug vs. worrying about contracting a well-executed piece of malware that gave an attacker persistent, unnoticed access to my system -- particularly when you're talking about applications that process untrusted content.

Hi Jeromeiec,

Having been involved with Adobe software since long before the CS stuff started, I gotta say that is one of most complete and detailed response I've ever received from an Adobe Engineer (and I've sat down over beers on some of the answers).

I guess the one extra thing I should point out is that I never intended to install both, in fact I never knew there were two to install (as you could probably deduce from what I was saying). What I've found over the years is to have AT LEAST two browsers at the ready since every once-in-a-while one can encounter a website that just doesn't want to work in X browser but might work just fine in Y browser. I've yet to find any browser that does exactly what I want it to do so I do what many others do, settle for something that's OK.

Nonetheless, I'm intrigued that very few have intentionally (or not intentionally) have both versions installed. I find it hard to believe that having multiple browsers at the ready is not more common than that.

Now, to be more specific, there are three reasons why IN GENERAL I prefer to do manual patching over automatic. One of these I stated before: if the patch causes something else to break down that's not good.

For a 2nd reason, decisions made by Adobe can have significant unintended consequences. This past year, when the CC did it's update, it not only updated the user's software to the most recent CC software, it also removed the earlier version of that software. While that might be at most an inconvenience, in this particular case, there were many who had plugins for their software that didn't/couldn't work with the latest software. Since the earlier version of the Adobe software was removed, now the user had to learn how to reinstall the older software and reinstall the plugins. So the user, doing a 15-30 minute update ended up wasting many hours. My point is simply that the unintended consequences for decisions that were not vetted by the testing community can be dreadful.

The second issue, and one that I do not fully know if this is a real or perceived issue is "when will the update be done?" As I first mentioned, when I got this update warning, I was in the middle of filling out a form on the web and did NOT want to deal with a Flash Player update until I had finished filling out that form. The last thing I need/want is to be forced into a reboot of my browser because something needs to be updated and can't wait for 10-30 minutes. But again, I do not know how your auto-updating works.

As I stated, I've been working with Adobe software for a gazillion years and if you follow my email, you can see some of those links (but not with Flash).

By your arguments though I will switch my Flash Player updating to automatic and see what happens. After all, what could happen??

;>)

Best and again thanks for your thorough explanation,

Gary