Good, but...

This is good, but shouldn't the onus be on Adobe to include a mechanism to check for updates in its Flash Player?

For what its worth, I'm a believer that not applying security updates should be punishable by hard labour. Much like a car needs to pass an annual MOT to be allowed on the road, computers should have to be fully patched to be allowed on the Internet. And yes, a "computing test" is also part of my manifesto, should the people of Britain ever get desperate enough to vote me in as their leader (can't be too far away now...)

Stupid Adobe

It would help if Adobe didn't use shit installer download software - I've tried a few times now to get the latest update and the stupid "getplus" installer takes hours to download it. Maybe it's the servers, maybe it's the "getplus" downloader - all I know is that a company of their size really should have a reliable system!

flaws in the program ?

"Flaws in the program are routinely exploited by criminals to install keyloggers and other malicious software on end-user machines"

Shouldn't that be flaws in the underlying platform allow for the installation of malicious software. That platform invariably being the WinTEL one. The one with the built-in buffer overflow feeture ?

@Mike007

I agree that running the latest version of everything is not always a good idea, that is why I specifically said the latest *security updates*. That is, by all means run old software, just make sure that it has no known vulnerabilities.

(I think we both share the same viewpoint)

Great Idea

I can confirm this has actually already been implemented in Firefox 3.5.3, it recently alerted me to the fact that Mac OS X 10.6 had downgraded my version of Flash and I should upgrade! It's a big banner that appears on first launch on the firefox updated screen

Better one innit

What's *really* needed (short of a simple ban on closed-source software) is for someone to sponsor an Open Source equivalent of the Flash player.

The words "This would never have happened if you had the Source Code" (TWNHHIYHTSC) are as true today as they ever have been.

The oldies

Sad thing is it won't stop my parents calling me up asking if they should install the update...

More hand holding

More hand holding from the browser that is running itself into the ground....

This might only be a subtle feature, but it is yet more bloat being lumped into FF. If users want to be notified of an out of date flash plug in they should put pressure on Adobe to better their proprietary software, Mozilla shouldn't be applying workarounds for Adobe's shortcomings. And besides, if they are checking flash, they might as well check Java. And Quicktime. And.....

If Mozilla wanted to check plug in versions are up to date, they should put that functionality into an extension and make it optional.... Some people don't even install flash, and I haven't for years because of its security track record, and because it is only used for banner ads and on line gimmicks.

Mozilla are ruining FF by chasing IE users to increase the numbers of FF users. The only way to get people who don't care about which browser they use to use your browser is to make a lot of hot air about how easy your browser is to use, and how it will hold your hand on line. FF could have done this by not wrecking their product by simply providing a package of FF and useful extensions for IE migrants (aka new FF users), and a bare browser package for those that want it.

Again : Good, but...

Again, good, still better than nothing. But imagine what most of the ignorant users will do with such a warning.. I can see it very clearly : they will say "ooh what the hell is this???!" and close it so they won't be scared by the announcement anymore.

@DOUG

Are you being a prat on purpose? Most of the holes in the flash plugin are blissfully cross-platform, like the plugin itself.

Anyway, nice idea, I hope MS and Opera pinch it.

Re: ISPs automatically disconnecting customers

This idea is absolutely unworkable and is never going to happen. It may be fine on a corporate network where the local geek (sysadmin) can pop over to the infected user's office and clear things up, but how exactly is your average, clueless home user supposed to sort their own PC out? Especially since they are now disconnected from the net and can thus no longer access the required software to remove the infection. Also, I suppose none of you have had the misfortune to deal with the customer services department of your average ISP? Most can barely speak English let alone guide a newly disconnected user on how best to disinfect their PC!

No, this idea has fail written all over it and I'm surprised others have spoken up in support of it.

But what if the update...

...is itself flawed. I mean, how many Reg articles have been about updates that break stuff?

And BTW, to whoever said Windows is the reason Flash is flawed, it may interest you that Flash exploits have also been able to play hobnob with MacOS and Linux installations, too. As for an open-source version of Flash, I recall that is in progress but is so far behind current versions as to be generally unusable in the field.

@AC (5/9 16:18): Re: ISPs automatically disconnecting customers

With some ISPs you have to authorise each PC before it can get out on the net. Unauthorised PCs display a page explaining that it needs to be authorised and how to do it. A similar approach to PCs thought to be harbouring malware should not be beyond the wit of Man (sic).

Not just alert, but block known unsafe versions.

Abobe are such damned laggards that Mozilla should go further and force the issue, given that Flash regularly compromises Firefox and OS security!

Yes, Adobe should provide a proper updating feature and proper security, but until they do:

* Firefox should disable insecure Flash versions, just like they do with with incompatible extensions and Plugins

* Firefox should nag for a download, just like it does for uninstalled plugins.

* Firefox should show an insecure plugin dialog, if no fixed Flash version is available, to shame Adobe!

* Firefox should run Flash in a separate sand-boxed process, like Java does, to stop its crap code compromising the browser and being a repeated security risk.

BTW, I refuse to have Adobe Acrobat (and Reader) on my PC too, because there are lighter weight, more-secure PDF software available now.

Re: Why isn't it automatic?

> ask the user if they'd like to update, and then take care of the rest when they click yes.

You clearly haven't seen many 'Jo Average' users in action. They normally wade through a shit storm of update dialogue boxes and crapware registration dialogue boxes from the Norton trial version that the PC came with two years ago - hitting "Cancel" because they "don't want to break anything". Every time they switch the machine on.

Maybe more people would install updates...

...if Adobe, and others, stopped puffing out every new version (and yes instead of just issuing security plugs they always create a complete new version) with more and more cruft.

I want a program which plays Flash, not which also offers me a search bar, tea maker, online shopping mall, and numerous other pieces of crap I'll never use! And as for them now pushing their 'download manager' in order to install it... grrr!

21st century

Adobe, while you are at it ... can you also please provide 64-bit versions of Flash for Windows and Mac OS X?

@Mike007

No, no NO!

ISPs should have none of the responsibility for scanning for... well, anything. They should be treated as Common Carriers. Once you allow scanning for anything it'll feature creep. They should be there to provide a connection to the Internet- as suggested by the name "Internet Service Provider"- regardless of which bits of the Internet you want to access or for what purpose.

They should- at most- have the ability to pipe a certain user's data off to the Police or suchlike when presented with a very specific court order.

@Henry Wertz 1

Yes, but if you were the sort of person who would be happy to only ever install software that was part of a package of apps approved by the O/S maker and managed / updated by their tools, WTF would you be doing using a PC anyway?

We already have a perfectly good solution for people who think that way, it's called an iPhone.

money talks

It's actually quite simple to solve this problem. Your Internet connection fees need to be charged by the byte, with itemized bills going out to users that lists the sites/IPs they have connected to. Nothing will make an end user update their software more quickly than being asked to pay for a few gigs worth of botnet traffic; it'd be like discovering your kid has been dialling premium-rate phone numbers and likewise would be shut down immediately. The savvy ISP would then sell a cheap subscription services where they would install patches and updates to the end users. Profit all round, problem solved.

I'd also point out that it would have the delicious side effect of putting all those advertising popups out of business overnight as people would not want to pay for a zillion Netflix pop-unders from casalemedia (etc.). As well as pushing the web to become leaner and lighter, something that is long overdue.

Where will it end

So firefox is going to take on the responsibility of telling people when their non-firefox adobe product isn't up to date. I guess Adobe happy to know they don't need to bother doing that anymore? Why would they build this into the product and not just make it part of some "updates notification" plugin?

So what happens when:

1. The Firefox devs get bored of maintaining this notification service?

2. Why just Adobe, if it's that important then should they do it for all products and add-ins?

The idea is commendable, but ultimately unworkable. They are taking ownership for a task that isn't theirs to own, and will ultimately just create more work for someone who has to keep track or the notifications. If that person goes on holidays, who will do it then?

@adam foxton & never going to happen

It's a good principle but the world is always more complex than that. The Internet is a common effort and ISPs have the responsibility to be good Internet citizens, ie. stop spam and DOS attacks originating from their networks. It is not hard and is done (semi) automatically by some ISPs on their home customer networks. When SMTP outgoing spikes massively you are put in a quarantine network where all port 80 traffic is redirected to a notice page saying your PC is a spam bot. A phone call gets your connection back. Surely UK law mandates that ISPs monitor their networks and keep them in order. They risk losing their business if their house is not in order, or should.

@AC Re Stupid Adobe

Never mind having a reliable download manager, how about a reliable beta testing, flaw finding/response team. Christ on an AT-AT, microsoft drag their heels with some updates but Adobe seem positively apathetic. Sadly, without flash player, i cannot enjoy my interwebs experience as i should..

Where's the open source equivalent?????

@Henry Wertz Package Managers

Microsoft are too afraid of anti-trust to put in a proper package/update management system for home users. They have a very good solution in WUAU (Windows Update / Automatic Update) but they only use it for first-party software.

They also have package management solutions for you to run your own package database (both free through MSI / Group Policy and for-pay through SMS), but they won't run their own, which forces each different product to have a separate update system on Windows. What's really annoying about that is that many manufacturers use their update system to put out crapware (like Yahoo/Google toolbars) to Windows machines that they get paid for installing.

At least Apple include Flash, Acrobat Reader and Java as first-party installs, so they update those through Apple Software Update on OS X. Microsoft got stopped from including Java as first-party some years ago, and have been sulking about this ever since.

@TeeCee

Not used an OS with a package manager then? You are quite free to install any software you damn well choose but any software you get from a repository will be updated automatically when a new version is available -- that includes any third party repositories you trust (in my case, Sun for Virtual Box), there is no manufacturer's approval process necessary.

Personally, I'm quite happy with the arrangement -- while I have the knowledge to compile applications from source if need be I quite like to spend some of my time using my computer rather than making it work.

He take the biscuits

Why Firefox not just fix the bug instead of just tell the users about them?

With the IE we see that they can fix them quick with the update on the next day and user is not filled with worries. Why can the Firefox not be the same?

I will guess that it is the open source cause of problem - if the coding man might be on holiday or busy with his exams then they must just put out the notice for a while to warn me not to use the Firefox until they fix it? This is why I must pay for my software for the safety and to be nicely relieved of my tensions.

@Bob Gateaux

There are legitimate reasons for using an older version of flash, such as compatibility testing, research into vulnerabilities, backwards compatibility et al. It would REALLY piss plenty of people off if they found that thier test system had been automatically updated for them without any choice in the matter the moment they connect it to the interwebs.

Also, it is not the job of the Mozilla foundation to publish fixes for Adobe. If the bug was in their software, your spiel about IE would make some sense.

Now all that we need...

... is a feature in Flash Player that warns you when you're using an insecure version of Firefox.... :-P