Thursday, February 26, 2009

Adobe Flash Player Update

Once again, there is a security hole in Adobe Flash and everyone should update to version (open Flash Player Version Display in case you want to know the version of your Flash Player).

Home users can easily go to the Get Flash page from Adobe and update their player. No big deal.

However, in a company with more than 500 computers, users are normally not allowed to install any software and any ActiveX/XPI download is blocked. Means: All these users can't update their flash player; it must be installed by the IT.

Normally this isn't a big problem at all since the Flash player for Internet Explorer is just an OCX file that you can easily replace. Starting with version 10, Adobe patches the security ACL for this file and denies the user EVERYONE the access to write the attributes for the OCX. Before they do this, they set the attributes of the file to READ-ONLY.

Boink, you can't copy the new OCX file because it's marked READ-ONLY. ATTRIB –R does also not help, because the ACL on the file prevent you from doing this. To make a long story short: In order to update Adobe Flash manually you need to perform the following steps.

  • Get a new Flash OCX from Adobe. Easiest way possible is to use one machine that is directly connected to the internet and update Flash from the Get Flash Page page.
  • Copy the Flash OCX from C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx to a network share where all machines have access to.
  • Use the following batch file which will first delete the old Flash OCX, then patch the ACLs on the file, which will allow us to change the attributes using ATTRIB (remove READ-ONLY) which ultimately allows us to copy the OCX file.

SET FOLDER=%SYSTEMROOT%\system32\Macromed\Flash

SET OLDFILE1=%FOLDER%\Flash10a.ocx

SET NEWFILE=%~dp0flash10b.ocx



echo j|CACLS %NEWFILE_DEST% /E /G Users:F
echo y|CACLS %NEWFILE_DEST% /E /G Users:F
echo j|CACLS %NEWFILE_DEST% /E /G Benutzer:F
echo y|CACLS %NEWFILE_DEST% /E /G Benutzer:F



regsvr32.exe %NEWFILE_DEST% /S


Please note: This script will not install Flash, it will just update it. And it only updates Flash for Internet Explorer, not for Firefox or any other Browser. That every call to CACLS is duplicated is simply due to the fact that we also have German machines which expect "J" for JA instead of "Y" for YES.

No comments:

Post a Comment