By Rob Pegoraro
Friday, June 11, 2010; 1:14 PM
Adobe shipped the semi-awaited 10.1 version of its Flash Player browser plug-in last night, but the results aren't likely to earn the San Jose, Calif., company any more friends.
Adobe's blog post and release notes tout Flash 10.1's performance, stability and privacy improvements. But the real reason to install 10.1 is its security fixes, which close a serious vulnerability.
An Adobe advisory issued June 4 warned that this hole could "allow an attacker to take control of the affected system" and was apparently "actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat."
(Adobe Reader, unfortunately, won't get patched until June 29. Don't want to wait? Most Mac users can and should dump Reader for OS X's own Preview. Windows users can try such free alternatives as Sumatra PDF or Foxit Reader.)
Given the urgency of Flash 10.1's security fixes, it's odd that Adobe makes it so hard to see what version of Flash you have. Unless you know to right-click on a Flash object on a page and select "About Adobe Flash Player 10..." from that menu, you're left to puzzle through Flash Player pages on Adobe's site--where neither its support, help nor download pages list your plug-in's version. Instead, visit the "about" page that the Flash right-click menu links to.
(Flash can alert users to updates, but it comes set to check for them only every seven days--way too long when an exploit's loose.)
Downloading and installing the new Flash plug-in remains a laughably bad procedure.
On Windows, you must do this twice--once for Internet Explorer, once for such non-IE browsers as Firefox and Chrome. In IE, Adobe asks you to run a "download manager" in the browser (requiring clicks through two security alerts in Windows Vista and 7) and, by default, will add a McAfee Security Scan utility. In Firefox, Adobe requests that you install a different in-browser download manager--which you can't use until you restart Firefox--after which it will again push the McAfee program. To avoid this runaround, download and run the plain installer files: one for IE, the other for non-IE browsers.
On a Mac, there's no download-manager idiocy. But Adobe's installer will require you to type in an administrator password to authorize its actions--and this tool, unlike the one Apple includes in OS X, won't let you check what files it plants on the hard drive. And some promised Mac features, such as better performance when playing H.264 video files, aren't coming until later. Anybody still wonder why Steve Jobs dislikes this program?
Since I refrained from installing beta versions of Flash 10.1, it's too soon to say if it delivers on Adobe's performance and stability promises. Other writers seem impressed, though, and I have seen one notable fix so far: this nifty Space Shuttle launch-sequence video no longer crashes in Safari.
Unfortunately, Flash's settings panel--accessible only by right-clicking on a Flash object or visiting a special Adobe page--remains the same freakshow as ever.