Flash still not patched

Ryan Naraine took at look at the Google Analytics for a couple sites and notes that those visitors aren’t patching their flash.
I’m seeing the same types of thing he’s seeing when I look in the Google Analytics report for www.infosecblog.org.
Nearly 30% report that they are running unpatched Flash 9.0 r115.
You’d think if you were at a security blog, reading about Flash updates, that you might want to check if your Flash is up to date.
I’m a little surprised to hear people say that Adobe doesn’t have a Flash update mechanism. Until I killed the updater in our environment, users where prompted to update if one was available at the time they accessed a Flash applet.
At Shmoocon, one of the sessions discussed passive vulnerability fingerprinting like this. If you don’t have the ability to do authenticated scans on your look for opportunities like this to gather version information from the logs.


  1. I was meaning to blog about that last week. I did mention it at work, but never got it on the blog.
    I installed xpsp3 on my home computer. Secunia Personal Software Inspector alerted that I had an old version of Flash, but it was not build 115. The sp3 install aded flash.ocx version
    Secunia likes to go nuts about old verisons of flash so I just renamed the file. IE can only use one version of flash at a time. I verified the version I was running (build 124 for both IE and Firefox) and called it a day.
    I’m not sure what other people are seeing but I definately didn’t see build 115 replace build 124. I’ll have to watch for that as I upgrade other computers.

Comments are closed.