January 6, 2008 3:28 PM PST

Black eyes for Adobe

On December 22, I wrote about problems updating the Flash player in Firefox, where I mentioned that the Adobe un-installer program for the Flash player does not always un-install the Firefox plug-in DLL version of the Flash player. Simply put, Adobe is not aware of all the places that Firefox looks to find the Flash player. The un-installer would run fine, but Firefox would nonetheless continue to use an old version of the Flash player, even after installing a newer version.

At the time, I reported this as a bug to Adobe (using this form). It is now two weeks later, and Adobe never responded, either to me or by updating the un-installer.

Realizing their press people might want to be aware of this, I also contacted the public relations department at Adobe (using this form). No response.

And then there is the whole issue of needing a special Flash player un-installer in the first place. Did you know this was necessary? Do your friends?

From where I sit, it doesn't seem that Adobe has done a good job of communicating this. And it's a necessary communication: removing the Flash player using the standard Add or Remove Programs applet from the Windows XP control panel doesn't work, and may or may not indicate that it doesn't work.

Speaking of communication, did you know that versions of the Flash player prior to "9,0,115,0" have serious security bugs (aka vulnerabilities or holes)? Secunia calls these bugs "highly critical." The tech support page for Flash doesn't mention them at all.

Then there are the recent stories about Adobe spying on how their customers use their CS3 software.

-- Adobe, Omniture in hot water for snooping on CS3 users
    by David Chartier December 31, 2007

-- Wear tinfoil hats when using Adobe products
    by Nicholas Carlson December 27, 2007

The CS3 software makes an outbound connection to something specifically designed to deceive. The connection is to a computer by name, but the name was chosen to look like a safe IP address. Specifically, the CS3 software communicates with 192.168.112.2O7.net.

Many people know that IP addresses that start with 192.168.x.x are for internal use only. That is, they are special IP addresses that do not exist on the Internet, but are instead reserved for use on local area networks. Adobe and tracking firm Omniture tried to use this commonly known fact to trick people who are not real techies.

Nerds know that this is 207.net, but many people no doubt see it as 192.168.112.207 and think it is a safe, internal-use-only IP address. Pretty sneaky.

By the way, Omniture owns two 207.net domains, one with the middle character the letter "O" and one with the middle character a zero.
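A check for this kind of look-alike name can be automated when reviewing firewall or proxy logs. The following is an added example, not part of the original post: it flags DNS names whose leading labels read as a dotted-quad IPv4 address. The look-alike character set and the shortcut of treating the last two labels as the registered zone are assumptions, and the sample destinations are constructed.

```python
import ipaddress

# Letters that pass for digits at a glance (assumed set, extend as needed).
LOOKALIKES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1"})

def classify_host(host):
    """Classify a destination taken from a firewall or proxy log entry."""
    host = host.strip().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(host)
        return {"verdict": "ip-private" if ip.is_private else "ip-public",
                "looks_like": str(ip), "dns_zone": None}
    except ValueError:
        pass  # not a literal address, so it is a DNS name
    labels = host.split(".")
    # Check every run of four consecutive labels for a disguised dotted quad.
    for i in range(len(labels) - 3):
        quad = ".".join(l.translate(LOOKALIKES) for l in labels[i:i + 4])
        try:
            ip = ipaddress.IPv4Address(quad)
        except ValueError:
            continue
        kind = "private" if ip.is_private else "public"
        return {"verdict": f"name-mimics-{kind}-ip", "looks_like": str(ip),
                # Assumption: the registered zone is the last two labels.
                "dns_zone": ".".join(labels[-2:])}
    return {"verdict": "hostname", "looks_like": None, "dns_zone": None}

def flag_destinations(hosts):
    """Return only the destinations whose name imitates an IPv4 address."""
    results = {h: classify_host(h) for h in hosts}
    return {h: r for h, r in results.items()
            if r["verdict"].startswith("name-mimics")}

# Constructed sample of outbound destinations, as a firewall prompt might list them.
SAMPLE = ["192.168.112.2O7.net", "192.168.112.207.net",
          "192.168.1.10", "www.adobe.com"]

if __name__ == "__main__":
    for host, result in flag_destinations(SAMPLE).items():
        print(f"{host}: reads as {result['looks_like']} "
              f"but is a name under {result['dns_zone']}")
```

Both spellings of the domain are flagged, while the genuine private address and the ordinary hostname are not.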

Finally, there is another wrinkle to the problem of not fully removing the Firefox plug-in DLL version of the Flash player. Originally, I noted that Adobe's un-installer failed to remove the program from
C:\Program Files\Mozilla Firefox\plugins\

Recently, I worked on a computer that had Netscape Communicator installed (the e-mail program continued to be viable long after the Web browser fell by the wayside). On this machine, the Flash player DLL was in
C:\Program Files\Netscape\communicator\program\plugins

The un-installer missed this too.

If you know someone at Adobe, you might want to pass this on. They won't speak to me.

Update: Someone from Adobe contacted me on January 7th. They are investigating this now. Apparently many/most/all Adobe employees take off from December 24th until early January.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Adobe is Horrible about communicating....
by fred dunn January 8, 2008 7:55 AM PST
Issues with their software. For Adobe you almost HAVE to depend on an independent Security vendor such as Secunia. I highly recommend all your readers use Secunia's online scanner (requires Sun Java VM) to scan for apps that need updates. Browser extended apps and networked apps (somewhat redundant) have become the vector of choice in the last year and there is no sign of this trend slowing down. There is currently a Cross Site Scripting vulnerability even with the current Flash reader version 9.0.115.0. Adobe indicates that they will fix this problem sometime in early 2008! How about you fix it now? For more info: http://www.adobe.com/support/security/advisories/apsa07-06.html Also for those who are responsible for patching enterprise installations it would be nice to have a GOOD silent installer, although the last update did remove the old Flash version which previous to 9.0.115.0 it just left the old files.