Mozilla To Protect Adobe Flash Users

Soulskill posted about 5 years ago | from the helping-those-who-don't-help-themselves dept.

Mozilla 132

juct writes "Beginning with versions 3.5.3 and 3.0.14 of Firefox, Mozilla is going to check the version of installed Adobe Flash plug-ins and warn users if it discovers an outdated version with potential security holes. Mozilla confirmed this new security feature and said that the Flash version check was part of a wider commitment to 'protect users from emerging threats online.' Just recently, a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in."

132 comments

Guaranteed to work (4, Insightful)

Norsefire (1494323) | about 5 years ago | (#29322685)

"WARNING!! The version of Adobe Flash you are using is out of date and contains security holes, please upgrade by clicking here ..."

Oh dear, I don't understand what this means. Luckily my son, who got sick of me ringing him for computer help, told me what to do whenever I encounter a box I don't understand; click the X, or click cancel, or ignore. Now back to clicking on every ad I see.

Of course, that isn't likely to happen. It would be more like:

WARNING!! The version of Adobe Flash you are using is out of date and contains security holes, unfortunately you are using Internet Explorer so there is no warning.

Re:Guaranteed to work (1, Funny)

Anonymous Coward | about 5 years ago | (#29322733)

I got my parents to use Firefox. (of course, for some reason, they call it "Mozilla" and not "Firefox")
They're mostly happy, except you can clearly see the porn my dad goes to thanks to the smart location bar.

See, it's not impossible.

Re:Guaranteed to work (4, Funny)

RiotingPacifist (1228016) | about 5 years ago | (#29322757)

ctrl+shift+P FTW, that way nobody has ever found out that I like gay midget donkey porn!

Re:Guaranteed to work (0, Troll)

commodore64_love (1445365) | about 5 years ago | (#29323305)

>>>i like gay midget donkey porn!

Big deal. At least that's legal. I like porn starring 15-year-old men and women, and for some reason I'm in jail? (shaking head). Illogical.

Re:Guaranteed to work (1)

drseuk (824707) | about 5 years ago | (#29322795)

Just be grateful the Mozilla Protection Project is sponsored by Google and not Durex.

Re:Guaranteed to work (1)

Jurily (900488) | about 5 years ago | (#29323245)

Yet.

Re:Guaranteed to work (1)

trawg (308495) | about 5 years ago | (#29322943)

It's an interesting branding issue - a significant proportion of the non-technical people I know that use Firefox call it Mozilla (though my dad keeps mispronouncing it "Mot-zilla", and he's not the only one I've met that does that).

Re:Guaranteed to work (1)

binarylarry (1338699) | about 5 years ago | (#29322965)

Where I work, all the stupid fucking management call it "Mazolla."

You know, the MBA types.

Re:Guaranteed to work (1)

maxume (22995) | about 5 years ago | (#29323131)

It's not their fault that blonds are more fun.

Re:Guaranteed to work (1)

PsychoSlashDot (207849) | about 5 years ago | (#29323781)

It's an interesting branding issue - a significant proportion of the non-technical people I know that use Firefox call it Mozilla (though my dad keeps mispronouncing it "Mot-zilla", and he's not the only one I've met that does that).

Same cause as the one wherein I have to help my customers recover their Microsoft documents. Or fix the error they keep getting sometimes - they don't know when - in their Microsoft, which they refuse to write down. I've got a customer running two programs from Primavera (now owned by Oracle): Primavera Project Planner (P3) and Primavera Expedition. They're both "Primavera" to every employee at that customer.

The cause is marketing. Microsoft Windows. Microsoft Office Word 2007. Microsoft Internet Explorer. Primavera Project Planner. IBM Lotus SmartSuite. Even CorelDRAW! and Corel WordPerfect. End-users retain the first word, no more. If companies would stop slapping their company name all over their product names, my life would be easier. I'm sure it's the same in the automotive industry; Ford Fusion, Ford Flex, Ford F150.

Re:Guaranteed to work (0)

Anonymous Coward | about 5 years ago | (#29323011)

Better than my mother, she calls it foxfire ever since the change from phoenix!

Re:Guaranteed to work (3, Interesting)

Midnight Thunder (17205) | about 5 years ago | (#29322877)

Oh I thought it should have been:

"Warning: You are using Adobe Flash, are you sure this is such a good idea? How about some nice Dynamic SVG?"

Re:Guaranteed to work (4, Funny)

Late Adopter (1492849) | about 5 years ago | (#29323155)

"Warning: You are using Adobe Flash, are you sure this is such a good idea? How about some nice Dynamic SVG?"

That'd be great! Do you have any? This, ummm, isn't my website, you know. =P

Re:Guaranteed to work (4, Insightful)

thanasakis (225405) | about 5 years ago | (#29323273)

Have you ever actually tried writing some nice dynamic svg?

Re:Guaranteed to work (0)

Anonymous Coward | about 5 years ago | (#29323581)

It isn't exactly a hard thing to do, just a lengthy process depending on how complex and/or long the animation is. (unless you mean modifying it with JavaScript?)
Doing inline dynamic SVG is a problem at the moment, I think. (at least it was last time I tried inline SVG... about a week ago)

Creating a dynamic JPG, now there is something hard. (not impossible though, if you are good at working with binary in JavaScript, you can do it)

And in saying that, you'd honestly be better off using CANVAS now, and O3D if you are daring.

Re:Guaranteed to work (0)

Anonymous Coward | about 5 years ago | (#29323457)

Imagine Slashdot in the year 2015: What SVG? I have SVGBlock installed hurhurhurhurr

Actually 2015 might be too optimistic for SVG adoption.

Re:Guaranteed to work (1)

lukas84 (912874) | about 5 years ago | (#29323601)

In 2015 I want my Mr. Fusion and flying Hovercars, not SVG.

Re:Guaranteed to work (0)

Anonymous Coward | about 5 years ago | (#29323769)

Silly /.'r, this "Dynamic SVG" is just a myth.

Re:Guaranteed to work (3, Insightful)

Hurricane78 (562437) | about 5 years ago | (#29323031)

You contradict yourself twice in that little paragraph. What point is it you are trying to make?? ^^

I think they will simply click on that OK to upgrade, as they click on everything else. To support that, just make the cancel button look small, scary, not recommended, with a sick face and a burning computer on it, and make the OK button 80% of the rest of the dialog, and make it look like a "red cross love palace for health, safety and happiness".
I'm serious!

Also, here in Germany, most people use Firefox, you insensitive clod! :P

Re:Guaranteed to work (1)

commodore64_love (1445365) | about 5 years ago | (#29323371)

>>>just make the cancel button look small, scary, not recommended, with a sick face and a burning computer on it, and make the OK button 80% of the rest of the dialog, and make it look like a "red cross love palace for health, safety and happiness".
>>>

This is what Paypal does when they ask, "Are you sure you want to use a credit card to pay?" with a gigantic "NO" and a little barely visible "yes I'll take the risk" next to it. I would prefer that my computer not adopt the same sort of deception.

Besides I don't want to upgrade my Flash. I have the full version of Acrobat and do not feel like dishing-out another $100 to buy the latest version. I will take my risks and stick with what I have.

Re:Guaranteed to work (1)

fluffy99 (870997) | about 5 years ago | (#29324039)

Don't be a wuss. Upgrade the Flash, it's free and gets rid of a gigantic hole in your browser. I feel your pain on Acrobat as they stopped supporting the ancient versions. But of course those versions can't handle all the files and features generated using the latest versions anyway. If you just want to print to PDFs, there are better free programs out there.

Re:Guaranteed to work (2, Funny)

value_added (719364) | about 5 years ago | (#29323099)

Oh dear, I don't understand what this means. Luckily my son, who got sick of me ringing him for computer help, told me what to do whenever I encounter a box I don't understand; click the X, or click cancel, or ignore. Now back to clicking on every ad I see.

How the fuck does a post that consists of incoherent rambling get modded up?

The above pseudo anecdote may have been funny if the fine article involved Firefox opening dialog boxes, but that's not the case. Either the OP didn't read the article, or didn't notice the bit about the "landing page".

I'd add that the unrelated comment about IE (a non sequitur, actually) is even less funny, but I can't figure out WTF he was trying to say. Or what any of it has to do with ... anything.

Next up, an excerpt from a Beavis and Butthead script that gets modded both insightful and funny:

Popup windows.
You said popup.
Ha ha ha.
Just click the X stupid.
Ha ha ha.
Internet Explorer is teh suck.
Ha ha ha.

Re:Guaranteed to work (1)

aoheno (645574) | about 5 years ago | (#29323829)

Need tech support from the son but can post /.? Awesome. Can he help me get my great-grandmother to post?

Presumably (5, Funny)

drseuk (824707) | about 5 years ago | (#29322741)

the remaining 20% don't use Flash then?

Gnash? (2, Interesting)

the_one(2) (1117139) | about 5 years ago | (#29322743)

I admit I don't use flash very often because it's annoying and Adobe's flash plugin uses way too much CPU, but is it still needed? Gnash has worked for me every time I've tried it lately (admittedly mostly for youtube). Tried it now with a flash game and it seems to work.

Re:Gnash? (-1, Troll)

Anonymous Coward | about 5 years ago | (#29323061)

Gnash sucks.

Re:Gnash? (1)

The MAZZTer (911996) | about 5 years ago | (#29323133)

Sounds like it doesn't from your post-parent. Mind giving some reasons why it "sucks"?

Re:Gnash? (1)

TheRaven64 (641858) | about 5 years ago | (#29323327)

For one thing, it doesn't (or, last time I checked, didn't) support the BBC iPlayer, which is about the only reason I would want flash to work. On the plus side, it does work with a lot of simple Flash adverts...

Re:Gnash? (3, Interesting)

RiotingPacifist (1228016) | about 5 years ago | (#29323175)

Switching is too much of a PITA, if gnash works for 70%+ of content and I could easily load adobe for the other 30% (new games etc), I would switch too! Unfortunately on linux switching requires me to run a script and restart firefox. Ideally gnash could chainload adobe flash but the devs probably hate the idea of accepting partial defeat, unfortunately until they do it's too much of a PITA for day to day use!

Re:Gnash? (1)

dazjorz (1312303) | about 5 years ago | (#29323301)

I don't know how it works, but in the default Firefox on Ubuntu, I can switch live between Gnash and Adobe Flash by a "plugins" button to the bottom right corner of every window. Maybe it's Ubufox doing that, not sure. Last time I used it it was a little buggy sometimes, but overall it works quite well.

Drunk the Kool-Aid (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29322745)

Cool, now yet another whining warning that something is out of date. Note to corporate America, we don't buy computers to sit here all day long updating them! It actually makes me less inclined to do the update than more inclined when I get the warning several times a day. The constant harassment makes me ignore the warnings much as constant advertising makes me ignore ads.

Re:Drunk the Kool-Aid (3, Funny)

RiotingPacifist (1228016) | about 5 years ago | (#29323185)

I'm sorry in future we will try and make all releases of software perfect and not release until we are 100% sure no vulnerability will ever be found

~the hurd team

And Good For Them! (4, Interesting)

Toad-san (64810) | about 5 years ago | (#29322751)

I've found replacements for Adobe Reader and Real player (Foxit and Real Alternative), but couldn't find a replacement for the Flash player (alas).

This is better than nothing. I have Flash (and all other scripts) turned off by default in my Firefox browser, but am still forced to use it to see some things.

Yeah, I know the troglodytes won't understand the warning, but it might give them the slightest clue that something's wrong.

Re:And Good For Them! (1)

Onymous Coward (97719) | about 5 years ago | (#29322803)

... couldn't find a replacement for the Flash player (alas).

Eventually it'll be findable. In the form of standard HTML.

For a good number of uses that Flash is currently put to HTML is already the answer.

Re:And Good For Them! (1)

vcompiler (1383819) | about 5 years ago | (#29323355)

To put everything in a marked language standard is really a bad idea. If you want to replace Flash, replace it with another better-designed or more open PLUG-IN. The plug-in model is how software can be built by collaborative organizations and how each component remains clean-designed and well-maintained.

Re:And Good For Them! (1)

characterZer0 (138196) | about 5 years ago | (#29323431)

He wants a replacement for the flash client so he can see what others have created, not a replacement for the flash technology so he can create with something else. Such replacements already exist: Silverlight and JavaFX.

Re:And Good For Them! (0)

Anonymous Coward | about 5 years ago | (#29322963)

FWIW: The "Real Alternative" player is just the Real One codecs that work in 3rd party players. I'm not sure if that actually protects you from anything, but it certainly is nice to keep the bloated Real One player from showing up all the time.

Re:And Good For Them! (1)

The MAZZTer (911996) | about 5 years ago | (#29323141)

I find using NoScript to keep Flash off until I want it on is quite acceptable. It may still be a risk if you frequent sites that allow users to upload their own flash content, but as long as you only visit such sites that screen and approve such content before making it public you should still be OK.

Re:And Good For Them! (0)

Anonymous Coward | about 5 years ago | (#29323179)

Silverlight / Moonlight. Seriously, I hate Microsoft as much as the next guy, but a language-agnostic VM with a mostly-open spec is a fantastic alternative to the aging and always-shitty Flash.

Does flash not already do this? (2, Insightful)

RiotingPacifist (1228016) | about 5 years ago | (#29322775)

Doesn't flash already prompt you to upgrade from an old version?
If so, how will this warning be more effective (unless they add an auto-update feature)?
If not, WTF ADOBE!!!

Re:Does flash not already do this? (4, Informative)

postmortem (906676) | about 5 years ago | (#29322829)

It does, sometimes on system startup; however it only installs updated plugin for Internet Explorer.

Re:Does flash not already do this? (4, Informative)

A Friendly Troll (1017492) | about 5 years ago | (#29323073)

I have never had Flash notify me that it needs an update. Ever. The only time I've seen the notification was on a single computer at the office.

A few days ago I was given this link http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html [macromedia.com] - I think it was somewhere on Slashdot, either in the article, or in the comments. Sure enough, I went there, and Flash was set to never notify me of updates.

Worth checking out.

Re:Does flash not already do this? (0)

Anonymous Coward | about 5 years ago | (#29322843)

Doesn't flash already prompt you to upgrade from an old version?

But consider this: If you've turned that stupid nag screen off, what then? I trust you see the problem.

Re:Does flash not already do this? (3, Funny)

Sulphur (1548251) | about 5 years ago | (#29323439)

We are sorry, this page is designed to work with version 8 or greater. You are using version 10.

Re:Does flash not already do this? (0)

Anonymous Coward | about 5 years ago | (#29324015)

I know the feeling all too well. But you can't blame flash for the idiots who write non-future proof version checks.
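
A common cause of the check joked about in this sub-thread (Flash 10 rejected as older than 8) is comparing version strings as text. The following is an added example, not code from the thread, from Mozilla or from Adobe: it contrasts that text comparison with a component-wise numeric one. The function names, the sample description strings and the minimum versions are all constructed for illustration.

```javascript
// Added example (not from the thread or from any browser's code).
// All version strings and minimum versions below are constructed samples.

// Buggy check: compares version strings as text, so "10.0.32" sorts before
// "8.0.0" because the character '1' is less than '8'.
function naiveIsOlder(installed, required) {
  return installed < required;
}

// Extract the numeric components from strings such as
// "Shockwave Flash 10.0 r32" or "10.0.32.18".
// Assumes the product name itself contains no digits.
// Returns null when no number is present.
function parseVersion(text) {
  const parts = String(text).match(/\d+/g);
  return parts ? parts.map(Number) : null;
}

// Component-wise numeric comparison; missing components count as 0,
// so [10, 0] equals [10, 0, 0]. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify an installed plugin against the oldest version considered safe.
// An unparseable description is reported as "unknown" rather than "current",
// so the caller can still warn instead of silently passing it.
function checkPlugin(description, minimumSafe) {
  const installed = parseVersion(description);
  const minimum = parseVersion(minimumSafe);
  if (!installed || !minimum) return "unknown";
  return compareVersions(installed, minimum) < 0 ? "outdated" : "current";
}

// Constructed sample inputs: [plugin description, minimum safe version].
const samples = [
  ["Shockwave Flash 10.0 r32", "8.0.0"],
  ["Shockwave Flash 9.0 r124", "10.0.32"],
  ["Shockwave Flash 10.0 r32", "10.0.32"],
  ["Shockwave Flash", "10.0.32"],
];

for (const [description, minimum] of samples) {
  console.log(`${description} vs ${minimum}: ${checkPlugin(description, minimum)}`);
}
```
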

Re:Does flash not already do this? (1)

Krneki (1192201) | about 5 years ago | (#29324017)

Only if you have Adobe bloatware installed on your PC. I like to keep it clean, so I remove all the Adobe crap from the Auto-start menus.

Re:Does flash not already do this? (1)

fluffy99 (870997) | about 5 years ago | (#29324077)

No it does not. Some websites check the version and prompt you, but it's not a feature of flash itself. I wouldn't mind if Firefox popped up a warning at startup, letting me know there is a new version available if the installed version has a significant vulnerability. Something similar to the nag screen about updating the add-ins. You better give me an option to ignore the warning though, as I may have a valid reason for not upgrading such as breaking a corporate app.

You know what I'd really like? (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29322787)

I'd really love if goddamn FireFox would just *work* with Flash.

I don't really give a shit what version of the Flash Player I may be using, and I honestly could care less if FireFox tells me it's 'unsecure'; what I'd really like is for them to fix their shitty-ass browser and the random freezing problem that has been plaguing it for several revisions whenever you're hitting Flash pages.
Yah, blame JavaScript, blame Flash, blame every-fuckin-thing but the shitty browser that has had memory leaks and weird freezes forever, but the bugs just keep getting filed away...

Fags.

Solving the wrong problem (0, Interesting)

Anonymous Coward | about 5 years ago | (#29322807)

The real problem is all those web sites that you have to use but are completely useless when flash is disabled. What firefox should be doing is sending an email to the web site administrator (it is the semantic web, is it not?) telling them to not rely on flash. Even better is if nobody even used the cruft, but dreaming of that is going from na-na land to someplace even more remote.

Re:Solving the wrong problem (0)

Anonymous Coward | about 5 years ago | (#29323087)

My reaction usually consists of "section 508, bitch" type hints at their legal position :p

Hmm (0)

Anonymous Coward | about 5 years ago | (#29322827)

I already ignore firefox updates (because I'm lazy). I wonder how many people just ignore updates in general?

And the sad part is, I know better. Why do they expect Joe Sixpack to heed update warnings when a power computer user and programmer is too lazy to click "update"?

Re:Hmm -- Mod up parent (1)

billsf (34378) | about 5 years ago | (#29323169)

Don't know who this guy is, but this is what developers are like. Maybe if they had a key sequence to do it, it would be easier for us. Then again I don't ever expect Mozilla to beat FreeBSD on an exploit.

Here is patch (3, Insightful)

dvh.tosomja (1235032) | about 5 years ago | (#29322849)

+ function IsFlashVulnerable(FlashVersion) {
+ return true;
+ }
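
Review bot: IsFlashVulnerable never reads its FlashVersion argument and returns true unconditionally, so every installed version, including a fully patched one, would be reported as vulnerable. Compare the parsed version against the oldest release known to be fixed and return false when the installed version meets it.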

Re:Here is patch (0)

Anonymous Coward | about 5 years ago | (#29324085)

function IsFlashVulnerable(FlashVersion) {
          if(userIsIrrelevantIgnorantGimp) {
                      return true;
          } else {
                      return false;
          }
}

there, fixed that for ya!!!!!!

one of the major reasons I don't use Flash (1)

Onymous Coward (97719) | about 5 years ago | (#29322871)

Just recently, a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in.

It's an easy/appealing target vector. With the slow revving even the most recent version hangs your ass out in the wind to a substantial degree.

Now just throw in a good website (server/framework/XSS/whatever) exploit and you've got a serious worm.

For the worth of the putative benefits I am not encouraged enough to hang my ass out for Flash. (Except I do have it installed! Just kept dormant until I (rarely) click my NoScript button.)

Automatic updates (4, Interesting)

chrisgeleven (514645) | about 5 years ago | (#29322879)

I am really surprised browser makers aren't doing automatic updates for plugins like Flash. That is really the only way to keep them up-to-date.

Re:Automatic updates (1)

Sosigenes (950988) | about 5 years ago | (#29322973)

I have been thinking the same thing. I don't think I have ever been prompted to upgrade Flash on my current install, and it's quite far out of date. It's a shame Firefox can't use Mozilla's update functionality for updating plugins as well as addons, as then it would be seamless. In fact, I've just tried to find an easy way to upgrade Flash, and it seems the only way is to go back to the website and download it again?

Re:Automatic updates (1)

Junior J. Junior III (192702) | about 5 years ago | (#29322989)

Flash does notify me when there's an update available. I'm confused as to what more is needed, other than a truly secure Flash, and a secure environment to run it in.

Re:Automatic updates (0)

Anonymous Coward | about 5 years ago | (#29323025)

Don't you feel annoyed though by all of the update prompts? Quicktime, Flash, Java, Adobe Acrobat. I've never had my computer compromised by these plug-ins specifically. It's only natural to say "Meh, I'll update it later. Go away!!"

Re:Automatic updates (0)

Anonymous Coward | about 5 years ago | (#29323733)

I've never had my computer compromised by these plug-ins specifically.

Pray tell, how could you know that? Just because it's not acting strangely doesn't mean it hasn't been compromised. Remember how the HIV virus managed to kill so many people? That's because you incubate the virus for years, making it just as lethal yet much harder to detect.

Re:Automatic updates (1)

TheRaven64 (641858) | about 5 years ago | (#29323345)

I'm more surprised that they don't run the plugins as an unprivileged user and reparent the window on X11 or use the platform's native sandboxing capabilities on Windows to prevent exploits in the plugin from compromising the browser, let alone the system. But then, popping up a dialog box when there are known vulnerabilities is easier than writing secure code.

Re:Automatic updates (0)

Anonymous Coward | about 5 years ago | (#29323357)

Well a better way is to have an OS-level updater, like Ubuntu's Update Manager. All the auto-updating code from Firefox has to be yanked out when building a package for such a system to prevent it from interfering with the superior solution. This flash updater code will also have to go away in Ubuntu because flash is already in a package (flashplugin-installer) and kept up-to-date. What a waste of effort just because per-application auto-updating is needed in Windows.

Re:Automatic updates (1)

robmv (855035) | about 5 years ago | (#29323597)

Mozilla has provided the tools to do it with extensions, I do not know the reason why Adobe is afraid to build an XPI with Flash and publish all updates on Mozilla Add-ons site. They already do a yum repository for us, users of RPM based Linux distributions

Re:Automatic updates (1)

causality (777677) | about 5 years ago | (#29324115)

Mozilla has provided the tools to do it with extensions, I do not know the reason why Adobe is afraid to build an XPI with Flash and publish all updates on Mozilla Add-ons site. They already do a yum repository for us, users of RPM based Linux distributions

... because an XPI extension is written in XUL and/or Javascript, while a plugin is a compiled DLL that the browser loads up into its address space. They are two different things that work in different ways, even though they both add features to the browser. That's not to say that Flash couldn't be hosted on Mozilla's add-ons site, just that you are unlikely to see it in the form of an XPI file.

The real reason why you probably will never see it hosted on a non-Adobe server is simple enough. Nothing remotely resembling a "web standard" should be controlled by a single vendor, nor should it be anything other than an open standard with available source code for several working implementations. Almost everything that is or ever was wrong with Flash could have been fixed by someone else (since Adobe does not seem interested) if the above conditions were true.

Re:Automatic updates (2, Informative)

robmv (855035) | about 5 years ago | (#29324265)

... because an XPI extension is written in XUL and/or Javascript, while a plugin is a compiled DLL that the browser loads up into its address space. They are two different things that work in different ways, even though they both add features to the browser. That's not to say that Flash couldn't be hosted on Mozilla's add-ons site, just that you are unlikely to see it in the form of an XPI file.

Why do some people always assume the person that is talking has no knowledge of what he or she is saying? Please take a look at the Mozilla Extension reference [mozilla.org] and you will see that you can package plugins inside an XPI (/plugins/* reference on the exampleExt.xpi sample)

A change of attitude (1)

TorKlingberg (599697) | about 5 years ago | (#29322889)

I am happy to see an open source developer dropping the attitude that if the bug is not in their code, then it's not their problem.

The next step would be to make sure that at least the most popular extensions work with a new version of Firefox when it is released.

Re:A change of attitude (1)

causality (777677) | about 5 years ago | (#29324189)

I am happy to see an open source developer dropping the attitude that if the bug is not in their code, then it's not their problem.

They're only having to do that because Adobe refuses to fix Flash. By that I do not mean the current approach of patch after patch. I mean really fix it, which would probably require reimplementing it from scratch using secure programming practices from the very beginning. Right now, the security history of Flash is a complete joke compared to anything else except maybe early Sendmail. At any rate, this amounts to Mozilla trying to help clean up Adobe's mess because Adobe is too lazy to do so without a significant amount of pressure.

The next step would be to make sure that at least the most popular extensions work with a new version of Firefox when it is released.

The next step would be to scrap Flash and make it go the way of the dinosaur. The immediate next step after that would be to recognize that using Adobe was not the mistake that was made here. Using any closed standard controlled by any single vendor was the mistake. What we need is an open standard that anyone can implement with no concern about patents or other encumbrances. Then and only then, if Adobe can make the fastest/most secure implementation of that open standard, they remain relevant. If not, they quietly disappear. It's obvious they are afraid of such a level playing field.

How about the study which proves 80% are idiots (-1, Troll)

Anonymous Coward | about 5 years ago | (#29322893)

That's the low down, jack !! If you are reading this, 80% law of statistics says you are a fucking moron, with a slight chance of only being an idiot !!

Yeah, I got that. (5, Informative)

thePowerOfGrayskull (905905) | about 5 years ago | (#29322921)

Signed up for beta/testing FF updates. I get notified by FF that adobe is out of date. I click to install it. And lo! what installs? Not Flash... but some crappy Adobe Download Manager plugin whose sole purpose seems to be to download and install Adobe products. The Flash update did not ever download, even after FF restart.

Broke my own first rule on this one -- never download anything you're not 100% certain of - but it's still frustrating. If FF tells me it's taking me to install Flash, I think I should be able to trust that Flash is what I'm going to get.

swapping one exploit for another (3, Interesting)

Anonymous Coward | about 5 years ago | (#29323017)

swap one exploit for another
http://www.google.com/search?hl=en&q=%22Adobe%20Download%20Manager%20%22%20exploit [google.com]

WTF is wrong with Adobe? What's wrong with just providing the plugin and nothing else?
I should also rant at Sun for installing their fkin Yahoo toolbar/spyware across our corporate network on every Java monthly update or installing their quickstarter/net assistant Firefox plugins without permission, then there is Apple with their forcing "Safari" (another exploit vector) as a pre-ticked update on their Quicktime updates, WTF? Google installing scheduled phone-home tasks every 15min with any bit of software they install
really just fuck off, fuck right off

Is it any wonder, with this despicable behaviour from major software companies where their "update" software is abused as an "install more crap" service, that people don't update their plugins/software for fear of getting crap that they didn't ask for, therefore exposing themselves to all these vulnerabilities, or more if they do install it

perhaps when they get tagged as badware and spyware their behaviour might change
or maybe a good old million dollar class action lawsuit might

How it all happened... Maybe. (0)

Anonymous Coward | about 5 years ago | (#29323027)

The back story:

Adobe top managers were sittin' around one day during one of their 3-hour martini lunches, smoking cigarettes, scratching where it itches, and making lewd comments to the waitress.

Finally, one of them said, "How can we sink the company?" After much consultation by cell phone with people who actually understand Adobe products, they found a solution: Have a product that is always in the news because it is buggy and vulnerable. That product should also have a buggy, poorly designed update installer.

Okay, you say, "I doubt that." But do you have a better explanation? Hah! I thought not.

Completely off-topic (1)

agnosticnixie (1481609) | about 5 years ago | (#29323143)

For added lulz - Adobe's CS uses a full copy of an old and vulnerable version of Opera for its home-phoning loading screens, and for bridge - and of course their retarded mac devs (there used to be a few hacks to make CS3 work In mAcOS x Hfs+ wIth CAsE sEnsitIVIty because apparently their coders are drunk monkeys, now they disabled it by making it impossible to install CS4 if the root partition is on a case-sensitive FS) - I said fuck it, deleted the trialware and just moved to alternatives that fill my needs without taking up endless gigs of memory rather than waste money or time to fix it that is much more valuable in the end than what they would expect me to pay. That [dearadobe.com] might amuse you.

Re:Completely off-topic (1)

PIBM (588930) | about 5 years ago | (#29323315)

What's the alternative to Photoshop CS4 ?

That could really be useful!

Re:Completely off-topic (1)

Ma8thew (861741) | about 5 years ago | (#29323415)

There is no replacement for all of Photoshop's functions, but the majority of the functions normal people use can be found in Pixelmator [pixelmator.com] or Acorn [flyingmeat.com]. For added points, Acorn has a Python powered plugin interface.

Re:Completely off-topic (1)

agnosticnixie (1481609) | about 5 years ago | (#29323427)

Sadly I don't use photoshop so I didn't have to look for a serious alternative, what tools I needed replaced were Illustrator and Flex (well, and Dreamweaver and Premiere in theory, but I've always handcoded that stuff and FCX/FCP seemed a better bet).
I'd be semi tempted to say Iris but the project looks dead even if it's not a beta, pixel is perpetual vaporware, chocoflop seems promising but some versions of the beta are crashy to say the least, and pixelmator seems mostly like gimp+isight plugin and last I checked it it still didn't open .NEF files but might be worth the try in the future
Quite honestly, I think PS is the hardest of the lot to replace on any platform. Probably because it tries to be the all-things-for-everyone Raster Editor I guess.

Re:Completely off-topic (0)

Anonymous Coward | about 5 years ago | (#29323657)

What's the alternative to Photoshop CS4 ?

http://www.gimp.org/ [gimp.org]

Re:Completely off-topic (1)

agnosticnixie (1481609) | about 5 years ago | (#29323697)

GIMP 3 maybe, but right now, it's too limited if the editing happens to be photography.

streamlining Flash updates? (0)

Anonymous Coward | about 5 years ago | (#29322947)

Does updating Flash require you to restart Firefox? Even with its Session Restore, textarea content is lost as are tabs whose URLs are no longer valid. Maybe Firefox should ask you if you want to install the newest version of Flash when you first open the browser? I.e., in the same window where it asks you if you want to update the add-ons you have installed?

A simple web page? (0)

Anonymous Coward | about 5 years ago | (#29323015)

Teaching the users to follow installation links from a standard (and unencrypted) web page is not a good idea. Not all users would be savvy enough to notice the difference between http://get.adobe.com/... and http://updateflashplayerforfree.com/... so it's only a matter of time before phishers distribute viruses through innocent Mozilla-looking pages. After all, it's Firefox and it has cute birds all over the place so it can't possibly contain a virus, right?

The correct way to do it would be to have a version check mechanism similar to that of extensions, which Mozilla can still update without releasing a new Firefox.
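A sketch of the check this comment proposes, added here as an illustration and not Mozilla's code or part of the original thread: plugin versions are compared against an updatable policy list, and an update link is shown only if it is https and its host is exactly on an allowlist. The policy format, the minimum version and all function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed policy entry, standing in for a list the browser vendor can
# update without shipping a new browser. The version number is made up.
POLICY = {
    "Shockwave Flash": {
        "min_safe": "10.0.2.0",
        "update_url": "https://get.adobe.com/",
        "trusted_hosts": {"get.adobe.com"},
    },
}

def parse_version(text):
    """'10.0 r22' or '10.0.22.87' -> tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def is_older(installed, minimum):
    """Compare versions after padding, so '10.0' equals '10.0.0.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def is_trusted_update_url(url, trusted_hosts):
    """Accept only https URLs whose host is exactly on the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    # A substring or prefix match would accept look-alike hosts; userinfo
    # ("trusted@other-host") is rejected outright.
    return (parts.scheme == "https" and parts.username is None
            and host is not None and host in trusted_hosts)

def check_plugin(name, installed_version, policy=POLICY):
    """Return (status, update_url); the URL is None unless it is safe to show."""
    entry = policy.get(name)
    if entry is None:
        return ("unknown", None)
    if not is_older(installed_version, entry["min_safe"]):
        return ("ok", None)
    url = entry["update_url"]
    if not is_trusted_update_url(url, entry["trusted_hosts"]):
        url = None  # still warn, but never hand out an unverifiable link
    return ("outdated", url)
```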

Hypocrites (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29323029)

Why stop with Adobe? They should include a warning for their own faulty line of product: "Warning - you are using Firefox, a browser with a long history of vulnerabilities. We don't care about websites turning hostile on your ass, we have more important things to do, like html5, acid2 and all kinds of rich web 2.0 features... What's our excuse? Our security isn't as crap as IE (6.0)". But that would be asking too much, I fear.

Getting Flash to work was a pain (1)

billsf (34378) | about 5 years ago | (#29323055)

But FreeBSD will protect you. I doubt Mozilla will ever catch me with a vulnerable version unless you say all Flash is vulnerable -- a point I won't argue. At least I have a 'kill script' to kill an annoying flash page while preserving the text I really want. For most viewing (video) I use VLC, clive and a script to glue them together. (Written in sh -- hint: tested with bash too.) See the benefits of open source software?

BillSF

Sorry Microsoft -- you sold the only good thing you had -- Office. Let's hope the designers will revolt and force the source open. They are, after all, the only known RealHackers(tm) in Microsoft!

Real protection? (1)

hansamurai (907719) | about 5 years ago | (#29323089)

How about protecting my browser from an Adobe crash? I know you're working on isolated tabs, but hurry up already!

Re:Real protection? (1)

maxume (22995) | about 5 years ago | (#29323165)

Flashblock (or noscript) does a pretty good job at this; most of the flash content that you want to run is also flash content that the creator cares about debugging well (as opposed to advertisements and such).

Re:Real protection? (1)

nickysn (750668) | about 5 years ago | (#29323461)

It's called nspluginwrapper and has been in Fedora for ages. It wraps the Firefox plugins and executes them in a separate process. If that separate process crashes, the crashed plugin stops working temporarily. Reloading the page restarts the plugin again. It also allows running 32-bit plugins in a 64-bit browser. It only isolates the plugins and not the browser code, but the browser is quite stable nowadays, so I consider it an overkill and a waste of resources to run each tab in a separate process. If there are bugs in the browser, that cause crashes - they should be fixed. Firefox does that pretty well here. If people use old versions, make an easy to use auto-update, and don't push updates that break things for people, so they become afraid to update. :) Firefox also does that well. So isolating just the f*cking plugins is enough :) Sure, it's a marketing point for Google Chrome (and it's probably more useful there, because their codebase is new and less well tested, so probably more crash-prone; but I haven't used it really, so I don't know), but it's not something I really miss. I'd be more happy to see something like nspluginwrapper ported to Windows.

Re:Real protection? (1)

CajunArson (465943) | about 5 years ago | (#29324051)

That's funny... nspluginwrapper tended to cause most of the problems I had with flash... since Adobe came out with the 64 bit Linux releases, I can't remember the last time the browser crashed due to Flash issues.

Re:Real protection? (0)

Anonymous Coward | about 5 years ago | (#29324169)

The 64-bit flash plugin reliably crashes the browser if I ever close a tab that a flash video has played in. Irritatingly, nspluginwrapper also reliably hangs. Which I suppose is better than crashing, but I still have to shut down the whole browser to restore a flash-capable session (or use gnash, shrug).

Yeah, I reported the issue. Straight into /dev/null it seems. The problem has existed since release of the 64-bit plugin.

I assume it doesn't happen for everybody, but it's happened on every computer I've tried it on with AMD/ATi graphics cards - but with either of the two open source radeon drivers or the closed binary, and with or without plugin hardware accel enabled.

Oh hey (1, Insightful)

Anonymous Coward | about 5 years ago | (#29323093)

I use Chrome which sandboxes plugins so most/any vulnerabilities are likely to do no more than crash the current tab. Why not make the entire browser secure from the ground up rather than relying on the human element to keep things right?

Re:Oh hey (0)

Anonymous Coward | about 5 years ago | (#29323635)

Wrong. Chrome only provides tolerance against unintended crashes; malicious or vulnerable plugins can still access all your files and install any rootkit they want.

Sandboxes are a good thing, but they're still nowhere near as powerful as what you describe.
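The distinction drawn in this sub-thread between surviving a plugin crash and containing a plugin, as an added example that is not part of the original comments and not nspluginwrapper's or Chrome's code. The "plugin" is a constructed child script and the `PluginHost` class and its request names are assumptions; the host survives the child's SIGSEGV and restarts it on the next request, yet the child still runs under the host's own user ID.

```python
import os
import signal
import subprocess
import sys

HOST_UID = os.getuid()

# Constructed stand-in for a plugin. It answers one request per line;
# "CRASH" makes it die with SIGSEGV, the way a plugin bug would.
PLUGIN_SRC = r"""
import os, signal, sys
for line in sys.stdin:
    req = line.strip()
    if req == "CRASH":
        os.kill(os.getpid(), signal.SIGSEGV)
    reply = "uid=%d" % os.getuid() if req == "WHOAMI" else "rendered:" + req
    print(reply, flush=True)
"""

class PluginHost:
    """Browser-side proxy; the plugin itself lives in a child process."""

    def __init__(self):
        self.proc = None
        self.crashes = 0

    def request(self, req):
        """Send one request. Returns the reply, or None if the plugin died."""
        if self.proc is None or self.proc.poll() is not None:
            # First use, or a "page reload" after a crash: start a fresh child.
            self.proc = subprocess.Popen(
                [sys.executable, "-c", PLUGIN_SRC],
                stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        try:
            self.proc.stdin.write(req + "\n")
            self.proc.stdin.flush()
            reply = self.proc.stdout.readline()
        except BrokenPipeError:
            reply = ""
        if reply:
            return reply.strip()
        self.proc.wait()  # EOF: the child is gone, the host is not
        self.crashes += 1
        return None

    def exit_signal(self):
        """Name of the signal that killed the last child, or None."""
        rc = None if self.proc is None else self.proc.returncode
        return signal.Signals(-rc).name if rc is not None and rc < 0 else None

    def close(self):
        if self.proc is not None and self.proc.poll() is None:
            self.proc.stdin.close()
            self.proc.wait()
```

The `WHOAMI` reply matching `HOST_UID` is the point of the second comment: a separate process alone inherits the user's file permissions, so restricting what the child may touch needs an additional mechanism.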

Re:Oh hey (1)

Mashiki (184564) | about 5 years ago | (#29323837)

The browser is secure. I've mentioned this in other security forums, but flash & java went the way of ActiveX several years ago. "Playing outside the sandbox", a bad, bad idea. Soon as that happened, not only did it open a sluice of security vulnerabilities, but it broke the traditional sandbox concept of safe browsing. Now that doesn't stop the occasional stuff like buffer overruns, or divide by zero bugs to get control of a system. Bugs are bugs, but when you're able to send redirect requests to an external app, installed on the system with no user control... i.e. Browser>plugin>secondary/trinary software we've got ourselves a serious problem.

The only solution I see is for the current development of flash to stop as it is. Move to app level support, and a new browser only based plugin to be released that doesn't break the sandbox rule. Because people are stupid, computers are still semi-complex bits of software and hardware. And not everyone is smart enough to keep it up to date. And that applies for all OS's.

And before some smartass decides to post "use a mac" good idea, too bad they're vulnerable to java and flash problems (stupid people are stupid). And linux flavors are good, but either don't work properly for most people, or are still under the mature point for most people OoTB.

Finally (1)

DaveGod (703167) | about 5 years ago | (#29323213)

Even as a long time FF user I keep going to the Plugins menu, looking for and wondering why there isn't a "check for updates" button, just like there is for extensions.

Most plug-in authors do have their own auto-update programs but I dislike using them - I keep having to disable them from loading at boot, and they seem to do other crap I don't want like try to install their other crapware. Even just trying to download flash they want you to install some download manager first; there used to be a proper installer hidden away as a re-distributable but I can't find it any more. Adobe Reader auto-updates but decides to install Acrobat.com (which seems to be an Air application and not a web link) and it putting a shortcut on the desktop also irritates. Java update seems relatively benign but need to remember to untick the Yahoo! search bar, I'll tolerate the advert for OpenOffice. QuickTime have at least stopped having the iTunes bundle as the default, but every time I update it seems to forget my settings.

Not so long ago we were warning newbies to be wary of any software that tries to pull stunts like these.

They forgot Adobe Reader/Acrobat. (1)

dicobalt (1536225) | about 5 years ago | (#29323249)

Everyone is using ancient versions of that also.

2o7.net (1)

saur2004 (801688) | about 5 years ago | (#29323263)

The reason I have not updated my very old version of Flash is because I heard about Omniture and 2o7.net [slashdot.org] and no, they have not sufficiently explained themselves to their user base.

In the meantime... (2, Informative)

MrNonchalant (767683) | about 5 years ago | (#29323265)

Here's a page that checks your Flash version and lists the latest version for the different browsers/operating systems: http://www.adobe.com/software/flash/about/ [adobe.com]

Version checking applications (2, Insightful)

Wowsers (1151731) | about 5 years ago | (#29323277)

I don't think it would go down too well if version checking was built into the current version of Skype for Linux.

"Dear Linux user, your version of Skype has not been updated for 2 1/2 years, there are no new updates planned, and x86_64 versions are out of the question. Please feel free to vent to eBay where they will helpfully file your comments in /dev/null.

Thank you for choosing Skype."

Re:Version checking applications (1)

j_sp_r (656354) | about 5 years ago | (#29323757)

A newer beta was released a week ago. Still no x86_64 but I don't care that much (just install the 32 bit packages with it)

More hand holding, more bloat. FF is getting shit (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29323347)

More hand holding from the browser that is running itself into the ground....

This might only be a subtle feature, but it is yet more bloat being lumped into FF. If users want to be notified of an out of date flash plug in they should put pressure on Adobe to better their proprietary software, Mozilla shouldn't be applying workarounds for Adobe's shortcomings. And besides, if they are checking flash, they might as well check Java. And Quicktime. And.....

If Mozilla wanted to check plug in versions are up to date, they should put that functionality into an extension and make it optional.... Some people don't even install flash, and I haven't for years because of its security track record, and because it is only used for banner ads and on line gimmicks.

Mozilla are ruining FF by chasing IE users to increase the numbers of FF users. The only way to get people who don't care about which browser they use to use your browser is to make a lot of hot air about how easy your browser is to use, and how it will hold your hand on line. FF could have done this by not wrecking their product by simply providing a package of FF and useful extensions for IE migrants (aka new FF users), and a bare browser package for those that want it.

Re:More hand holding, more bloat. FF is getting sh (1)

coryking (104614) | about 5 years ago | (#29323615)

Why don't you just use Lynx or wget? You anti-"bloatware" people seem to make a stink about anything that isn't plain ASCII anyway.. why not just go all out and use the least "bloated" client on earth? I'm serious. Use wget. It seems more your style.

upgrade? Why not block (2, Insightful)

IceFox (18179) | about 5 years ago | (#29323677)

If the user doesn't upgrade does it disable the plugin?

One thing that'd protect users... (0)

Anonymous Coward | about 5 years ago | (#29323741)

Would be running it in a separate subprocess so it doesn't inevitably crash the whole browser when you close a damn tab containing a youtube video.
