Upcoming versions of Mozilla's Firefox browser will automatically warn users running versions of Adobe's Flash Media Player that contain known security bugs, according to a published report. The check will be invoked each time the popular open-source browser is updated, according to the report which was published Thursday by The …
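The report only says that the browser compares the installed Flash version against versions with known bugs at update time. As an added illustration (not Mozilla's code, and not its real blocklist), the check below shows the one part that is easy to get wrong: version strings must be compared numerically, component by component, and a version the check cannot parse must fail closed. The plugin list is constructed here; a browser would read it from `navigator.plugins`. The policy entry, its `minSafe` value and the `action` field are assumptions for the example.

```javascript
// Added example, not Mozilla's code: a version check of the kind the article
// describes. Runs under Node; the plugin list is constructed below (a browser
// would read navigator.plugins). Policy values are illustrative assumptions.

// "10.0.32.18" -> [10, 0, 32, 18]. Rejects anything that is not dotted digits.
function parseVersion(s) {
  const str = String(s).trim();
  if (!/^\d+(\.\d+)*$/.test(str)) throw new Error(`unparseable version: ${s}`);
  return str.split('.').map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1. A plain string compare would
// rank "10.0.9" above "10.0.32", which is exactly the mistake that lets an old
// build pass as current.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;   // "10.0" == "10.0.0"
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Policy: lowest version per plugin not known to carry published bugs, and what
// to do below it. Numbers here are illustrative, not a real blocklist.
const POLICY = [
  { name: 'Shockwave Flash', minSafe: '10.0.32.18', action: 'warn' },
];

// One finding per installed plugin the policy covers whose version is below
// minSafe. A version that cannot be parsed is reported too: the check cannot
// prove it safe, so failing closed is the right default.
function checkPlugins(plugins, policy = POLICY) {
  const findings = [];
  for (const p of plugins) {
    const rule = policy.find(r => r.name === p.name);
    if (!rule) continue;               // no policy for this plugin: nothing to say
    let outdated;
    try {
      outdated = compareVersions(p.version, rule.minSafe) < 0;
    } catch (e) {
      outdated = true;                 // unparseable -> treat as not proven safe
    }
    if (outdated) {
      findings.push({ name: p.name, installed: p.version,
                      minSafe: rule.minSafe, action: rule.action });
    }
  }
  return findings;
}

// Constructed sample of what navigator.plugins might report.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', version: '10.0.22.87' },
  { name: 'Java(TM) Platform SE 6', version: '1.6.0.15' },
];

for (const f of checkPlugins(SAMPLE_PLUGINS)) {
  console.log(`${f.action}: ${f.name} ${f.installed} is below ${f.minSafe}`);
}
```

Running it prints one warning for the constructed Flash entry and nothing for Java, which has no policy entry. The `action` field is where a "disable" rather than "warn" decision would hang, should a browser choose to block rather than nag.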
This is good, but shouldn't the onus be on Adobe to include a mechanism to check for updates in its Flash Player?
For what it's worth, I'm a believer that not applying security updates should be punishable by hard labour. Much like a car needs to pass an annual MOT to be allowed on the road, computers should have to be fully patched to be allowed on the Internet. And yes, a "computing test" is also part of my manifesto, should the people of Britain ever get desperate enough to vote me in as their leader (can't be too far away now...)
@Doc Spock: a requirement to always have the latest version of everything is ridiculous. There are several programs where I deliberately run older versions because the latest shit is 10 times the size, 10% of the speed and 10 times more annoying to try and use, and often has 10 times the number of security vulnerabilities as a result.
However, people should be required to be responsible for the security of their computer. An extremely small number of ISPs scan for botnet traffic and cut off infected customers automatically; this should be compulsory for all ISPs (with customers having the option to opt out of the service if they have a valid reason, which would require answering a few simple questions to confirm you know the difference between a subnet and a Linux install disk). And while you're at it, add IPv6 support (might as well, if they have to roll out new equipment anyway).
Disconnecting because a company claims they think someone on the connection might have done something they didn't like (the music/film industry demands) is never justified. However, disconnecting people because they are actively attacking other users on the internet is completely justified (though if it's silent malware that just harvests your bank/credit card details and doesn't attack other systems, leave them to it... it's their own damn fault).
Why isn't it automatic?
I've always wondered why security-oriented updates aren't automatically downloaded and applied. Or at the very least, ask the user if they'd like to update, and then take care of the rest when they click yes. The chore of downloading and installing Flash (and some other software too) with every 10.x.x.x update is way too much for a typical computer user. It's easier to click ignore than go through the process. Not to mention you can be sure that a large majority of your userbase will be guaranteed to be running the same version (great from a compatibility standpoint).
Feature-updates, on the other hand should at least require user consent. Wanting to avoid software bloat or instability is a valid reason to avoid an update. I love firefox's update process!
Re: ISPs scanning for botnet traffic
"an extremely small number of ISPs scan for botnet traffic and cut off infected customers automatically, this should be compulsory for all ISPs"
A worthy aspiration, but hard to think of a wording that could be enforced. Should ISPs be required to run particular software (like in China) and take particular action (like three strikes and you're out), or should it be limited to "reasonable steps", which given the race-to-the-bottom nature of the UK ISP business probably means "everything short of actually spending money"? (Then again, if spam really is 90% of internet traffic, as we're led to believe, and ISPs are screaming about limited bandwidth all the time, you'd have thought there was an existing incentive to get off their far arses.)
Perhaps the next time someone in the UK finds themselves attacked (as defined under the UK's Computer Misuse Act) by a machine operating out of a UK ISP's network, they should try suing the ISP for negligence.
On the other hand, perhaps lawyers are the last thing we need to add to the problem. As a general observation, if society wants to alter behaviour then it has three options. We can ask nicely, we can make it cost money, or we can make it illegal. In my experience, these measures should be tried in that order. Back on the first hand, as I noted just above in regard to spam, we *do* appear to have tried the first two.
It would help if Adobe didn't use shit installer download software - I've tried a few times now to get the latest update and the stupid "getplus" installer takes hours to download it. Maybe it's the servers, maybe it's the "getplus" downloader - all I know is that a company of their size really should have a reliable system!
flaws in the program ?
"Flaws in the program are routinely exploited by criminals to install keyloggers and other malicious software on end-user machines"
Shouldn't that be "flaws in the underlying platform allow for the installation of malicious software"? That platform invariably being the WinTEL one. The one with the built-in buffer overflow feature?
I agree that running the latest version of everything is not always a good idea, that is why I specifically said the latest *security updates*. That is, by all means run old software, just make sure that it has no known vulnerabilities.
(I think we both share the same viewpoint)
I can confirm this has actually already been implemented in Firefox 3.5.3; it recently alerted me to the fact that Mac OS X 10.6 had downgraded my version of Flash and I should upgrade! It's a big banner that appears on first launch on the Firefox updated screen.
Better one innit
What's *really* needed (short of a simple ban on closed-source software) is for someone to sponsor an Open Source equivalent of the Flash player.
The words "This would never have happened if you had the Source Code" (TWNHHIYHTSC) are as true today as they ever have been.
Sad thing is it won't stop my parents calling me up asking if they should install the update...
Totally agree on cutting off users that have become part of botnets, I can't understand why ISPs don't do really simple stuff like blocking all port 25 traffic. Sure some users want to run mail servers, everyone else wouldn't notice if the port was open or closed. Users who want to run mail servers can have the port opened and the ISP should be required to check for open relays periodically on any users who have an open port 25.
More hand holding
More hand holding from the browser that is running itself into the ground....
This might only be a subtle feature, but it is yet more bloat being lumped into FF. If users want to be notified of an out-of-date Flash plug-in they should put pressure on Adobe to better their proprietary software; Mozilla shouldn't be applying workarounds for Adobe's shortcomings. And besides, if they are checking Flash, they might as well check Java. And QuickTime. And.....
If Mozilla wanted to check that plug-in versions are up to date, they should put that functionality into an extension and make it optional.... Some people don't even install Flash, and I haven't for years because of its security track record, and because it is only used for banner ads and online gimmicks.
Mozilla are ruining FF by chasing IE users to increase the numbers of FF users. The only way to get people who don't care about which browser they use to use your browser is to make a lot of hot air about how easy your browser is to use, and how it will hold your hand online. FF could have done this without wrecking their product, by simply providing a package of FF and useful extensions for IE migrants (aka new FF users), and a bare browser package for those that want it.
Again : Good, but...
Again, good, still better than nothing. But imagine what most of the ignorant users will do with such a warning... I can see it very clearly: they will say "ooh, what the hell is this???!" and close it so they won't be scared by the announcement anymore.
Are you being a prat on purpose? Most of the holes in the flash plugin are blissfully cross-platform, like the plugin itself.
Anyway, nice idea, I hope MS and Opera pinch it.
Re: ISPs automatically disconnecting customers
This idea is absolutely unworkable and is never going to happen. It may be fine on a corporate network where the local geek (sysadmin) can pop over to the infected user's office and clear things up, but how exactly is your average, clueless home user supposed to sort their own PC out? Especially since they are now disconnected from the net and can thus no longer access the required software to remove the infection. Also, I suppose none of you have had the misfortune to deal with the customer services department of your average ISP? Most can barely speak English let alone guide a newly disconnected user on how best to disinfect their PC!
No, this idea has fail written all over it and I'm surprised others have spoken up in support of it.
But what if the update...
...is itself flawed. I mean, how many Reg articles have been about updates that break stuff?
And BTW, to whoever said Windows is the reason Flash is flawed, it may interest you that Flash exploits have also been able to play hobnob with MacOS and Linux installations, too. As for an open-source version of Flash, I recall that is in progress but is so far behind current versions as to be generally unusable in the field.
@AC (5/9 16:18): Re: ISPs automatically disconnecting customers
With some ISPs you have to authorise each PC before it can get out on the net. Unauthorised PCs display a page explaining that it needs to be authorised and how to do it. A similar approach to PCs thought to be harbouring malware should not be beyond the wit of Man (sic).
All the more reason that I wish....
All the more reason that I wish the W3C would get their heads screwed on straight and throw their weight behind Ogg Theora being specified in the <VIDEO> tag markup. Open standards always seem to win out on security, stability, and format stability in the long run. Kudos to Wikipedia and Firefox for deciding to go forward with serving and client-side support for Ogg Theora.... hopefully others like Opera, Chromium and others will get behind Theora, Google perhaps on YouTube....
Not just alert, but block known unsafe versions.
Adobe are such damned laggards that Mozilla should go further and force the issue, given that Flash regularly compromises Firefox and OS security!
Yes, Adobe should provide a proper updating feature and proper security, but until they do:
* Firefox should disable insecure Flash versions, just like they do with incompatible extensions and plugins
* Firefox should nag for a download, just like it does for uninstalled plugins.
* Firefox should show an insecure plugin dialog, if no fixed Flash version is available, to shame Adobe!
* Firefox should run Flash in a separate sandboxed process, like Java does, to stop its crap code compromising the browser and being a repeated security risk.
BTW, I refuse to have Adobe Acrobat (and Reader) on my PC too, because there is lighter-weight, more secure PDF software available now.
Re: Why isn't it automatic?
> ask the user if they'd like to update, and then take care of the rest when they click yes.
You clearly haven't seen many 'Jo Average' users in action. They normally wade through a shit storm of update dialogue boxes and crapware registration dialogue boxes from the Norton trial version that the PC came with two years ago - hitting "Cancel" because they "don't want to break anything". Every time they switch the machine on.
Maybe more people would install updates...
...if Adobe, and others, stopped puffing out every new version (and yes instead of just issuing security plugs they always create a complete new version) with more and more cruft.
I want a program which plays Flash, not which also offers me a search bar, tea maker, online shopping mall, and numerous other pieces of crap I'll never use! And as for them now pushing their 'download manager' in order to install it... grrr!
Adobe updater caused problems
We had problems with, I think it was, Adobe PDF Reader 7 or something; it was impossible to turn the updater off; it took a registry hack to do it. Initially we didn't think that much of it, until the updater decided to download a completely different application and install it on everyone's desktops.
Good God, that was frustrating, and it cost us a lot of time removing the updater and also cleaning up the picture album or whatever it was. Corporates treat people's computers as if they are battlegrounds on which to wage their software wars; it is no wonder we prevent automatic update systems from running, because we don't know or trust what they are doing to our systems.
You know, thinking back over the last few years, much more of our time and effort has been spent cleaning up unwanted software and breakages through updates than we've spent on cleaning up virus attacks.
Adobe, while you are at it ... can you also please provide 64-bit versions of Flash for Windows and Mac OS X?
No, no NO!
ISPs should have none of the responsibility for scanning for... well, anything. They should be treated as Common Carriers. Once you allow scanning for anything it'll feature creep. They should be there to provide a connection to the Internet- as suggested by the name "Internet Service Provider"- regardless of which bits of the Internet you want to access or for what purpose.
They should- at most- have the ability to pipe a certain user's data off to the Police or suchlike when presented with a very specific court order.
@A J Stiles
>What's *really* needed (short of a simple ban on closed-source software) is for someone to >sponsor an Open Source equivalent of the Flash player.
There is one but it's crap. Adobe made the spec open several years back but there's been little will to make a good open source version, I'm guessing because the normal version is free (as in beer) and that's all most people care about.
"This is good, but shouldn't the onus be on Adobe to include a mechanism to check for updates in its Flash Player?"
No that's the job of the package manager.
"I've always wondered why security-oriented updates aren't automatically downloaded and applied."
If you have a package manager, they are. You have a choice: 1) Fully automatic (updates download and install). 2) The update manager tells you when there are updates; updates download but are not installed until you select them (security updates are listed first). 3) Manual: the update manager tells you when there are updates, but they aren't downloaded OR installed until you tell it to. Probably there's an option 4) Suppress any checks for updates, but I've never checked.
You must be coming from Windows, I noticed the excessive number of update checkers and general junk popups telling me there were updates for software on it. How annoying.
Now with all this said, I think it's fine for Firefox to warn that the plugin is out of date. If the package manager does its job you'll never see it, but it's good to have some warning that your browser plugins are insecure.
@Henry Wertz 1
Yes, but if you were the sort of person who would be happy to only ever install software that was part of a package of apps approved by the O/S maker and managed / updated by their tools, WTF would you be doing using a PC anyway?
We already have a perfectly good solution for people who think that way, it's called an iPhone.
Now if it also warned...
...that your version of Windows is also out of date and a security risk that might be an even better improvement.
The problem with that is the message is probably redundant, as all version of Windows probably have security flaws.
Oh well, nice try.
Default port 25 blocking is effective.
My ISP (in France) had a big problem of compromised customers spewing spam, which they addressed in a routine firmware update. You can re-open the port only by delving deep in the configuration -- i.e. you would have to know that you wanted to do it and why. The ISP is no longer considered a spam source.
It's actually quite simple to solve this problem. Your Internet connection fees need to be charged by the byte, with itemized bills going out to users that lists the sites/IPs they have connected to. Nothing will make an end user update their software more quickly than being asked to pay for a few gigs worth of botnet traffic; it'd be like discovering your kid has been dialling premium-rate phone numbers and likewise would be shut down immediately. The savvy ISP would then sell a cheap subscription services where they would install patches and updates to the end users. Profit all round, problem solved.
I'd also point out that it would have the delicious side effect of putting all those advertising popups out of business overnight as people would not want to pay for a zillion Netflix pop-unders from casalemedia (etc.). As well as pushing the web to become leaner and lighter, something that is long overdue.
Where will it end
So Firefox is going to take on the responsibility of telling people when their non-Firefox Adobe product isn't up to date. I guess Adobe is happy to know they don't need to bother doing that anymore? Why would they build this into the product and not just make it part of some "updates notification" plugin?
So what happens when:
1. The Firefox devs get bored of maintaining this notification service?
2. Why just Adobe, if it's that important then should they do it for all products and add-ins?
The idea is commendable, but ultimately unworkable. They are taking ownership for a task that isn't theirs to own, and will ultimately just create more work for someone who has to keep track of the notifications. If that person goes on holiday, who will do it then?
(okay, it's two words sorta merged into one. But it fixed my flash vulns)
@adam foxton & never going to happen
It's a good principle, but the world is always more complex than that. The Internet is a common effort and ISPs have the responsibility to be good Internet citizens, i.e. stop spam and DoS attacks originating from their networks. It is not hard and is done (semi-)automatically by some ISPs on their home customer networks. When SMTP outgoing spikes massively you are put in a quarantine network where all port 80 traffic is redirected to a notice page saying your PC is a spam bot. A phone call gets your connection back. Surely UK law mandates that ISPs monitor their networks and keep them in order. They risk losing their business if their house is not in order, or should.
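The quarantine the comment above describes, and the earlier point that customers who ask for port 25 should be left open and watched rather than blocked, together make one small detection problem. The block below is an added example, not any commenter's or ISP's code: it walks constructed outbound connection records, keeps a sliding window of distinct port-25 destinations per customer, and quarantines a customer who exceeds the limit, where the limit is far higher for a customer on the assumed mail-server exemption list. The window length, both thresholds, the exemption list, the flow records and the iptables rendering of the quarantine are all assumptions for the example.

```javascript
// Added example, not any commenter's code or any ISP's system: the
// "outgoing SMTP spikes" detector the comment above sketches, combined with the
// earlier point that customers who ask for port 25 stay exempt from the
// default block. Flow records are constructed below; thresholds are assumptions.

const WINDOW_SECONDS = 60;      // sliding window (assumption)
const HOME_LIMIT = 20;          // distinct SMTP destinations per window, ordinary customer
const MAIL_SERVER_LIMIT = 500;  // same, for a customer who had port 25 opened

// Customers who asked for port 25 (assumed list). They are not blocked outright,
// only held to the higher limit.
const MAIL_SERVER_CUSTOMERS = new Set(['203.0.113.7']);

// Outbound connection attempts seen at the customer edge: {ts (s), src, dst, dport}.
// Constructed: .20 fans out to many mail hosts in seconds (bot-like), .21 only talks
// to its provider's submission host, .7 is an exempt mail server that is busy.
function sampleFlows() {
  const flows = [];
  for (let i = 0; i < 30; i++) flows.push({ ts: i, src: '198.51.100.20', dst: `mx${i}.example.net`, dport: 25 });
  for (let i = 0; i < 5; i++)  flows.push({ ts: i * 10, src: '198.51.100.21', dst: 'smtp.isp.example', dport: 25 });
  for (let i = 0; i < 100; i++) flows.push({ ts: i * 0.5, src: '203.0.113.7', dst: `mail${i}.example.org`, dport: 25 });
  flows.push({ ts: 3, src: '198.51.100.21', dst: 'www.example.com', dport: 443 }); // ignored: not SMTP
  return flows;
}

// Per source: the peak number of distinct port-25 destinations inside any
// WINDOW_SECONDS window, and the resulting verdict.
function detectSmtpSpikes(flows) {
  const bySrc = new Map();
  for (const f of flows) {
    if (f.dport !== 25) continue;
    if (!bySrc.has(f.src)) bySrc.set(f.src, []);
    bySrc.get(f.src).push(f);
  }
  const verdicts = {};
  for (const [src, list] of bySrc) {
    list.sort((a, b) => a.ts - b.ts);
    const limit = MAIL_SERVER_CUSTOMERS.has(src) ? MAIL_SERVER_LIMIT : HOME_LIMIT;
    const inWindow = new Map();   // dst -> number of flows currently inside the window
    let lo = 0, peak = 0;
    for (let hi = 0; hi < list.length; hi++) {
      const d = list[hi].dst;
      inWindow.set(d, (inWindow.get(d) || 0) + 1);
      while (list[hi].ts - list[lo].ts >= WINDOW_SECONDS) {   // slide the left edge
        const old = list[lo].dst, c = inWindow.get(old) - 1;
        if (c === 0) inWindow.delete(old); else inWindow.set(old, c);
        lo++;
      }
      peak = Math.max(peak, inWindow.size);
    }
    verdicts[src] = { peak, limit, action: peak > limit ? 'quarantine' : 'allow' };
  }
  return verdicts;
}

// Quarantine as the comment describes it: keep the line up, send port 80 to a
// notice page, drop the rest. Rendered as iptables commands (assumed deployment).
function quarantineRules(src, noticeHost) {
  return [
    `iptables -t nat -A PREROUTING -s ${src} -p tcp --dport 80 -j DNAT --to-destination ${noticeHost}:80`,
    `iptables -A FORWARD -s ${src} -d ${noticeHost} -j ACCEPT`,
    `iptables -A FORWARD -s ${src} -j DROP`,
  ];
}

const verdicts = detectSmtpSpikes(sampleFlows());
for (const [src, v] of Object.entries(verdicts)) {
  console.log(`${src}: peak ${v.peak} distinct SMTP destinations (limit ${v.limit}) -> ${v.action}`);
  if (v.action === 'quarantine') quarantineRules(src, '192.0.2.10').forEach(r => console.log('  ' + r));
}
```

Counting distinct destinations rather than raw connections is deliberate: a legitimate client retrying its one submission host never trips the limit, while a bot spraying mail exchangers does within seconds. The exemption list is what keeps the "customers who want to run mail servers" case from being punished by the same rule.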
@AC Re Stupid Adobe
Never mind having a reliable download manager, how about a reliable beta testing, flaw finding/response team? Christ on an AT-AT, Microsoft drag their heels with some updates but Adobe seem positively apathetic. Sadly, without Flash Player, I cannot enjoy my interwebs experience as I should..
Where's the open source equivalent?????
@Henry Wertz Package Managers
Microsoft are too afraid of anti-trust to put in a proper package/update management system for home users. They have a very good solution in WUAU (Windows Update / Automatic Update) but they only use it for first-party software.
They also have package management solutions for you to run your own package database (both free through MSI / Group Policy and for-pay through SMS), but they won't run their own, which forces each different product to have a separate update system on Windows. What's really annoying about that is that many manufacturers use their update system to put out crapware (like Yahoo/Google toolbars) to Windows machines that they get paid for installing.
At least Apple include Flash, Acrobat Reader and Java as first-party installs, so they update those through Apple Software Update on OS X. Microsoft got stopped from including Java as first-party some years ago, and have been sulking about this ever since.
Not used an OS with a package manager then? You are quite free to install any software you damn well choose, but any software you get from a repository will be updated automatically when a new version is available; that includes any third-party repositories you trust (in my case, Sun for VirtualBox). There is no manufacturer's approval process necessary.
Personally, I'm quite happy with the arrangement -- while I have the knowledge to compile applications from source if need be I quite like to spend some of my time using my computer rather than making it work.
He take the biscuits
Why does Firefox not just fix the bug instead of just telling the users about it?
With IE we see that they can fix them quickly with an update the next day and the user is not filled with worries. Why can Firefox not be the same?
I will guess that it is the open source cause of the problem: if the coding man might be on holiday or busy with his exams then they must just put out the notice for a while to warn me not to use Firefox until they fix it? This is why I must pay for my software, for the safety and to be nicely relieved of my tensions.
There are legitimate reasons for using an older version of Flash, such as compatibility testing, research into vulnerabilities, backwards compatibility et al. It would REALLY piss plenty of people off if they found that their test system had been automatically updated for them without any choice in the matter the moment they connect it to the interwebs.
Also, it is not the job of the Mozilla foundation to publish fixes for Adobe. If the bug was in their software, your spiel about IE would make some sense.
Now all that we need...
... is a feature in Flash Player that warns you when you're using an insecure version of Firefox.... :-P
Typical stupid Adobe
It's turned off and on-able for the few times I actually need it.
But I wish they'd sort their software out and provide a better means of updating.
blocking port 25
Has been standard for at least 10 years now.
At one point I was making phone calls to ISPs where spam originated, and half didn't understand what my issue was. Of course back then spam was only 20% of all mail.
I am one of the oldest ISPs in the world, and over the years spam filtering has cost me many, many thousands of dollars.
So, spay and neuter your pets and spammers. The world will be a better place.