Mozilla catches half of Firefox users running insecure Flash

More than half of all Firefox users ran an unsafe version of Adobe's Flash Player, according to statistics collected last week as users installed the latest release of the popular open-source browser. Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than …

COMMENTS

This topic is closed for new posts.
  1. BlueGreen

    use the right language

    How not to do it:

    > "your current version of Flash Player can cause security and stability issues" [...] "you should update Adobe Flash Player right now."

    a bit better:

    "Your current version of Flash Player can cause Firefox to crash, and is unsafe because it can allow hackers to install their software on your computer which could allow them to collect details of anything you do online, including the websites you browse, the emails you send, your passwords, and any other personal information including details of your internet banking. This information may potentially allow hackers to impersonate you online. You can remove this security risk by updating Adobe Flash Player now, and keeping it up to date."

    Should help. Aside from telling them to remove the bloody plugin altogether, which ain't going to happen.

  2. tuna 1
    Thumb Down

    My Printer's Ink Level Monitor Needs An Update Too!

    I'm 100% positive my Flash and Java are out of date, I disable all the shit services at start-up (Quick Annoy/auto annoy/ annoyance trays). I MAY deal with an upgrade when I come to JRE/Flash content that requires a newer version to view. I've found useful alternatives to most bloated apps that update too often and try to run unnecessary services (Jog on Adobe Reader), but JRE and Flash are the biggest sticklers to date. Since I surf behind AB+ and NoScript, sandboxed (Sandboxie) by default, I don't think my risk is all that great. If I'm wrong I'll copy over a fresh VM image or restore the host system's image.

    Yeah, I do update the OS, AV, Anti-Spy and firewall, that be well enough for me.

  3. Anonymous Coward
    Linux

    Depends on how you installed flash

    Those of us who install Flash via the Fedora repo downloaded from Adobe's website would be included in the insecure bunch, as Adobe haven't released an updated RPM file for the Flash plugin. I'm guessing the other Linux distros would be in a similar situation. Come on, Adobe!

  4. Simon 49

    Bloat contributes to this

    As Flash / Acrobat / iTunes / whatever versions increment, they get bigger and bigger and slower and slower - so even if security flaws are present there's a disincentive to let them upgrade themselves.

  5. Anonymous Coward
    Thumb Down

    Yep, I clicked....

    ...it failed to install.

    Meh?

  6. J 3
    IT Angle

    @use the right language

    ...and Joe A. Public fell asleep around the 4th word of the third line...

  7. Jae_Allyn
    FAIL

    Flash installer won't completely update

    They shouldn't be so quick to blame users for this. Think Adobe set me up for this problem. Still have the vulnerability and am supposedly updated to the latest version. No matter how many times I've updated Flash, it has never been able to get rid of a vulnerable Flash10b.ocx file. It and FlashUtil10b.exe were somehow installed as read-only during a Flash upgrade earlier this year. Uninstall doesn't delete them. I've never been able to change the attribute, even using some tricks that MS technet and other 'experts' out there claim should work. Always get 'access denied' when I try. All this on an otherwise pretty solid WinXP SP3 machine where I've always been the user and have always logged in as admin. (There have never been any other users.) So far, the only solution that Adobe, MS and other tech sites speak of as a 'can't fail' is mess with the registry. And I'm about ready to try that as a last resort, but will only do so after I've had time to build an adequate 'safety net' before delving into such a potentially risky activity. What has me so ticked is the fact that every time I've tried to uninstall / reinstall Flash (just did so again a few minutes ago), it never tells me that it was unable to delete and upgrade the vulnerable file. If my Kaspersky Internet Security didn't tell me differently, Adobe's updates would lead me to believe that I'm safe. For now I use Flashblock and only enable Flash where I think / hope I'm safe.

  8. Anonymous Coward
    Thumb Down

    Flash10 is crap

    I would never update to Flash 10 again. Flash 10 is a piece of crap. After upgrading to 10 (I have 1G RAM and a 2.4G CPU), a lot of web sites can't play video properly as before. The videos hang at some point at 100% CPU load. What a crap. Yes, it supports 3D effects but it is of no use to me. I want my video back.

  9. Jean-Luc

    re. Bloat contributes to this

    Fully agree. Not to be a Linux fanboi too much, as it has some rough edges. But, one really nice thing w. Ubuntu is its self-patching system that gets all the patches, for all your system and _application_ files. Of course, sometimes Ubuntu lags behind in application releases (ahem... Eclipse 3.2??? ).

    On Windows, it would be so much better if there was a central system for apps, not just MS's, to register themselves and poll their respective servers for updates. Because, frankly, I am sick of every stupid vendor running its own little resident turds at startup.

    Well, as long as they didn't go fully the MS route and require a reboot after each update.

    Good job, Mozilla!

  10. Anonymous Coward
    WTF?

    Fedora rpm out of date?

    Well on Fedora 11, rpm -qi flash-plugin reports:

        Name : flash-plugin Relocations: (not relocatable)
        Version : 10.0.32.18 Vendor: Adobe Systems Inc.
        Release : release Build Date: Sat 18 Jul 2009 04:10:18 BST
        Install Date: Thu 30 Jul 2009 23:00:16 BST Build Host: fplayerbuild4-lnx.labs.corp.adobe.com
        Group : Applications/Internet Source RPM: flash-plugin-10.0.32.18-release.src.rpm
        Size : 10323979 License: Commercial
        Signature : DSA/SHA1, Fri 24 Jul 2009 17:57:44 BST, Key ID 3a69bd24f6777c67
        Packager : Adobe Systems Inc.
        URL : http://www.adobe.com/downloads/
        Summary : Adobe Flash Player 10.0
        Description :
        Adobe Flash Plugin 10.0.32.18
        Fully Supported: Mozilla SeaMonkey 1.0+, Firefox 1.5+, Mozilla 1.7.13+

    which looks pretty up to date to me...

  11. Anonymous Coward
    Flame

    What page?

    Perhaps if they hadn't the habit of always showing a useless "your firefox have been upgraded, you're running the most secure and advanced browser in the whole history of browsers(welcome to the community, we thank you for your choice BLAH BLAH BLAH)" page every time you start firefox after it's been upgraded, then perhaps I would read it at least a bit before thinking "you bloody bloatware you waste my time".

    Why people did not click is IMHO simply because they did not read.

  12. Anonymous Coward
    Anonymous Coward

    McAfee security opt-out

    The best is that you are directed to an Adobe web page with the McAfee security program checked by default; I wonder how much Adobe will make off of this? I wish Firefox would just direct link to the download rather than Adobe's BS page.

  13. Tom 7

    There's a safe version of Flash?

    Yup flashblock!

  14. Anonymous Coward
    WTF?

    FlashBlock can't block Flash ATTACKS

    @Tom7:

    FlashBlock is fine and dandy as an annoyance blocker, but it's not reliable for security.

    You need NoScript for that:

    http://hackademix.net/2008/06/08/block-rick/

  15. Graham 15
    FAIL

    @BlueGreen "use the right language"

    TL;DR.

  16. Anonymous Coward
    Alert

    @Jae_Allyn

    Yeah this annoyed me when I uninstalled Flash off a machine & it still left its main entrails on my hard disk. For some reason they add a "deny" into the NTFS ownership/access settings. Not even the Sysinternals delete-next-reboot tool will kill it... until...

    As an administrator take ownership of the offending file & remove the deny access. Then you can delete it, yey! (In XP, turn off "simple file sharing" in Tools->Folder Options to make the Security tab appear in the file properties dialog - then fiddle, or if you are feeling brave use the command prompt!)

    Adobe products have always been irritating. Acrobat Reader leaves all the uncompressed install files, 100Mb of them, on your HD hidden away and reinstalls speed-launcher every minor upgrade. I'll download a new installer when I want to upgrade, thanks Adobe! Dreamweaver (CS3) installs Bonjour for some reason (can you remove it without breaking DW? anyone know??). Flash is irritating!

    I personally don't have it (or Silverlight) installed for Firefox. Cleaner nicer faster loading web pages. With ABP very few adverts. Very few companies have flash only websites anymore (probably figured out what a waste of bandwidth it was) and I can simply load IE up which I do have flash installed for when I want to watch a youtube video of a monkey flicking poo.
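
    A check for the leftover-file problem this post describes, added here as an example and not code from the thread: it lists any Deny entries on a file's ACL and, with -Fix, performs the take-ownership / remove-deny / delete steps above using takeown.exe and icacls.exe. It assumes Windows Vista or later (where both tools are built in) and an elevated PowerShell session; the default path is a placeholder.

```powershell
# Added example (not from the original thread). Inspects one file for Deny ACEs
# and, when -Fix is given, takes ownership, removes the Deny entries, grants the
# Administrators group full control, clears read-only and deletes the file.
# Assumes Vista or later and an elevated PowerShell session. The default path is
# a placeholder; pass the real leftover file with -Path.
param(
    [string]$Path = 'C:\path\to\leftover\Flash10b.ocx',   # placeholder path
    [switch]$Fix
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "No such file: $Path"
    return
}

$item = Get-Item -LiteralPath $Path -Force
$acl  = Get-Acl -LiteralPath $Path
Write-Host "File:       $Path"
Write-Host "Owner:      $($acl.Owner)"
Write-Host "Attributes: $($item.Attributes)"

# NTFS evaluates Deny ACEs before Allow ACEs, so one Deny covering Delete (or
# Full Control) blocks removal even for an administrator until it is stripped.
$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -eq 0) {
    Write-Host 'No Deny entries found; a plain Remove-Item -Force should suffice.'
} else {
    foreach ($ace in $denies) {
        Write-Host ('Deny  {0,-30} {1}' -f $ace.IdentityReference, $ace.FileSystemRights)
    }
}

if (-not $Fix) {
    Write-Host 'Re-run with -Fix to take ownership, strip the Deny entries and delete.'
    return
}

# 1. Take ownership (the Owner dialog on the Security tab, as in the post).
#    The owner always holds WRITE_DAC, so the ACL can then be edited.
& takeown.exe /f $Path | Out-Null
# 2. Remove every Deny ACE by principal; /remove:d touches only deny entries.
foreach ($ace in $denies) {
    & icacls.exe $Path /remove:d "$($ace.IdentityReference)" | Out-Null
}
# 3. Grant BUILTIN\Administrators (well-known SID S-1-5-32-544) full control so
#    the delete is permitted regardless of what Allow entries remained.
& icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
# 4. Clear the read-only attribute the post reports, then delete.
$item.IsReadOnly = $false
Remove-Item -LiteralPath $Path -Force
if (Test-Path -LiteralPath $Path) {
    Write-Host "Still present: $Path (file in use? retry after a reboot)"
} else {
    Write-Host "Deleted: $Path"
}
```

    Run it once without -Fix first: the listing alone tells you whether a Deny entry, a missing Allow entry, or simply an open handle is what keeps the file in place.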

  17. Anonymous Coward
    WTF?

    Insecure Flash

    There's a safe version?

  18. TeeCee Gold badge
    Troll

    35% can be a good thing.....

    So a load of FF users got an unexpected popup saying something like "Oh noes, is sekurrity risk detected in softwarez xx, clicky here for safety upgard nows!!" and only 35% clicked on it?

    My, things are looking up!

    Presumably those 35% are the ones whose machines are malware laden shiteboxen equipped with a FREE!!!!11!! antivirus scanner telling 'em that everything's ok...

  19. Jay Castle
    Megaphone

    Ultimate User Experience

    Surely for the ultimate user experience the updates should not only be automatic but silent as well?

    Nothing more annoying than when I turn my PC on to do a specific task and I have to spend 20 mins wading through the various crapware update requests before I can get on with what I wanted to do in the first place.

    Computers are just tools (not that kind) to most people; they don't want to be fannying around updating stuff every bloody day. Firefox, for example, should just get on with bloody updating and stop asking! If all these updates are as important as they say they are, what better way to get nearly 100% take-up?

  20. The BigYin

    I was out of date...

    ...and I think I am pretty good at keeping my system up-to-date. As it was, it took about 3 attempts to get the upgrade to work. I never checked to see if the vulnerable files were removed, but I get no warnings from scans - I'll check manually tonight.

    It would be better if Windows had a Debian-like package system where everything can be kept up to date. It's stupid for each vendor/application to have to run its own update service or check on every launch; how much time is lost with that crap?

    Such a package/repository system can only ever be as good as whoever is managing said packages though. Ubuntu, for instance, is lagging behind with Firefox and other applications.

    I can totally understand Canonical wanting to keep Ubuntu on a controlled, six month cycle but FF is an *app*, it should have dick to do with the OS (which would be kernel, X, gnome/kde, samba etc to most users). Why are the apps allowed to be the latest and greatest?

    As for Adobe...I just wish there was an alternative.

  21. Sam Liddicott

    use the right language

    "Oops, I just crashed because you are using an out of date version of flash player? Update now?"

  22. druck Silver badge
    WTF?

    Fucking marvelous

    I upgraded to FF 3.5.3 on my EEE 701, it complained about the out of date flash 9.something, I ignored that as I tried a 10.x flash previously and it was too slow for the poor little thing. However now it just hangs when it comes across any flash content.

    I gave in and tried installing Flash by clicking on the missing plug-ins bar, that failed both as user and root, a manual install from Adobe hasn't worked either. So now I'm without Flash and can't access half the sites I need to.

    Mozilla ain't Microsoft, leave our plug-ins the fuck alone, we are running things the way we are for a reason.

  23. DJL
    Linux

    Update success?

    Having read the original article on here I instantly clicked the update link when it appeared (if I hadn't read the article I probably would have missed it due to always seeing that page on every upgrade...)

    I installed from the RPM provided but next time I started Firefox - same message.

    So now I don't know whether the update failed (I tried again and was told it was already installed) or whether the version detection is not working right?

    Maybe I have 2 versions installed and firefox is somehow getting hold of the wrong version?

    I originally installed firefox from the SUSE repositories but I had to get firefox 3.5 from a binary package (which sits in my home directory) - so I have 2 versions of firefox coexisting happily - maybe this is why? This being the case it should be easily solved by having firefox prompt for the root password to do an update of itself...

    I also run flashblock so I consider myself to be *reasonably* safe...

  24. Tom 7

    FlashBlock can't block Flash ATTACKS - neither can NoScript

    I use no-script but most windows users I know find it too complicated and allow everything anyway.

  25. KroSha
    Heart

    NoScript

    The only truly safe plugin for Firefox.

  26. Jess

    Popup every time it is used?

    Perhaps they should put a popup on every page that uses flash.

    You have an old insecure version of flash.

    > update the flash plugin

    > don't allow flash on this page

    > disable the flash plugin

    > temporarily allow flash on this page

  27. Estariel
    Flame

    Too hard

    I see the squeals of pain from trying to update just one machine with these updates.....

    What are we supposed to do when "our machines" are thousands in a corporate environment, and the users of those machines have no clue what all this is even about.....

  28. SoltanGris
    Pint

    Insane Shooter

    Hey, a lot of you fellow Windows users could avoid a lot of headaches involved when keeping non core applications up to date if you used this:

    http://secunia.com/vulnerability_scanning/

    Secunia scan works great for me. Been using it for some years now. Browser version works fine but I prefer the full (free as in beer) installed version as it does a better scan.

    I don't farking fuss so much over keeping track of the irresponsible jackwads at Adobe and Apple (QuickTime nightmare) and a host of other packages like I used to do. This tool just lets me have some resemblance of peace of mind by reminding me something is 'out of date' security wise.

    Is it the answer to safe computing? No, but it sure helps me.

    And why does the Register have different logins/passwords for this Channel Register than on the Register site?

    WTF.

  29. Matt 75
    FAIL

    incorrect detection

    FF incorrectly decided I had an out-of-date version... but I was running the latest. So perhaps they have quite a few other false positives!

  30. Solomon Grundy
    FAIL

    False Positives

    I was running the latest version of Flash but when I upgraded (forcibly) I clicked on the link and it failed to reinstall Flash and gave a cryptic error message instead. Poor error handling and a 100% certain false positive on Flash version detection from Firefox.

    I suspect Firefox is beginning to run into the same difficulties IE hit years ago - keep users happy and secure without causing bloat or slowing down their online experience, sooner or later everyone ends up at the same place - there is no real innovation in the browser market except Opera (hahahahaha, just kidding about the Opera thing)

    For a minute FF had a nice thing going but the constant updates, massive resource use, and general incompatibility problems with many websites and random weirdness, I'm about ready to go back to IE full time. There's really not much of a difference anymore.

  31. Dave Mundt

    Why would folks NOT upgrade flash?

    Greetings and Salutations...

    Well, I spent several days last week cleaning a particularly nasty worm off one client's computer that got its hooks into the system via a YouTube video that CLAIMED that they needed to upgrade their flash player to view. This sort of thing makes a person gunshy about updating, and, the average user cannot always tell when it is a legitimate upgrade suggestion, or, a foul piece of code trying to screw up their system.

    It was bad enough that I ended up having to wipe the hard drive, and do a clean install of Windows to get rid of it.

  32. dreamingspire
    Thumb Down

    How many who were flagged really need to upgrade?

    On my other system, used for archiving and a few online functions (but not anything that plays Flash stuff), I got the message when I updated Firefox. So I'm one who was flagged, but so what? Can a rogue push malware to Flash without my accessing a bad web site?

  33. Anonymous Coward
    FAIL

    Which Flash are we talking about here?

    I am one of the "guilty". Why? I didn't know the answer to too many questions when presented with the flash upgrade notice by the Firefox update:

    Does Firefox use its own version of Flash? Well fine. But I'm not going to use multiple different mechanisms to upgrade the same piece of software - that way lies madness (and broken systems). It would make sense to use the Flash that comes on my Mac "natively" and appears to be upgraded along with Safari.

    Does Adobe have a reputation for installing sneak extras? I had just read an article in el Reg which I recalled as indicating the answer to this was not clear. If I cannot trust vendors not to secretly install bloatware or adware, it is effectively a security problem because I will tend to avoid security upgrades. (Not that we are in much doubt as to Adobe's reputation when it comes to security, but the point is still worth making.)

    I was about to do a Mac update which included an Adobe update, but I did the Firefox one first because it didn't require a reboot, so yes, probably my Flash was out of date when I did it. Was it going to be out of date after the Apple update had run?

    If Mozilla want to help me get to the bottom of the long-running Flash security nightmare, then give me an easy path from their front page to a page which checks the standard OS place (and their own location if it is different) and gives me a version difference and links to further info if I want it, and information as to any hidden extras that the supplier is trying to fnord. We seem to have reached the point where in pandering to those who want an easy one-click solution to security updates means that those of us who do know what is going on don't have enough information to make informed decisions about our upgrade risks unless we make it a career.

  34. James O'Brien
    Thumb Up

    @Jae_Allyn

    I was going to say throw me an e-mail and I will tell you how to remove it, mainly because I'm at work and didn't feel like typing that much, but I see Chris M has beat me to it :) Anyway what he said should work and if all else fails try the Flash removal tool from Adobe (found here: http://kb2.adobe.com/cps/141/tn_14157.html) other than that umm....BFU should work as well

  35. Robert A. Rosenberg
    FAIL

    MacOS 10.6.0 Users get the warning

    Just to note, when you install MacOS 10.6.0 your Flash PlugIn is AUTOMATICALLY replaced with a downlevel copy of the file EVEN IF you had the correct current version. Thus you get this warning. The just released MacOS 10.6.1 upgrade corrects the problem by installing the correct version of the PlugIn. This problem is only 50% Apple's Fault since after the time 10.6.0 went "Golden Master" and the DVDs were being pressed, Adobe issued the newer Version (so it was not able to be on the DVD). The part that Apple is IMO responsible for is the installer's failure to do a sanity/version check and bypass the PlugIn install if it found a newer version already installed.

  36. Quirkafleeg
    Pirate

    Re: use the right language

    s/hacker/cracker or script kiddie/; s/remove/mitigate/

    There. That should do it :-)
