Adobe Flash Player And Shockwave September Updates Released Without Change Logs

Adobe released new versions of Flash Player and Shockwave Player for Windows two days ago – I’ve been waiting for them to publish change logs to see what’s new but so far there is no sign of them.

Change logs are not just of interest to tech addicts – they let all users know in advance what changes are going to be made to their computer e.g. if they are urgent security updates or not. Using this information, people can decide whether or not to install the update – not providing a list of changes makes it impossible to judge the need to update and the possible impacts.

Flash Player is used by so many websites (over 22% according to W3Techs) and has caused so many recent problems in web browsers that it is particularly important to know what has changed. However, Adobe have contradictory information on their websites as to what the new version actually contains – here is all I’ve found so far:

Adobe Flash Player 11.4.402.278 – According to Adobe’s Release Notes for Flash Player 11.4, this version doesn’t exist yet – they still point to 11.4.402.265 as the latest version, even though the update has been out for 2 days now.

According to Adobe’s Security Bulletins for Flash Player, the last bulletin was posted in August and refers to 11.4.402.265 – not the latest version. However, Flash Player Support Center states that the new 11.4.402.278 “contains fixes for critical vulnerabilities identified in Security Bulletin APSB12-19″ which is the August bulletin noted above…

Either the update last month did not actually fix (all of) the security vulnerabilities (which is not good news as it means Flash Player has been at risk for weeks) or Adobe have made a mistake and there are no security updates in the latest version?

It’s impossible to know for sure but it is probably safest to assume that the new version released this week does include security updates – and should therefore be installed. It may include other fixes but, if so, Adobe aren’t saying. We have previously explained why you should update Flash Player and it is particularly important to install security updates as it is regularly targeted by viruses and hackers.

Updating – Users who have set Flash Player to receive updates automatically should already have received this update. For other users, the update for Windows can be downloaded from Adobe here.

[Google Chrome contains an integrated Flash Player which is updated automatically – no user action is required. However, the latest Chrome version 21.0.1180.89 does not yet contain this updated Flash Player – the changes may be included in the PepperFlash plugin but I haven’t found any changelog for that either]

Shockwave Player 11.6.7.637 – The latest version of Shockwave Player suffers from a similar lack of information. According to Adobe’s Security Bulletins for Shockwave Player, the last one was posted in August and refers to 11.6.6.636 – not the latest version. However, as with Flash Player above, this might not be the whole story – it remains unclear as to what has changed.

Updating – The update for Windows can be downloaded from Adobe here. This might be a good time to reconsider whether you actually need Shockwave Player. Although it is still used by some multimedia sites they are increasingly rare – I can’t remember the last time I visited a site that required it.

If in doubt, try disabling Shockwave Player in your browser for a few weeks and see if any sites require it. If not, uninstall it and you will never have to worry about future updates or security risks from Shockwave again – you could always reinstall the latest version later on if necessary.

Conclusion

Adobe’s various websites offer contradictory (or no) information about what is included in these updates so it is impossible to be sure (at the time of writing) how necessary the changes are. For such a large company this appears to be poor customer communication – it may not make much difference to home users but businesses may use change logs to help focus testing and assess whether to roll out the latest changes to all their computers.

It’s impossible to make an informed decision but, based on previous security vulnerabilities, it is probably safest to install these updates in case they do enhance security.