Why can't firefox and Flash player get YOUR ACT TOGETHER?
Why is every version of Flash player a security risk? Why can't firefox and Flash player get YOUR ACTS TOGETHER? I think I'd rather risk a security weakness rather than put up with this dysfunctional relationship between these groups. This has been going on for YEARS! Do I have to DUMP firefox and go with another browser?
All Replies (8)
I know it's frustrating. Here's my understanding:
Firefox is open source software that allows anyone to see its internal code and make modifications. Companies using proprietary IP protection for their plugins generally do NOT allow their stuff to be bundled with Firefox because they do not want to give away the internal code of their plugins to users.
Chrome and Edge don't have that limitation since they have proprietary licenses. They have arranged with Adobe to quietly keep their versions of Flash up-to-date in the background.
So with Firefox, Flash will always be a separate thing to update. But the Flash installer sets up an auto-updater on your system which I think runs at Windows startup, so you should not be constantly having to manage Flash updates manually if Adobe's software is running normally. ??
Capwinder said
Why is every version of Flash player a security risk? Why can't firefox and Flash player get YOUR ACTS TOGETHER? I think I'd rather risk a security weakness rather than put up with this dysfunctional relationship between these groups. This has been going on for YEARS! Do I have to DUMP firefox and go with another browser?
The Flash Player has had critical vulnerabilities with proven in-the-wild exploits at times in almost all versions of the different types of Flash Players from Adobe since Dec 2014.
https://helpx.adobe.com/security.html
Mozilla would prefer not to put versions of NPAPI Flash Player on the blocklist, as Mozilla did not put any Flash Player versions on the blocklist for a period between Feb/Mar 2013 and Dec 2014, as the security concerns in Flash Player were not severe enough to warrant doing so then. The problem is that when versions were added to the blocklist in Dec 2014 for click-to-play soft blocking, so many people were still using an old version of Flash Player from early 2013 because they never bothered to update. https://addons.mozilla.org/blocked/
That might very well be, but why is the latest version of firefox blocking the latest version of flash?
Capwinder said
That might very well be, but why is the latest version of firefox blocking the latest version of flash?
By blocking, do you mean you can't adjust its global permission to the desired option on the Add-ons page? Either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
In the left column, click Plugins. On the right side, look for "Shockwave Flash" and check the permissions control:
- "Always Activate" - default when Flash is first detected, unless it is vulnerable
- "Ask to Activate" - default for other plugins and for Flash if it's vulnerable
- "Never Activate" - rarely selected by Firefox
Firefox always places flash in the Ask to activate category. I updated flash 2 weeks ago to v23 something and it is still "vulnerable", according to firefox. My initial question still stands, why can't these groups work together to end this. Is firefox being too paranoid or is Adobe saying there is nothing wrong with flash?
Capwinder said
Is firefox being too paranoid or is Adobe saying there is nothing wrong with flash?
Firefox only wants what's best for you and other users.
Adobe Flash may have other interests.
(edited: jscher2000 pointed out to me that Oracle is not the company behind Adobe Flash; thank you, jscher2000)
I always keep Flash on Ask to Activate myself for security/load speed/reduced annoyance reasons. Therefore, I don't have personal knowledge of exactly how it works when you prefer Always Activate. However, I would suspect that once Flash gets knocked down to Ask to Activate due to a vulnerability alert, it just stays there, and if you want it back on Always Activate, you have to do it yourself. Is there a problem making that change stick after the update, or would you really prefer that Firefox do it automatically?
Capwinder said
Firefox always places flash in the Ask to activate category. I updated flash 2 weeks ago to v23 something and it is still "vulnerable", according to firefox. My initial question still stands, why can't these groups work together to end this. Is firefox being too paranoid or is Adobe saying there is nothing wrong with flash?
Actually it is Adobe that says their Flash Player Plugins are vulnerable, and Mozilla then decides whether it is severe enough to add to the blocklist for click-to-play soft blocking. https://helpx.adobe.com/security.html
The Flash Player plugin is only set to Ask to Activate (click to play) if you have an older version that was added to the blocklist due to critical vulnerabilities. Any version (such as the current one) not in a version range on the blocklist is not affected and can be set to Always Activate.
No Flash Player versions were added to the list between Sept 23 and Oct 28, so 23.0.0.162 was actually not added to the list at the time, until Oct 28 when 23.0.0.185 and older were added.
Two weeks ago would mean you have the previous version from Adobe as Flash Player 23.0.0.185 came out Oct 11 and the current Flash Player 23.0.0.205 came out Oct 26.
https://addons.mozilla.org/blocked/ October 28, 2016: Flash Player Plugin 22.0.0.211 to 23.0.0.185 (Win&Mac)
If you do have 23.0.0.205 installed on Windows, then perhaps you also still have the previous version, which did not get uninstalled, and the message is due to the previous version being in use and detected. https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
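The version-range check described in the last reply, as an added example that is not part of the thread and is not Firefox's own blocklist code. The function names are hypothetical, only the single blocklist entry quoted above is included, and the multi-install case models the reply's guess that a leftover older copy is what gets detected.

```javascript
// Added illustration; names are hypothetical, not Mozilla APIs.
// Only the entry quoted in the thread is listed. The real blocklist has
// older entries too, so "not in range" here says nothing about versions
// below 22.0.0.211.
const SOFT_BLOCK_RANGES = [
  { min: "22.0.0.211", max: "23.0.0.185", added: "2016-10-28" },
];

// Compare dotted versions field by field as numbers. A plain string
// comparison would wrongly rank "23.0.0.9" above "23.0.0.185".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True if the version falls inside a range that was already on the
// list on the given ISO date (YYYY-MM-DD strings sort chronologically).
function isSoftBlocked(version, onDate) {
  return SOFT_BLOCK_RANGES.some(r =>
    r.added <= onDate &&
    compareVersions(version, r.min) >= 0 &&
    compareVersions(version, r.max) <= 0);
}

// Assumption: if any detected copy is in range, the plugin is reported
// as vulnerable and held at click-to-play.
function pluginState(detectedVersions, onDate) {
  const blocked = detectedVersions.filter(v => isSoftBlocked(v, onDate));
  return {
    state: blocked.length ? "Ask to Activate" : "not in listed range",
    blocked,
  };
}

// Constructed sample: current version plus a leftover previous install.
console.log(pluginState(["23.0.0.205", "23.0.0.185"], "2016-11-01"));
console.log(pluginState(["23.0.0.205"], "2016-11-01"));
```

Listing the installed plugin versions and removing the stale copy is what clears the warning in the first case.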