Slashdot Mirror


Mozilla To Protect Adobe Flash Users

juct writes "Beginning with versions 3.5.3 and 3.0.14 of Firefox, Mozilla is going to check the version of installed Adobe Flash plug-ins and warn users if it discovers an outdated version with potential security holes. Mozilla confirmed this new security feature and said that the Flash version check was part of a wider commitment to 'protect users from emerging threats online.' Just recently, a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in."

132 comments

  1. Guaranteed to work by Norsefire · · Score: 4, Insightful

    "WARNING!! The version of Adobe Flash you are using is out of date and contains security holes, please upgrade by clicking here ..."

    Oh dear, I don't understand what this means. Luckily my son, who got sick of me ringing him for computer help, told me what to do whenever I encounter a box I don't understand; click the X, or click cancel, or ignore. Now back to clicking on every ad I see.

    Of course, that isn't likely to happen. It would be more like:

    WARNING!! The version of Adobe Flash you are using is out of date and contains security holes, unfortunately you are using Internet Explorer so there is no warning.

    1. Re:Guaranteed to work by Anonymous Coward · · Score: 1, Funny

      I got my parents to use Firefox. (of course, for some reason, they call it "Mozilla" and not "Firefox")
      They're mostly happy, except you can clearly see the porn my dad goes to thanks to the smart location bar.

      See, it's not impossible.

    2. Re:Guaranteed to work by RiotingPacifist · · Score: 4, Funny

      ctrl+shift+P FTW, that way nobody has ever found out that I like gay midget donkey porn!

      --
      IranAir Flight 655 never forget!
    3. Re:Guaranteed to work by drseuk · · Score: 1

      Just be grateful the Mozilla Protection Project is sponsored by Google and not Durex.

    4. Re:Guaranteed to work by Midnight+Thunder · · Score: 3, Interesting

      Oh I thought it should have been:

      "Warning: You are using Adobe Flash, are you sure this is such a good idea? How about some nice Dynamic SVG?"

      --
      Jumpstart the tartan drive.
    5. Re:Guaranteed to work by trawg · · Score: 1

      It's an interesting branding issue - a significant proportion of the non-technical people I know that use Firefox call it Mozilla (though my dad keeps mispronouncing it "Mot-zilla", and he's not the only one I've met that does that).

    6. Re:Guaranteed to work by binarylarry · · Score: 1

      Where I work, all the stupid fucking management call it "Mazolla."

      You know, the MBA types.

      --
      Mod me down, my New Earth Global Warmingist friends!
    7. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      Better than my mother, she calls it foxfire ever since the change from phoenix!

    8. Re:Guaranteed to work by Hurricane78 · · Score: 3, Insightful

      You contradict yourself twice in that little paragraph. What point is it you are trying to make?? ^^

      I think they will simply click on that OK to upgrade, as they click on everything else. To support that, just make the cancel button look small, scary, not recommended, with a sick face and a burning computer on it, and make the OK button 80% of the rest of the dialog, and make it look like a "red cross love palace for health, safety and happiness".
      I'm serious!

      Also, here in Germany, most people use Firefox, you insensitive clod! :P

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    9. Re:Guaranteed to work by value_added · · Score: 2, Funny

      Oh dear, I don't understand what this means. Luckily my son, who got sick of me ringing him for computer help, told me what to do whenever I encounter a box I don't understand; click the X, or click cancel, or ignore. Now back to clicking on every ad I see.

      How the fuck does a post that consists of incoherent rambling get modded up?

      The above pseudo anecdote may have been funny if the fine article involved Firefox opening dialog boxes, but that's not the case. Either the OP didn't read the article, or didn't notice the bit about the "landing page".

      I'd add that the unrelated comment about IE (a non sequitur, actually) is even less funny, but I can't figure out WTF he was trying to say. Or what any of it has to do with ... anything.

      Next up, an excerpt from a Beavis and Butthead script that gets modded both insightful and funny:

      Popup windows.
      You said popup.
      Ha ha ha.
      Just click the X stupid.
      Ha ha ha.
      Internet Explorer is teh suck.
      Ha ha ha.

    10. Re:Guaranteed to work by maxume · · Score: 1

      It's not their fault that blonds are more fun.

      --
      Nerd rage is the funniest rage.
    11. Re:Guaranteed to work by Late+Adopter · · Score: 4, Funny

      "Warning: You are using Adobe Flash, are you sure this is such a good idea? How about some nice Dynamic SVG?"

      That'd be great! Do you have any? This, ummm, isn't my website, you know. =P

    12. Re:Guaranteed to work by Jurily · · Score: 1

      Yet.

    13. Re:Guaranteed to work by thanasakis · · Score: 4, Insightful

      Have you ever actually tried writing some nice dynamic svg?

    14. Re:Guaranteed to work by commodore64_love · · Score: 0, Troll

      >>>i like gay midget donkey porn!

      Big deal. At least that's legal. I like porn starring 15-year-old men and women, and for some reason I'm in jail? (shaking head). Illogical.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    15. Re:Guaranteed to work by commodore64_love · · Score: 1

      >>>just make the cancel button look small, scary, not recommended, with a sick face and a burning computer on it, and make the OK button 80% of the rest of the dialog, and make it look like a "red cross love palace for health, safety and happiness".
      >>>

      This is what Paypal does when they ask, "Are you sure you want to use a credit card to pay?" with a gigantic "NO" and a little barely visible "yes I'll take the risk" next to it. I would prefer that my computer not adopt the same sort of deception.

      Besides I don't want to upgrade my Flash. I have the full version of Acrobat and do not feel like dishing-out another $100 to buy the latest version. I will take my risks and stick with what I have.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    16. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      Imagine Slashdot in the year 2015: What SVG? I have SVGBlock installed hurhurhurhurr

      Actually 2015 might be too optimistic for SVG adoption.

    17. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      It isn't exactly a hard thing to do, just a lengthy process depending on how complex and/or long the animation. (unless you are meaning modifying it with JavaScript?)
      Doing inline dynamic SVG is a problem at the moment I think. (at least it was last time I tried inline SVG... about a week ago)

      Creating a dynamic JPG, now there is something hard. (not impossible though, if you are good at working with binary in JavaScript, you can do it)

      And in saying that, you'd honestly be better off using CANVAS now, and O3D if you are daring.

    18. Re:Guaranteed to work by lukas84 · · Score: 1

      In 2015 I want my Mr. Fusion and flying Hovercars, not SVG.

    19. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      Silly /.'r, this "Dynamic SVG" is just a myth.

    20. Re:Guaranteed to work by PsychoSlashDot · · Score: 1

      It's an interesting branding issue - a significant proportion of the non-technical people I know that use Firefox call it Mozilla (though my dad keeps mispronouncing it "Mot-zilla", and he's not the only one I've met that does that).

      Same cause as the one wherein I have to help my customers recover their Microsoft documents. Or fix the error they keep getting sometimes - they don't know when - in their Microsoft, which they refuse to write down. I've got a customer running two programs from Primavera (now owned by Oracle): Primavera Project Planner (P3) and Primavera Expedition. They're both "Primavera" to every employee at that customer.

      The cause is marketing. Microsoft Windows. Microsoft Office Word 2007. Microsoft Internet Explorer. Primavera Project Planner. IBM Lotus SmartSuite. Even CorelDRAW! and Corel WordPerfect. End-users retain the first word, no more. If companies would stop slapping their company name all over their product names, my life would be easier. I'm sure it's the same in the automotive industry; Ford Fusion, Ford Flex, Ford F150.

      --
      "Oh no... he found the .sig setting."
    21. Re:Guaranteed to work by aoheno · · Score: 1

      Need tech support from the son but can post /.? Awesome. Can he help me get my great-grandmother to post?

      --
      Her lips were softer than a duck's bill, but her quacks ...
    22. Re:Guaranteed to work by fluffy99 · · Score: 1

      Don't be a wuss. Upgrade the Flash, it's free and gets rid of a gigantic hole in your browser. I feel your pain on Acrobat as they stopped supporting the ancient versions. But of course those versions can't handle all the files and features generated using the latest versions anyway. If you just want to print to PDFs, there are better free programs out there.

    23. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      IE handles the install of Flash (And every other ActiveX POS out there, of course, but that's another story) rather seamlessly.

      If I want to install Flash in FF, I get redirected to Adobe's site and have to download and run something. In IE, it just installs via ActiveX without ever leaving the page. Aren't updates similarly more streamlined?

    24. Re:Guaranteed to work by Dragonslicer · · Score: 4, Funny

      How the fuck does a post that consists of incoherent rambling get modded up?

      Um, this is Slashdot. You have been here before, right?

    25. Re:Guaranteed to work by Anonymous Coward · · Score: 0

      Yeah. Dynamic SVG targeting 20% of the web, or Flash targeting 98%.... Hmm...

    26. Re:Guaranteed to work by Rockoon · · Score: 1

      Prude!

      --
      "His name was James Damore."
    27. Re:Guaranteed to work by badkarmadayaccount · · Score: 1

      Mod parent insightful.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  2. Presumably by drseuk · · Score: 5, Funny

    the remaining 20% don't use Flash then?

  3. Gnash? by the_one(2) · · Score: 2, Interesting

    I admit I don't use flash very often because it's annoying and Adobe's flash plugin uses way too much CPU, but is it still needed? Gnash has worked for me every time I've tried it lately (admittedly mostly for youtube). Tried it now with a flash game and it seems to work.

    1. Re:Gnash? by The+MAZZTer · · Score: 1

      Sounds like it doesn't from your post-parent. Mind giving some reasons why it "sucks"?

    2. Re:Gnash? by RiotingPacifist · · Score: 3, Interesting

      Switching is too much of a PITA, if gnash works for 70%+ of content and I could easily load adobe for the other 30% (new games etc), I would switch too! Unfortunately on linux switching requires me to run a script and restart firefox. Ideally gnash could chainload adobe flash but the devs probably hate the idea of accepting partial defeat, unfortunately until they do it's too much of a PITA for day to day use!

      --
      IranAir Flight 655 never forget!
    3. Re:Gnash? by dazjorz · · Score: 1

      I don't know how it works, but in the default Firefox on Ubuntu, I can switch live between Gnash and Adobe Flash by a "plugins" button to the bottom right corner of every window. Maybe it's Ubufox doing that, not sure. Last time I used it it was a little buggy sometimes, but overall it works quite well.

    4. Re:Gnash? by TheRaven64 · · Score: 1

      For one thing, it doesn't (or, last time I checked, didn't) support the BBC iPlayer, which is about the only reason I would want flash to work. On the plus side, it does work with a lot of simple Flash adverts...

      --
      I am TheRaven on Soylent News
  4. And Good For Them! by Toad-san · · Score: 4, Interesting

    I've found replacements for Adobe Reader and Real player (Foxit and Real Alternative), but couldn't find a replacement for the Flash player (alas).

    This is better than nothing. I have Flash (and all other scripts) turned off by default in my Firefox browser, but am still forced to use it to see some things.

    Yeah, I know the troglodytes won't understand the warning, but it might give them the slightest clue that something's wrong.

    1. Re:And Good For Them! by Onymous+Coward · · Score: 1

      ... couldn't find a replacement for the Flash player (alas).

      Eventually it'll be findable. In the form of standard HTML.

      For a good number of uses that Flash is currently put to HTML is already the answer.

    2. Re:And Good For Them! by Anonymous Coward · · Score: 0

      FWIW: The "Real Alternative" player is just the Real One codecs that work in 3rd party players. I'm not sure if that actually protects you from anything, but it certainly is nice to keep the bloated Real One player from showing up all the time.

    3. Re:And Good For Them! by The+MAZZTer · · Score: 1

      I find using NoScript to keep Flash off until I want it on is quite acceptable. It may still be a risk if you frequent sites that allow users to upload their own flash content, but as long as you only visit such sites that screen and approve such content before making it public you should still be OK.

    4. Re:And Good For Them! by Anonymous Coward · · Score: 0

      Silverlight / Moonlight. Seriously, I hate Microsoft as much as the next guy, but a language-agnostic VM with a mostly-open spec is a fantastic alternative to the aging and always-shitty Flash.

    5. Re:And Good For Them! by vcompiler · · Score: 1

      To put everything in a marked language standard is really a bad idea. If you want to replace Flash, replace it with another better-design or more open PLUG-IN. Plug-in model is how software can be built by collaborative organizations and how each component remains clean-designed and well-maintained.

    6. Re:And Good For Them! by characterZer0 · · Score: 1

      He wants a replacement for the flash client so he can see what others have created, not a replacement for the flash technology so he can create with something else. Such replacements already exist: Silverlight and JavaFX.

      --
      Go green: turn off your refrigerator.
    7. Re:And Good For Them! by Anonymous Coward · · Score: 0

      My alternative to Real Player is empty hard drive space.

    8. Re:And Good For Them! by tepples · · Score: 1

      For a good number of uses that Flash is currently put to HTML is already the answer.

      That is, if all the major browser makers can agree on a codec for the <video> element.

    9. Re:And Good For Them! by sowth · · Score: 1

      I have a suitable replacement for flash. Take a strobe light, a 555 timer, capacitor, resistor and power transistor. Connect them into a nice circuit, setting the timing freq for about 1 sec. Shove face into strobe light. Turn on power! Instant replacement for flash, and you don't even have to watch any "punch the monkey" ads.

    10. Re:And Good For Them! by Bri3D · · Score: 1

      "Standard HTML" is sort of an oxymoron.

      Yes, you can do a lot of what's done on the web in "standard" HTML - but then you have to wrangle it into every "standard" browser, which turns out to be subtly different and full of bugs compared to the next.

      It's not even possible to point the finger straight at Microsoft any more - Firefox has its fair share of bugs and an awful lot of non-standard DOM extensions, and every browser disables and enables a certain feature which the next supports. Support is even added and removed in certain browser sub-patchlevels and revisions - for example Safari suddenly started supporting certain DOM load events in a random security patch due to a merge of upstream WebKit.

      Flash provides a common platform on which layout, interpretation, and feature support is similar (nearly identical) across all browsers on most platforms, something no other web programming solution can do.

      Unfortunately that common platform isn't very good, but the homogeneity it allows is the continuing, and probably lasting appeal.

    11. Re:And Good For Them! by Onymous+Coward · · Score: 1

      Gosh, you'd almost think that it would be impossible to build a website.

      People build websites. Websites that work across multiple browsers. It can be done.

      And it'll get easier now that no one browser has the lion's share and a vested interest in subverting the platform.

  5. Does flash not already do this? by RiotingPacifist · · Score: 2, Insightful

    Doesn't flash already prompt you to upgrade from an old version?
    if so how will this warning be more effective (unless they add an auto-update feature)?
    if not, WTF ADOBE!!!

    --
    IranAir Flight 655 never forget!
    1. Re:Does flash not already do this? by postmortem · · Score: 4, Informative

      It does, sometimes on system startup; however it only installs updated plugin for Internet Explorer.

    2. Re:Does flash not already do this? by Anonymous Coward · · Score: 0

      Doesn't flash already prompt you to upgrade from an old version?

      But consider this: If you've turned that stupid nag screen off, what then? I trust you see the problem.

    3. Re:Does flash not already do this? by A+Friendly+Troll · · Score: 4, Informative

      I have never had Flash notify me that it needs an update. Ever. The only time I've seen the notification was on a single computer at the office.

      A few days ago I was given this link http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html - I think it was somewhere on Slashdot, either in the article, or in the comments. Sure enough, I went there, and Flash was set to never notify me of updates.

      Worth checking out.

    4. Re:Does flash not already do this? by Sulphur · · Score: 3, Funny

      We are sorry, this page is designed to work with version 8 or greater. You are using version 10.

    5. Re:Does flash not already do this? by Anonymous Coward · · Score: 0

      I know the feeling all too well. But you can't blame flash for the idiots who write non-future proof version checks.

    6. Re:Does flash not already do this? by Krneki · · Score: 1

      Only if you have Adobe bloatware installed on your PC. I like to keep it clean, so I remove all the Adobe crap from the Auto-start menus.

      --
      Love many, trust a few, do harm to none.
    7. Re:Does flash not already do this? by fluffy99 · · Score: 1

      No it does not. Some websites check the version and prompt you, but it's not a feature of flash itself. I wouldn't mind if Firefox popped up a warning at startup, letting me know there is a new version available if the installed version has a significant vulnerability. Something similar to the nag screen about updating the add-ins. You better give me an option to ignore the warning though, as I may have a valid reason for not upgrading such as breaking a corporate app.

    8. Re:Does flash not already do this? by smoker2 · · Score: 1

      Hear, hear.

    9. Re:Does flash not already do this? by smoker2 · · Score: 1

      It is a feature within Flash itself. Because they fucked up an earlier version, my perfectly valid flash movies show a warning to upgrade to version 10, even though I'm using version 10. I certainly didn't put anything in the script or on my website that would check for version and give warnings, so who did ? I'm not saying Adobe makes it check for updates, I'm saying Adobe provided the ability in actionscript or by some other means, for the developer to check the version from within flash.
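
The version-check failure discussed in comments 4, 5 and 9 of this thread ("designed to work with version 8 or greater. You are using version 10"), as an added example that is not part of any comment and is not Mozilla's or Adobe's code. It puts two common non-future-proof checks beside a numeric, component-wise comparison that fails closed; the sample version strings and the `MIN_SAFE` threshold are constructed placeholders.

```javascript
// Added example, not code from the thread. All sample strings are constructed.
"use strict";

// Hypothetical minimum patched version (placeholder, not an advisory value).
const MIN_SAFE = "10.0 r42";

// Pull every integer out of a version string so that
// "Shockwave Flash 10.0 r32", "WIN 10,0,32,18" and "10.0.32" all parse.
function parseVersion(text) {
  const parts = String(text == null ? "" : text).match(/\d+/g);
  return parts ? parts.map(Number) : null;
}

// Component-wise numeric comparison; missing components count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Bug 1: comparing version strings as text. "10" sorts before "8".
function naiveStringTooOld(installed, required) {
  return installed < required;
}

// Bug 2: reading only the first character of the major version,
// which turns version 10 into version 1.
function naiveFirstDigitTooOld(installed, requiredMajor) {
  return parseInt(installed.charAt(0), 10) < requiredMajor;
}

// Corrected check. Fails closed: if the installed version cannot be read,
// the plug-in is reported as outdated so the user still gets the warning.
function isOutdated(installedText, minSafeText) {
  const installed = parseVersion(installedText);
  const minSafe = parseVersion(minSafeText);
  if (!minSafe) throw new Error("minimum safe version is not parseable");
  if (!installed) return true;
  return compareVersions(installed, minSafe) < 0;
}

// Run the checks over constructed sample inputs and return the results.
function demo() {
  const samples = [
    "Shockwave Flash 9.0 r124", // older major version
    "Shockwave Flash 10.0 r32", // same major, older revision
    "Shockwave Flash 10.0 r42", // exactly the threshold
    "WIN 10,0,42,0",            // comma-separated form of the threshold
    "",                         // version could not be read
  ];
  return samples.map((s) => ({ installed: s, outdated: isOutdated(s, MIN_SAFE) }));
}

console.log("naive string check says 10 is older than 8:",
  naiveStringTooOld("10", "8"));
console.log("naive first-digit check says 10 is older than 8:",
  naiveFirstDigitTooOld("10.0 r32", 8));
console.log(demo());
```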

  6. Solving the wrong problem by Anonymous Coward · · Score: 0, Interesting

    The real problem is all those web sites that you have to use but are completely useless when flash is disabled. What firefox should be doing is sending an email to the web site administrator (it is the semantic web, is it not?) telling them to not rely on flash. Even better is if nobody even used the cruft, but dreaming of that is going from na-na land to someplace even more remote.

    1. Re:Solving the wrong problem by Anonymous Coward · · Score: 0

      My reaction usually consists of "section 508, bitch" type hints at their legal position :p

  7. Hmm by Anonymous Coward · · Score: 0

    I already ignore firefox updates (because I'm lazy). I wonder how many people just ignore updates in general?

    And the sad part is, I know better. Why do they expect Joe Sixpack to heed update warning when a power computer user and programmer is too lazy to click "update"?

  8. Here is patch by dvh.tosomja · · Score: 1, Insightful

    + function IsFlashVulnerable(FlashVersion) {
    + return true;
    + }
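Review bot: the FlashVersion parameter is never read in the function body, so every installed version, including a fully patched one, is reported as vulnerable. If that is not the intent, compare FlashVersion against the minimum patched release and return false at or above it.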

    1. Re:Here is patch by Anonymous Coward · · Score: 0

      function IsFlashVulnerable(FlashVersion) {
                if(userIsIrrelevantIgnorantGimp) {
                            return true;
                } else {
                            return false;
                }
      }

      there, fixed that for ya!!!!!!

  9. one of the major reasons I don't use Flash by Onymous+Coward · · Score: 1

    Just recently, a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in.

    It's an easy/appealing target vector. With the slow revving even the most recent version hangs your ass out in the wind to a substantial degree.

    Now just throw in a good website (server/framework/XSS/whatever) exploit and you've got a serious worm.

    For the worth of the putative benefits I am not encouraged enough to hang my ass out for Flash. (Except I do have it installed! Just kept dormant until I (rarely) click my NoScript button.)

  10. Automatic updates by chrisgeleven · · Score: 4, Interesting

    I am really surprised browser makers aren't doing automatic updates for plugins like Flash. That is really the only way to keep them up-to-date.

    1. Re:Automatic updates by Sosigenes · · Score: 1

      I have been thinking the same thing. I don't think I have ever been prompted to upgrade Flash on my current install, and it's quite far out of date. It's a shame Firefox can't use Mozilla's update functionality for updating plugins as well as addons, as then it would be seamless. In fact, I've just tried to find an easy way to upgrade Flash, and it seems the only way is to go back to the website and download it again?

    2. Re:Automatic updates by Junior+J.+Junior+III · · Score: 1

      Flash does notify me when there's an update available. I'm confused as to what more is needed, other than a truly secure Flash, and a secure environment to run it in.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    3. Re:Automatic updates by Anonymous Coward · · Score: 0

      Don't you feel annoyed though by all of the update prompts? Quicktime, Flash, Java, Adobe Acrobat. I've never had my computer compromised by these plug-ins specifically. It's only natural to say "Meh, I'll update it later. Go away!!"

    4. Re:Automatic updates by TheRaven64 · · Score: 1

      I'm more surprised that they don't run the plugins as an unprivileged user and reparent the window on X11 or use the platform's native sandboxing capabilities on Windows to prevent exploits in the plugin from compromising the browser, let alone the system. But then, popping up a dialog box when there are known vulnerabilities is easier than writing secure code.

      --
      I am TheRaven on Soylent News
    5. Re:Automatic updates by Anonymous Coward · · Score: 0

      Well a better way is to have an OS-level updater, like Ubuntu's Update Manager. All the auto-updating code from Firefox has to be yanked out when building a package for such a system to prevent it from interfering with the superior solution. This flash updater code will also have to go away in Ubuntu because flash is already in a package (flashplugin-installer) and kept up-to-date. What a waste of effort just because per-application auto-updating is needed in Windows.

    6. Re:Automatic updates by robmv · · Score: 1

      Mozilla has provided the tools to do it with extensions, I do not know the reason why Adobe is afraid to build an XPI with Flash and publish all updates on Mozilla Add-ons site. They already do a yum repository for us, users of RPM based Linux distributions

    7. Re:Automatic updates by Anonymous Coward · · Score: 0

      I've never had my computer compromised by these plug-ins specifically.

      Pray tell, how could you know that? Just because it's not acting strangely doesn't mean it hasn't been compromised. Remember how the HIV virus managed to kill so many people? That's because you incubate the virus for years, making it just as lethal yet much harder to detect.

    8. Re:Automatic updates by causality · · Score: 1

      Mozilla has provided the tools to do it with extensions, I do not know the reason why Adobe is afraid to build an XPI with Flash and publish all updates on Mozilla Add-ons site. They already do a yum repository for us, users of RPM based Linux distributions

      ... because an XPI extension is written in XUL and/or Javascript, while a plugin is a compiled DLL that the browser loads up into its address space. they are two different things that work in different ways, even though they both add features to the browser. That's not to say that Flash couldn't be hosted on Mozilla's add-ons site, just that you are unlikely to see it in the form of an XPI file.

      The real reason why you probably will never see it hosted on a non-Adobe server is simple enough. Nothing remotely resembling a "web standard" should be controlled by a single vendor, nor should it be anything other than an open standard with available source code for several working implementations. Almost everything that is or ever was wrong with Flash could have been fixed by someone else (since Adobe does not seem interested) if the above conditions were true.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    9. Re:Automatic updates by robmv · · Score: 2, Informative

      ... because an XPI extension is written in XUL and/or Javascript, while a plugin is a compiled DLL that the browser loads up into its address space. they are two different things that work in different ways, even though they both add features to the browser. That's not to say that Flash couldn't be hosted on Mozilla's add-ons site, just that you are unlikely to see it in the form of an XPI file.

      Why do some people always assume the person that is talking has no knowledge of what he or she is saying? Please take a look at Mozilla Extension reference and you will see that you can package plugins inside an XPI (/plugins/* reference on the exampleExt.xpi sample)

    10. Re:Automatic updates by causality · · Score: 1

      ... because an XPI extension is written in XUL and/or Javascript, while a plugin is a compiled DLL that the browser loads up into its address space. they are two different things that work in different ways, even though they both add features to the browser. That's not to say that Flash couldn't be hosted on Mozilla's add-ons site, just that you are unlikely to see it in the form of an XPI file.

      Why do some people always assume the person that is talking has no knowledge of what he or she is saying? Please take a look at Mozilla Extension reference and you will see that you can package plugins inside an XPI (/plugins/* reference on the exampleExt.xpi sample)

      No assumption was intended and I apologize for giving you that impression. I just honestly believed at the time that you had this wrong because I made a mistake. I stand corrected. Thank you for taking the time to point this out, because even when it's a rather inconsequential thing like this, I still don't want to believe things which are false.

      If I may revise my answer to your question, I would speculate that they don't produce an XPI for the Flash plugin because it would be incompatible with IE, which still has a large marketshare. So to Adobe, this would represent one more separate thing to have to keep track of and maintain. I doubt that they would do this in the absence of overwhelming demand for it. I also speculate that someone else would not be able to package an XPI for them because they probably don't permit others to redistribute their copyrighted software.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    11. Re:Automatic updates by robmv · · Score: 1

      Apologies accepted, and sorry for being harsh but I have been hit by that behavior many times here on slashdot....

      Adobe already has a separate installer for IE (ActiveX in browser installation) and the traditional .EXE installer for other browsers. Introducing an XPI will not remove the need for an EXE installer (other NP plugin based browsers need it) so you are right about the extra burden.

      Adobe has a license for redistribution but it is restricted to intranet cases, or public but only using physical media (adobe installers without modification), but they have made exceptions before: Warren Togami used to package them in RPM format with Adobe permission, before they started their own yum repository

    12. Re:Automatic updates by AlgorithMan · · Score: 1

      That is really the only way to keep them up-to-date.

      you must be a windows user... every friggin Linux Distro keeps flash up-to-date without third-party apps doing stuff, which is OS-business (especially when the user might not have administrator privileges)

      --
      The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    13. Re:Automatic updates by countertrolling · · Score: 1

      That is really the only way to keep them up-to-date.

      Well, yeah. If you trust automatic not to break something, or load your machine with junkware like the Adobe Download Manager (which seems unavoidable no matter how you install it)... In my case, just like in that old headache commercial, I'd rather do it myself.

      --
      For justice, we must go to Don Corleone
  11. A change of attitude by TorKlingberg · · Score: 1

    I am happy to see an open source developer dropping the attitude that if the bug is not in their code, then it's not their problem.

    The next step would be to make sure that at least the most popular extensions work with a new version of Firefox when it is released.

    1. Re:A change of attitude by causality · · Score: 1

      I am happy to see an open source developer dropping the attitude that if the bug is not in their code, then it's not their problem.

      They're only having to do that because Adobe refuses to fix Flash. By that I do not mean the current approach of patch after patch. I mean really fix it, which would probably require reimplementing it from scratch using secure programming practices from the very beginning. Right now, the security history of Flash is a complete joke compared to anything else except maybe early Sendmail. At any rate, this amounts to Mozilla trying to help clean up Adobe's mess because Adobe is too lazy to do so without a significant amount of pressure.

      The next step would be to make sure that at least the most popular extensions work with a new version of Firefox when it is released.

      The next step would be to scrap Flash and make it go the way of the dinosaur. The immediate next step after that would be to recognize that using Adobe was not the mistake that was made here. Using any closed standard controlled by any single vendor was the mistake. What we need is an open standard that anyone can implement with no concern about patents or other encumbrances. Then and only then, if Adobe can make the fastest/most secure implementation of that open standard, they remain relevant. If not, they quietly disappear. It's obvious they are afraid of such a level playing field.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  12. Yeah, I got that. by thePowerOfGrayskull · · Score: 5, Informative
    Signed up for beta/testing FF updates. I get notified by FF that adobe is out of date. I click to install it. And lo! what installs? Not Flash... but some crappy Adobe Download Manager plugin whose sole purpose seems to be to download and install Adobe products. The Flash update did not ever download, even after FF restart.

    Broke my own first rule on this one -- never download anything you're not 100% certain of - but it's still frustrating. If FF tells me it's taking me to install Flash, I think I should be able to trust that Flash is what I'm going to get.

    1. Re:Yeah, I got that. by jayemcee · · Score: 1

      Here's a link for the latest version of the player without the download manager attached. http://download.macromedia.com/pub/flashplayer/updaters/10/flash_player_update3_flash10.zip

  13. streamlining Flash updates? by Anonymous Coward · · Score: 0

    Does updating Flash require you restart Firefox? Even with its Session Restore, textarea content is lost as are tabs whose URLs are no longer valid. Maybe Firefox should ask you if you want to install the newest version of Flash when you first open the browser? ie. in the same window where it asks you if you want to update the add-ons you have installed?

  14. A simple web page? by Anonymous Coward · · Score: 0

    Teaching the users to follow installation links from a standard (and unencrypted) web page is not a good idea. Not all users would be savvy enough to notice the difference between http://get.adobe.com/... and http://updateflashplayerforfree.com/... so it's only a matter of time before phishers distribute viruses through innocent Mozilla-looking pages. After all, it's Firefox and it has cute birds all over the place so it can't possibly contain a virus, right?

    The correct way to do it would be to have a version check mechanism similar to that of extensions, which Mozilla can still update without releasing a new Firefox.
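
An added sketch (not part of the thread and not Mozilla's code) of the check the comment above asks for: compare the installed plugin version against browser-supplied metadata, and only offer an installer link that is HTTPS on an exact allowlisted host. The function names, the allowlist and the sample version numbers are assumptions made for illustration.

```javascript
'use strict';

// Assumed allowlist of hosts permitted to serve plugin installers.
const TRUSTED_UPDATE_HOSTS = new Set(['get.adobe.com']);

// Turn a plugin description such as "Shockwave Flash 10.0 r32" into [10, 0, 32].
// Returns null when the string does not look like a Flash description.
function parseFlashVersion(description) {
  const m = /^Shockwave Flash (\d+)\.(\d+)\s+r(\d+)/.exec(String(description));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison. Comparing the raw strings would rank
// "9.0" above "10.0", so an outdated plugin could pass as current.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Accept an installer link only over HTTPS and only on an exact allowlisted host.
function isTrustedUpdateUrl(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return false; // not an absolute URL
  }
  return url.protocol === 'https:' &&
    url.username === '' && url.password === '' &&
    TRUSTED_UPDATE_HOSTS.has(url.hostname);
}

// metadata stands for version data the browser fetched through its own update channel.
function checkPlugin(description, metadata) {
  const installed = parseFlashVersion(description);
  if (installed === null) return { status: 'unknown', updateUrl: null };
  if (compareVersions(installed, metadata.minimumSafe) >= 0) {
    return { status: 'current', updateUrl: null };
  }
  // Warn either way, but never hand the user a link that fails the check.
  const ok = isTrustedUpdateUrl(metadata.updateUrl);
  return { status: 'outdated', updateUrl: ok ? metadata.updateUrl : null };
}

// Constructed sample data; the version numbers are illustrative, not real advisories.
const SAMPLE_METADATA = {
  minimumSafe: [10, 0, 32],
  updateUrl: 'https://get.adobe.com/',
};
```

Because the host match is exact and the scheme must be HTTPS, both the plain-HTTP link and the lookalike domain named in the comment are rejected, and the user still sees the outdated-plugin warning without a clickable installer link.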

  15. swapping one exploit for another by Anonymous Coward · · Score: 3, Interesting

    swap one exploit for another
    http://www.google.com/search?hl=en&q=%22Adobe%20Download%20Manager%20%22%20exploit

    wtf is wrong with Adobe ? whats wrong with just providing the plugin and nothing else ?
    i should also rant at Sun for installing their fkin Yahoo toolbar/spyware across our corporate network on every Java monthly update or installing their quickstarter/net assistant Firefox plugins without permission, then there is Apple with their forcing "Safari" (another exploit vector) as a pre-ticked update on their Quicktime updates WTF ? , google installing scheduled phone-home tasks every 15min with any bit of software they install
    really just fuck off, fuck right off

    is it any wonder with this despicable behaviour from major software companies with their "update" software is abused as a "install more crap" service that people dont update their plugins/software for fear of getting crap that they didn't ask for therefore exposing themselves to all these vulnerabilities or more if they do install it

    perhaps when they get tagged as badware and spyware their behaviour might change
    or maybe a good old million dollar class action lawsuit might

    1. Re:swapping one exploit for another by countertrolling · · Score: 1

      perhaps when they get tagged as badware and spyware their behaviour might change...

      Can't remember where I read it, but one of the adware/antivirus removal companies was being sued by a junkware creator. I guess they didn't like being tagged. Shades of Gator (Claria).

      --
      For justice, we must go to Don Corleone
  16. How it all happened... Maybe. by Anonymous Coward · · Score: 0

    The back story:

    Adobe top managers were sittin' around one day during one of their 3-hour martini lunches, smoking cigarettes, scratching where it itches, and making lewd comments to the waitress.

    Finally, one of them said, "How can we sink the company?" After much consultation by cell phone with people who actually understand Adobe products, they found a solution: Have a product that is always in the news because it is buggy and vulnerable. That product should also have a buggy, poorly designed update installer.

    Okay, you say, "I doubt that." But do you have a better explanation? Hah! I thought not.

  17. Getting Flash to work was a pain by billsf · · Score: 1

    But FreeBSD will protect you. I doubt Mozilla will ever catch me with a vulnerable version unless you say all Flash is vulnerable -- a point I won't argue. At least I have a 'kill script' to kill an annoying flash page.
    While preserving the text I really want. For most viewing (video) I use VLC, clive and a script to glue them together. (written in sh -- hint tested with bash too) See the benefits of open source software?

    BillSF

    Sorry Microsoft -- you sold the only good thing you had -- Office. Let's hope the designers will revolt and force the source open. They are, after all the only known RealHackers(tm) in Microsoft!

  18. Real protection? by hansamurai · · Score: 1

    How about protecting my browser from an Adobe crash? I know you're working on isolated tabs, but hurry up already!

    1. Re:Real protection? by maxume · · Score: 1

      Flashblock (or noscript) does a pretty good job at this; most of the flash content that you want to run is also flash content that the creator cares about debugging well (as opposed to advertisements and such).

      --
      Nerd rage is the funniest rage.
    2. Re:Real protection? by nickysn · · Score: 1

      It's called nspluginwrapper and has been in Fedora for ages. It wraps the Firefox plugins and executes them in a separate process. If that separate process crashes, the crashed plugin stops working temporarily. Reloading the page restarts the plugin again. It also allows running 32-bit plugins in a 64-bit browser. It only isolates the plugins and not the browser code, but the browser is quite stable nowadays, so I consider it an overkill and a waste of resources to run each tab in a separate process. If there are bugs in the browser, that cause crashes - they should be fixed. Firefox does that pretty well here. If people use old versions, make an easy to use auto-update, and don't push updates that break things for people, so they become afraid to update. :) Firefox also does that well. So isolating just the f*cking plugins is enough :) Sure, it's a marketing point for Google Chrome (and it's probably more useful there, because their codebase is new and less well tested, so probably more crash-prone; but I haven't used it really, so I don't know), but it's not something I really miss. I'd be more happy to see something like nspluginwrapper ported to Windows.

    3. Re:Real protection? by CajunArson · · Score: 1

      That's funny... nspluginwrapper tended to cause most of the problems I had with flash... since Adobe came out with the 64 bit Linux releases, I can't remember the last time the browser crashed due to Flash issues.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    4. Re:Real protection? by Anonymous Coward · · Score: 0

      The 64-bit flash plugin reliably crashes the browser if I ever close a tab that a flash video has played in. Irritatingly, nspluginwrapper also reliably hangs. Which I suppose is better than crashing, but I still have to shut down the whole browser to restore a flash-capable session (or use gnash, shrug).

      Yeah, I reported the issue. Straight into /dev/null it seems. The problem has existed since release of the 64-bit plugin.

      I assume it doesn't happen for everybody, but it's happened on every computer I've tried it on with AMD/ATi graphics cards - but with either of the two open source radeon drivers or the closed binary, and with or without plugin hardware accel enabled.

  19. Oh hey by Anonymous Coward · · Score: 1, Insightful

    I use chrome which sandboxes plugins so most/any vulnerabilities are likely to do no more than crash the current tab. Why not make the entire browser secure from the ground up rather relying on the human element to keep things right?

    1. Re:Oh hey by Anonymous Coward · · Score: 0

      Wrong. Chrome only provides tolerance against unintended crashes; malicious or vulnerable plugins can still access all your files and install any rootkit they want.

      Sandboxes are a good thing, but they're still nowhere near as powerful as what you describe.

    2. Re:Oh hey by Mashiki · · Score: 1

      The browser is secure. I've mentioned this in other security forums, but flash & java went the way of ActiveX several years ago. "Playing outside the sandbox", a bad, bad idea. Soon as that happened, not only did it open a sluice of security vulnerabilities, but it broke the traditional sandbox concept of safe browsing. Now that doesn't stop the occasional stuff like buffer overruns, or divide by zero bugs to get control of a system. Bugs are bugs, but when you're able to send redirect requests to an external app, installed on the system with no user control... i.e. Browser>plugin>secondary/trinary software we've got ourselves a serious problem.

      The only solution I see is for the current development of flash to stop as it is. Move to app level support, and a new browser only based plugin to be released that doesn't break the sandbox rule. Because people are stupid, computers are still semi-complex bits of software and hardware. And not everyone is smart enough to keep it up to date. And that applies for all OS's.

      And before some smartass decides to post "use a mac" good idea, too bad they're vulnerable to java and flash problems(stupid people are stupid). And linux flavors are good, but either don't work properly for most people, or are still under the mature point for most people OoTB.

      --
      Om, nomnomnom...
  20. Completely off-topic by agnosticnixie · · Score: 1

    For added lulz - Adobe's CS uses a full copy of an old and vulnerable version of Opera for its home-phoning loading screens, and for bridge - and of course their retarded mac devs (there used to be a few hacks to make CS3 work In mAcOS x Hfs+ wIth CAsE sEnsitIVIty because apparently their coders are drunk monkeys, now they disabled it by making it impossible to install CS4 if the root partition is on a case-sensitive FS - I said fuck it, deleted the trialware and just moved to alternatives that fill my needs without taking up endless gigs of memory rather than waste money or time to fix it that is much more valuable in the end than what they would expect me to pay. That might amuse you.

    1. Re:Completely off-topic by PIBM · · Score: 1

      What's the alternative to Photoshop CS4 ?

      That could really be useful!

    2. Re:Completely off-topic by Ma8thew · · Score: 1

      There is no replacement for all of Photoshop's functions, but the majority of the functions normal people use can be found in Pixelmator or Acorn. For added points, Acorn has a Python powered plugin interface.

    3. Re:Completely off-topic by agnosticnixie · · Score: 1

      Sadly I don't use photoshop so I didn't have to look for a serious alternative, what tools I needed replaced were Illustrator and Flex (well, and Dreamweaver and Premiere in theory, but I've always handcoded that stuff and FCX/FCP seemed a better bet.
      I'd be semi tempted to say Iris but the project looks dead even if it's not a beta, pixel is perpetual vaporware, chocoflop seems promising but some versions of the beta are crashy to say the least, and pixelmator seems mostly like gimp+isight plugin and last I checked it it still didn't open .NEF files but might be worth the try in the future
      Quite honestly, I think PS is the hardest of the lot to replace on any platform. Probably because it tries to be the all-things-for-everyone Raster Editor I guess.

    4. Re:Completely off-topic by Anonymous Coward · · Score: 0

      What's the alternative to Photoshop CS4 ?

      http://www.gimp.org/

    5. Re:Completely off-topic by agnosticnixie · · Score: 1

      GIMP 3 maybe, but right now, it's too limited if the editing happens to be photography.

    6. Re:Completely off-topic by Anonymous Coward · · Score: 0

      I just use GIMP in another workspace.

  21. Re:Hmm -- Mod up parent by billsf · · Score: 1

    Don't know who this guy is, but this is what developers are like. Maybe if they had a key sequence to do it, it would be easier for us. Then again I don't ever expect Mozilla to beat FreeBSD on an exploit.

  22. Re:Drunk the Kool-Aide by RiotingPacifist · · Score: 3, Funny

    I'm sorry in future we will try and make all releases of software perfect and not release until we are 100% sure no vulnerability will ever be found

    ~the hurd team

    --
    IranAir Flight 655 never forget!
  23. Finally by DaveGod · · Score: 1

    Even as a long time FF user I keep going to the Plugins menu, looking for and wondering why there isn't a "check for updates" button, just like there is for extensions.

    Most plug-in authors do have their own auto-update programs but I dislike using them - I keep having to disable them from loading at boot, and they seem to do other crap I don't want like try to install their other crapware. Even just trying to download flash they want you to install some download manager first; there used to be a proper installer hidden away as a re-distributable but I can't find it any more. Adobe Reader auto-updates but decides to install Acrobat.com (which seems to be an Air application and not a web link) and it putting a shortcut on the desktop also irritates. Java update seems relatively benign but need to remember to untick the Yahoo! search bar, I'll tolerate the advert for OpenOffice. QuickTime have at least stopped having the iTunes bundle as the default, but every time I update it seems to forget my settings.

    Not so long ago we were warning newbies to be wary of any software that tries to pull stunts like these.

    1. Re:Finally by nickysn · · Score: 1

      Even as a long time FF user I keep going to the Plugins menu, looking for and wondering why there isn't a "check for updates" button, just like there is for extensions.

      In the long term, they're planning to implement that also: http://blog.mozilla.com/security/2009/09/04/helping-users-keep-plugins-updated/

      This is only the first step in a multi-step process that we're going down:

      1. The first is to do a check when we update the browser. This is what we'll include with 3.5.3.
      2. Second, we're going to have a regular page that you can go to to check the state of other plugins as well. This will happen sometime this month.
      3. Firefox 3.6 will check for newer versions of plugins just like we check for newer versions of Firefox or extensions. If it sees that you have one that's out of date, you'll be sent to that page.
      4. We're going to try to get to the point where you can upgrade the plugin via the plugin service that we currently use for installations.
      5. We're also talking about using Adobe's Express Install system, which can update flash from the flash plugin without having to use a separate installer.

      So that's the long term plan for now. Some of it will be in 3.6, some of we'll be doing in parallel and some of which is longer term.

  24. They forgot Adobe Reader/Acrobat. by dicobalt · · Score: 0

    Everyone is using ancient versions of that also.

  25. 2o7.net by saur2004 · · Score: 1

    The reason I have not updated my very old version of Flash is because I heard about Omniture and 2o7.net and no they have not sufficiently explained themselves to their user base.

  26. In the meantime... by MrNonchalant · · Score: 2, Informative

    Here's a page that checks your Flash version and lists the latest version for the different browsers/operating systems: http://www.adobe.com/software/flash/about/

    1. Re:In the meantime... by Culture20 · · Score: 1

      Here's a page that checks your Flash version and lists the latest version for the different browsers/operating systems: http://www.adobe.com/software/flash/about/

      That's nothing, I know a lot of pages that will check your flash version for the different browsers/operating systems, *and* attempt to install software for you. They might even entertain you while you wait.

  27. Version checking applications by Wowsers · · Score: 2, Insightful

    I don't think it would go down too well if version checking was built into the current version of Skype for Linux.

    "Dear Linux user, your version of Skype has not been updated for 2 1/2 years, there are no new updates planned, and x86_64 versions are out of the question. Please feel free to vent to eBay where they will helpfully file your comments in /dev/null.

    Thank you for choosing Skype."

    --
    Take Nobody's Word For It.
    1. Re:Version checking applications by j_sp_r · · Score: 1

      A newer beta was released a week ago. Still no x86_64 but I don't care that much (just install the 32 bit packages with it)

    2. Re:Version checking applications by Minwee · · Score: 1

      Please feel free to vent to eBay where they will helpfully file your comments in /dev/null.

      Why would eBay care? You might have better luck complaining to marca instead, since he just bought the frakkin' thing.

    3. Re:Version checking applications by Anonymous Coward · · Score: 0

      A closed source P2P program from the authors of Kazaa? You deserve everything you get if you trust it.

  28. Re:More hand holding, more bloat. FF is getting sh by coryking · · Score: 1

    Why don't you just use Lynx or wget? You anti-"bloatware" people seem to make a stink about anything that isn't plain ASCII anyway.. why not just go all out and use the least "bloated" client on earth? I'm serious. Use wget. It seems more your style.

  29. upgrade? Why not block by IceFox · · Score: 2, Insightful

    If the user doesn't upgrade does it disable the plugin?

    --
    Do you changes clothes while making the "chee-chee-cha-cha-choh" transformation sound?
  30. One thing that'd protect users... by Anonymous Coward · · Score: 0

    Would be running it in a separate subprocess so it doesn't inevitably crash the whole browser when you close a damn tab containing a youtube video.

  31. Sounds stupid by tengeta · · Score: 1

    There are more holes in Flash than every version of Windows and MacOS combined. Updating may fix 3 of those issues at a time, while 50 more are found. Whoooooooeeeeeeeeeeeeeeeeeeeeeee

    --
    "They confiscated everything, even the stuff we didn't steal!"
  32. Re:upgrade? Why not block by PrimaryConsult · · Score: 1

    That would be annoying for Linux users... while updating flash is not difficult, it is... awkward for less technically inclined users who had someone else set it up for them. As one who has set up such installs for people, I don't want to have to walk them through manually copying a new libflashplayer.so into their /usr/lib/blah/plugins directory every time a flash update happens.

  33. Flash cookies too? by Pertain · · Score: 2, Insightful

    And how about also dealing with the privacy/tracking issues associated with Flash? Flash has the ability to store cookies (LSOs or Large Storage Objects) with impunity. Flash cookies can be auto-deleted using a Firefox addon called "BetterPrivacy" but it should be built in to the standard Firefox privacy feature.

  34. Re:upgrade? Why not block by Minozake · · Score: 1

    Not to mention possibly troublesome for multi-user systems on a guest account where flash is grabbed from a global directory. But, I suppose if a sysadmin were to update firefox, they should also probably update flash. If they don't value security, that is.

    However, flash can be installed to ~/.mozilla/plugins/ for precedency over the global directory. I'd hate to be support on that:

    User: "Where's .mozilla? I can't see it!"
    Support: "What file manager are you using?"
    [...]

    --
    http://sourcemage.org/ - Have fun :)
  35. Flash Cookie Management? by Anonymous Coward · · Score: 0

    Any chance they will protect our privacy by adding Flash Cookie Management?

    I automatically wipe them via `rm -rf ~/macromedia/*` to stop tracking on UNIX, but doing it on Windows is a hassle. Flash cookie management like browser cookie management would be nice. Sign me up for session flash cookies.

  36. Maybe it's time for a latest-version.org. by L-SWAT · · Score: 1

    As said here : http://www.osnews.com/comments/22120 What about Java? What about Quicktime? What about Unity? What about VLC? What about ... http://latest-version.org/latest-version.txt http://latest-version.org/linux.txt http://latest-version.org/quicktime-version.txt ...

  37. Better yet, warn about any flash by Baloo+Uriza · · Score: 2, Interesting

    "This site uses a Flash plugin, instead of accepted and open internet standards. Flash has no public source code, and thus no critical peer review. Software with no peer review is intrinsically a security threat to your system. Automatically send nastygram to webmaster?" [Yes] [Search Google for a competing site]

    --
    Furries make the internet go.
    1. Re:Better yet, warn about any flash by Kagetsuki · · Score: 1

      Mod parent up! I personally surf with flashblock and rarely hit the activate button. I rarely use youtube or video sites, and when I do there is a plugin called DownloadHelper I have set up to download, convert to standard mp4, then play the video for me in mplayer. But you know what, having an auto nastygram button would be awesome! If an auto-nastygram plugin exists I'd like to know the name of it.

  38. Re:Drunk the Kool-Aide by bvankuik · · Score: 0

    Just thought I'd notify people that the above message is from an imposter, NOT from the real Hurd team! Besides the giveaway of the high UID, look at the signature people. Looking at it? It should be signed off as the GNU/Hurd team. Double-duh!!!!1!!1