Feeds

back to article Mozilla catches half of Firefox users running insecure Flash

More than half of all Firefox users ran an unsafe version of Adobe's Flash Player, according to statistics collected last week as users installed the latest release of the popular open-source browser. Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 …

COMMENTS

This topic is closed for new posts.
Silver badge

use the right language

How not to do it:

> "your current version of Flash Player can cause security and stability issues" [...] "you should update Adobe Flash Player right now."

a bit better:

"Your current version of Flash Player can cause firefox to crash, and is unsafe because it can allow hackers to install their software on your computer which could allow them to collect details of anything you do online, including the websites you browse, the emails you send, your passwords, and any other personal information including details of your internet banking. This information may potentially allow hackers to impersonate you online. You can remove this security risk by updating Adobe Flash Player now, and keeping it up to date."

Should help. Aside from telling them to remove the bloody plugin altogether, which ain't going to happen.

0
0
Thumb Down

My Printer's Ink Level Monitor Needs An Update Too!

I'm 100% positive my flash and jave are out of date, I disable all the shit services at start-up (Quick Annoy/auto annoy/ annoyance trays). I MAY deal with an upgrade when I come to JRE/Flash content that requires a newer version to view. I've found useful alternatives to most bloated apps that update too often and try to run unnecessary services(Jog on Adobe Reader), but JRE and Flash are the biggest sticklers to date. Since I surf behind AB+ and NoScript, sandboxed(sandboxIE) by default, I don't think my risk is all that great. If I'm wrong I'll copy over a fresh VM image or restore the host system's image.

Yeah, I do update the OS, AV, Anti-Spy and firewall, that be well enough for me.

0
0
Linux

Depends on how you installed flash

Those of us who install flash via the Fedora repo downloaded from Adobe's website would be included in the insecure bunch, as Adobe haven't released an updated RPM file for the flash plugin. I'm guessing the other linux distros would be in a similar situation. Come on adobe!

0
0

Bloat contributes to this

As Flash / Acrobat / iTunes / whatever version increment they get bigger and bigger and slower and slower - so even if security flaws are present there's a disincentive to let them upgrade themselves.

0
0
Thumb Down

Yep, I clicked....

...it failed to install.

Meh?

0
0
J 3
IT Angle

@use the right language

...and Joe A. Public fell asleep around the 4th word of the third line...

0
0
FAIL

Flash installer won't completely update

They shouldn't be so quick to blame users for this. Think Adobe set me up for this problem. Still have the vulnerability and am supposedly updated to the latest version. No matter how many times I've updated Flash, it has never been able to get rid of a vulnerable Flash10b.ocx file. It and FlashUtil10b.exe were somehow installed as read-only during a Flash upgrade earlier this year. Uninstall doesn't delete them. I've never been able to change the attribute, even using some tricks that MS technet and other 'experts' out there claim should work. Always get 'access denied' when I try. All this on an otherwise pretty solid WinXP SP3 machine where I've always been the user and have always logged in as admin. (There have never been any other users.) So far, the only solution that Adobe, MS and other tech sites speak of as a 'can't fail' is mess with the registry. And I'm about ready to try that as a last resort, but will only do so after I've had time to build an adequate 'safety net' before delving into such a potentially risky activity. What has me so ticked is the fact that every time I've tried to uninstall / reinstall Flash (just did so again a few minutes ago), it never tells me that it was unable to delete and upgrade the vulnerable file. If my Kaspersky Internet Security didn't tell me differently, Adobe's updates would lead me to believe that I'm safe. For now I use Flashblock and only enable Flash where I think / hope I'm safe.

0
0
Thumb Down

Flash10 is crap

I would never update to Flash10 again. Flash 10 is a piece of crap. After upgrading to 10 (I have 1G ram and a 2.4G cpu), a lot of web site can't play video properly as before. The videos hang at some point at 100% cpu load. What a crap. Yes It support 3d effect but it is of no use to me. I want my video back.

0
0
Bronze badge

re. Bloat contributes to this

Fully agree. Not to be a Linux fanboi too much, as it has some rough edges. But, one really nice thing w. Ubuntu is its self-patching system that gets all the patches, for all your system and _application_ files. Of course, sometimes Ubuntu lags behind in application releases (ahem... Eclipse 3.2??? ).

On Windows, it would be so much better if there was a central system for apps, not just MS's, to register themselves and poll their respective servers for updates. Because, frankly, I am sick of every stupid vendor running its own little resident turds at startup.

Well, as long as they didn't go fully the MS route and require a reboot after each update.

Good job, Mozilla!

0
0
Bronze badge
WTF?

Fedora rpm out of date?

Well on Fedora 11, rpm -qi flash-plugin reports:

Name : flash-plugin Relocations: (not relocatable)

Version : 10.0.32.18 Vendor: Adobe Systems Inc.

Release : release Build Date: Sat 18 Jul 2009 04:10:18 BST

Install Date: Thu 30 Jul 2009 23:00:16 BST Build Host: fplayerbuild4-lnx.labs.corp.adobe.com

Group : Applications/Internet Source RPM: flash-plugin-10.0.32.18-release.src.rpm

Size : 10323979 License: Commercial

Signature : DSA/SHA1, Fri 24 Jul 2009 17:57:44 BST, Key ID 3a69bd24f6777c67

Packager : Adobe Systems Inc.

URL : http://www.adobe.com/downloads/

Summary : Adobe Flash Player 10.0

Description :

Adobe Flash Plugin 10.0.32.18

Fully Supported: Mozilla SeaMonkey 1.0+, Firefox 1.5+, Mozilla 1.7.13+

which looks pretty up to date to me...

0
0
Flame

What page?

Perhaps if they hadn't the habit of always showing a useless "your firefox have been upgraded, you're running the most secure and advanced browser in the whole history of browsers(welcome to the community, we thank you for your choice BLAH BLAH BLAH)" page every time you start firefox after it's been upgraded, then perhaps I would read it at least a bit before thinking "you bloody bloatware you waste my time".

Why people did not click is IMHO simply because they did not read.

0
0
Anonymous Coward

McAfee security opt-out

The best os that you are directed to an Adobe web page with the McAfee security program checked by default, I wonder how much Adobe will make off of this? I wish Firefox would just direct link to the download rather than Adobe's BS page.

0
0
Silver badge

Theres a safe version of Flash?

Yup flashblock!

0
0
WTF?

FlashBlock can't block Flash ATTACKS

@Tom7:

FlashBlock is fine and dandy as an annoyance blocker, but it's not reliable for security.

You need NoScript for that:

http://hackademix.net/2008/06/08/block-rick/

0
0
FAIL

@BlueGreen "use the right language"

TL;DR.

0
0
Alert

@Jae_Allyn

Yeah this annoyed me when I uninstalled flash off a machine & it still left it's main entrails on my hard disk. For some reason they add a "deny" into the NTFS ownership/access settings. Not even the sysinternals delete next reboot tool will kill it... until...

As an adminitrator take ownership of the offending file & remove the deny access. Then you can delete it, yey! (In XP, turn off "simple file sharing" in tools->folder options to make the security tab appear in the file properties dialog - then fiddle, or if you are feeling brave use the command prompt!)

Adobe products have always been irritating. Acrobat reader leaves all the uncompressed install files 100Mb of them on your HD hidden away and reinstalles speed-launcher every minor upgrade. I'll download a new installer when I want to upgrade, thanks Adobe! Dreamweaver (CS3) installs Bonjour for some reason (can you remove it without breaking DW? anyone know??). Flash is irritating!

I personally don't have it (or Silverlight) installed for Firefox. Cleaner nicer faster loading web pages. With ABP very few adverts. Very few companies have flash only websites anymore (probably figured out what a waste of bandwidth it was) and I can simply load IE up which I do have flash installed for when I want to watch a youtube video of a monkey flicking poo.

0
0
WTF?

Insecure Flash

There's a safe version?

0
0
Gold badge
Troll

35% can be a good thing.....

So a load of FF users got an unexpected popup saying something like "Oh noes, is sekurrity risk detected in softwarez xx, clicky here for safety upgard nows!!" and only 35% clicked on it?

My, things are looking up!

Presumably those 35% are the ones whose machines are malware laden shiteboxen equipped with a FREE!!!!11!! antivirus scanner telling 'em that everything's ok...

0
0
Megaphone

Ultimate User Experience

Surely for the ultimate user experience the updates should not only be automatic but silent as well?

Nothing more anoying than when I turn my PC on to do a specfic task and I have to spend 20 mins wading through the various crapware update requests before I can get on with what i wanted to do in the first place.

Computers are just tools (not that kind) to most people; they don't want to be fannying around updating stuff every bloody day. Firefox, for example, should just get on with bloody updating and stop asking! If all these updates are as important as they say they are, what better way to get nearly 100% take-up?

0
0
Silver badge

I was out of date...

...and I think I am pretty good at keeping my system up-to-date. As it was, it took about 3 attempts to get the upgrade to work. I never checked to see if the vulnerable files were removed, but I get now warnings from scans - I'll check manually tonight.

It would be better if Windows had a Debian-like package system where everything can be kept up to date. It's stupid for each vendor/application to have to run it's own update service or check on every launch; how much time is lost with that crap?

Such a package/repository system can only ever be as good as whoever is managing said packages though. Ubuntu, for instance, is lagging behind with FireFox and other applications.

I can totally understand Canonical wanting to keep Ubuntu on a controlled, six month cycle but FF is an *app*, it should have dick to do with the OS (which would be kernel, X, gnome/kde, samba etc to most users). Why are the apps allowed to be the latest and greatest?

As for Adobe...I just wish there was an alternative.

0
0

use the right language

"Oops, I just crashed because you are using an out of date version of flash player? Update now?"

0
0
Bronze badge
WTF?

Fucking marvelous

I upgraded to FF 3.5.3 on my EEE 701, it complained about the out of date flash 9.something, I ignored that as I tried a 10.x flash previously and it was too slow for the poor little thing. However now it just hangs when it comes across any flash content.

I gave in and tried installing flash by clicking on the missing plug-ins bar, that failed both as user and root, a manual install from the Abobe hasn't worked either. So now I'm without flash and can't access half the sites I need to.

Mozilla aint Microsoft, leave our plug-ins the fuck alone, we are running things the way we are for a reason.

0
0
DJL
Linux

Update success?

Having read the original article on here I instantly clicked the update link when I appeared (if I ahdnt read the artciel I probably would have missed it due to always seeing that oage on every upgrade...)

I installed from the RPM provided but next time I started firefox - same message.

So now I dont know whether the update failed (I tried again and was told it was already installed) or whether the version detection is not working right?

Maybe I have 2 versions installed and firefox is somehow getting hold of the wrong version?

I originally installed firefox from the SUSE repositories but I had to get firefox 3.5 from a binary package (which sits in my home directory) - so I have 2 versions of firefox coexisting happily - maybe this is why? This being the case it should be easily solved by having firefox prompt for the root password to do an update of itself...

I also run flashblock so I consider myself to be *reasonably* safe...

0
0
Silver badge

FlashBlock can't block Flash ATTACKS - neither can NoScript

I use no-script but most windows users I know find it too complicated and allow everything anyway.

0
0
Heart

NoScript

The only truly safe plugin for Firefox.

0
0
Bronze badge

Popup every time it is used?

Perhaps they should put a popup on every page that uses flash.

You have an old insecure version of flash.

> update the flash plugin

> don't allow flash on this page

> disable the flash plugin

> temporarily allow flash on this page

0
0
Flame

Too hard

I see the squeals of pain from trying to update just one machine with these updates.....

What are we supposed to do when "our machines" are thousands in a corporate environment, and the users of those machines have no clue what all this is even about.....

0
0
Pint

Insane Shooter

Hey, a lot of you fellow Window's users could avoid a lot of headaches involved when keeping

non core applications up to date if you used this:

http://secunia.com/vulnerability_scanning/

Secunia scan works great for me. Been using it for some years now. Browser version works fine but I prefer the full (free as in beer) installed version as it does a better scan.

I don't' farking fuss so much over keeping track of the irresponsible jackwads at Adobe and Apple (quicktime nightmare)

And why does thee register have different logins/paswords for this Channel register than on the register site?

WTF.

and a host of other packages like I used to do. THis tool just lets me have some resemblance

of peace of mind by reminding me something is 'out of date' security wise.

Is it the answer to safe computing? No, but it sure helps me.

0
0
FAIL

incorrect detection

FF incorrectly decided I had an out-of-date version... but was running the latest. so perhaps they have quite a few other false positives!

0
0
Silver badge
FAIL

False Positives

I'm was running the latest version of Flash put when I upgraded (forcibly) I clicked on the link and it failed to reinstall Flash and gave a cryptic error message instead. Poor error handling and a for 100% certain false positive on Flash version detection from Firefox.

I suspect Firefox is beginning to run into the same difficulties IE hit years ago - keep users happy and secure without causing bloat or slowing down their online experience, sooner or later everyone ends up at the same place - there is no real innovation in the browser market except Opera (hahahahaha, just kidding about the Opera thing)

For a minute FF had a nice thing going but the constant updates, massive resource use, and general incompatibility problems with many websites and random weirdness, I'm about ready to go back to IE full time. There's really not much of a difference anymore.

0
0

Why would folks NOT upgrade flash?

Greetings and Salutations...

Well, I spent several days last week cleaning a particularly nasty worm off one client's computer that got its hooks into the system via a YouTube video that CLAIMED that they needed to upgrade their flash player to view. This sort of thing makes a person gunshy about updating, and, the average user cannot always tell when it is a legitimate upgrade suggestion, or, a foul piece of code trying to screw up their system.

It was bad enough that I ended up having to wipe the hard drive, and do a clean install of Windows to get rid of it.

0
0
Thumb Down

How many who were flagged really need to upgrade?

On my other system, used for archiving and a few online functions (but not anything that plays Flash stuff), I go the message when I updated Firefox. So I'm one who was flagged, but so what? Can a rogue push malware to Flash without my accessing a bad web site?

0
0
FAIL

Which Flash are we talking about here?

I am one of the "guilty". Why? I didn't know the answer to too many questions when presented with the flash upgrade notice by the Firefox update:

Does Firefox use it's own version of Flash? Well fine. But I'm not going to use multiple different mechanisms to upgrade the same piece of software - that way lies madness (and broken systems). It would make sense to use the flash that comes on my mac "natively" and appears to be upgraded along with Safari.

Does Adobe have a reputation for installing sneak extras? I had just read an article in el Reg which I recalled as indicating the answer to this was not clear. If I cannot trust vendors not to secretly install bloatware or adware, it is effectively a security problem because I will tend to avoid security upgrades. (Not that we are in much doubt as to Adobe's reputation when it comes to security, but the point is still worth making.)

I was about to do a Mac update which included an Adobe update, but I did the Firefox one first because it didn't require a reboot, so yes, probably my Flash was out of date when I did it. Was it going to be out of date after the Apple update had run?

If Mozilla want to help me get to the bottom of the long-running Flash security nightmare, then give me an easy path from their front page to a page which checks the standard OS place (and their own location if it is different) and gives me a version difference and links to further info if I want it, and information as to any hidden extras that the supplier is trying to fnord. We seem to have reached the point where in pandering to those who want an easy one-click solution to security updates means that those of us who do know what is going on don't have enough information to make informed decisions about our upgrade risks unless we make it a career.

0
0
Thumb Up

@@Jae_Allyn

I was going to say throw me an e-mail and I will tell you how to remove it mainly because Im at work and didnt feel like typing that much but I see Chris M has beat me to it :) Anyway what he said should work and if all else fails try the Flash removal tool from adobe (found here: http://kb2.adobe.com/cps/141/tn_14157.html) other then that umm....BFU should work as well

0
0
FAIL

MacOS 10.6.0 Users get the warning

Just to note, when you install MacOS 10.6.0 your Flash PlugIn is AUTOMATICALLY replaced with a downlevel copy of the file EVEN IF you had the correct current version. Thus you get this warning. The just released MacOS 10.6.1 upgrade corrects the problem by installing the correct version of the PlugIn. This problem is only 50% Apple's Fault since after the time 10.6.0 went "Golden Master" and the DVDs were being pressed, Adobe issued the newer Version (so it was not able to be on the DVD). The part that Apple is IMO responsible for is the installer's failure to do a sanity/version check and bypass the PlugIn install if it found a newer version already installed.

0
0
Pirate

Re: use the right language

s/hacker/cracker or script kiddie/; s/remove/mitigate/

There. That should do it :-)

0
0
This topic is closed for new posts.