How about letting US choose if we want always active or click to activate?
This forcing us to click to activate crap is no good. Why do you have to because you're in this war with Adobe?
Profanity remarks removed. Please follow Mozilla Support rules and guidelines.
No update is available for Linux yet. Next post has the correction.
War with Adobe? Please do a web search for "hacking team" to understand why Mozilla soft-blocked version 220.127.116.11 of the Shockwave Flash plugin.
Also, we support volunteers aren't responsible for blocking plugins, but we can help you cope with it if you give us the chance.
Adobe released an update today to resolve the critical issues it admitted were in the 18.104.22.168 version. You can get 22.214.171.124 on this page:
In the first table, look for the row for "plugin-based browsers" and you can use either the EXE or the MSI installer.
No one can promise that this kind of block will never happen again. Should that occur, if you are not accustomed to using the "Ask to Activate" feature for a plugin, here's what to expect:
When you visit a site that wants to use Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.
If you see a good reason to use Flash, and the site looks trustworthy, you can go ahead and click the Lego-like icon in the address bar to allow Flash. You can trust the site for the time being or permanently.
But some pages use Flash only for tracking or playing ads, so if you don't see an immediate need for Flash, feel free to ignore the notification! It will just sit there in case you want it later.
Sorry, didn't notice you run Linux. According to today's bulletin:
"Adobe will provide an update for Flash Player for Linux during the week of July 12. The update will be available by visiting the Adobe Flash Player Download Center. Please continue to monitor the PSIRT blog for updates."
Actually I can't because .209 isn't out for Linux yet, and I have the latest that is available installed and still get this message.
Yes, they have a version for Google Chrome, but as I stated I don't want my every activity on the web monitored and recorded permanently in Google's servers.
Looks like the Linux release (Flash Player 126.96.36.1991) is available now: https://www.adobe.com/products/flashplayer/distribution3.html
I have installed the updated flash, and after doing so the "Always Activate" option was again present in plugins, but selecting it didn't stop Firefox from blocking every new flash website and asking if I want to activate. So it's still very much broken. I've downloaded the source and will attempt to build and rip that code out myself and then never touch a Mozilla update again.
Does the Add-ons page, Plugins section show that Firefox detected the update? If not, usually exiting Firefox and starting it up again will pick up the change. If not, there may be a damaged settings file.
Yes it shows the current version, and yes I did restart Firefox after installing it, before the Always Active was grayed out, now it's not but selecting it hasn't changed behavior. I'm really tired of software groups getting in pissing wars with each other and I guess the whole point of open sourced software is you can make a new fork if you think the existing direction sucks. Really while Flash might have security flaws, the big flaws are in the operating system it's usually riding on top of Windows. Applications should not have to be responsible for protecting a broken operating system. It's not like Mozilla hasn't had its share of security issues either.
If this problem only affected Windows or Firefox, I'm sure Adobe would have said so in its bulletins.
Anyway, if "Always Activate" is selected and stays selected -- i.e., you close the Add-ons page, and it's still "Always Activate" when you reopen it -- then you should not be asked to activate Flash. When you see that, could you check whether the site-specific permission was switched? You can use the Permissions panel of the Page Info dialog:
- right-click the page and choose View Page Info > Permissions
- (menu bar) Tools menu > Page Info > Permissions
- click the padlock or globe icon to the left of the site address > More Information > Permissions
In the section toward the top of the panel, it's the row for Adobe Flash.
Always activate is still set, but it asks anyway. Don't remember the specific page so can't really go back and check permissions. In Linux, or MacOS, Flash doesn't run as root, it runs as the user invoking it, so it can only affect that user, not system files like it can in Windows. A simple work-around in MacOS or Linux is create a separate user for web browsing if you're really worried about it. Firefox shouldn't play Nanny. And on Windows where it can trash the entire OS because the OS is crap and doesn't protect itself, evolution in action.
Does it activate on Adobe's test page? https://www.adobe.com/software/flash/about/
As for running as user vs. root, I'm sure that significantly diminishes the types of exploits that could be run, but I don't think it eliminates the concern completely, since presumably users can read/write files, use the network, etc.
I acknowledge that Flash had a published vulnerability. My issue is with Mozilla Firefox refusing to give ME permission to decide what level of risk I find acceptable. I fought this same battle with the Ten-Four-Fox idiots when I had a power Mac. I thought now that I'm on an Intel based machine with Linux that I would be past this nanny crap. I would be fine with a warning when I set it to Always Activate, but to have it grayed out altogether or to ignore the setting is not okay. I finally did get it to work by uninstalling Flash, installing Gnash (which totally didn't work right with YouTube, it would keep playing the same video when I selected another), and then re-installing Flash. Somehow in that process it started working again.
Most of the time such a block is a soft block (Ask to Activate) and you should be able to activate the plugin via a Lego block icon on the location/address bar.
You would have to disable blocklisting to have full control, but that way you won't notice that something is wrong and we strongly advise against doing this (with an old and no longer supported OS for current plugin versions this might be a valid reason).
A simple warning, in big red letters even if you like, when you disabled it would suffice.
The previous (vulnerable) versions are not blocked completely but are soft blocked as you can click to activate. https://support.mozilla.org/en-US/kb/set-adobe-flash-click-play-firefox
The 188.8.131.521 for Linux has been the current since Adobe released it late Wednesday last week as they were late since the Windows and Mac OSX versions came out early Tuesday. The 184.108.40.2061 is not the current as it came out July 8.
I would say there are three groups of users in this case. Those who truly know what they are doing, those who think they know what they are doing and those who do not know what they are doing. Those who truly know can likely figure out how to bypass the block with little effort and understand the consequences. That warning would likely not be noticed or forgotten about.
A lot of the people who came here to complain about the soft blocking of old versions did not know they were using an older version as they thought they had the latest. Some also thought the soft blocking (click to activate) was for some reason other than the older versions being affected by critical vulnerabilities.
Yes the last months since December have been annoying with the more frequent updates from Adobe in their attempts to try to fix the vulnerabilities and Mozilla soft blocking the previous versions each time.
Mozilla before December 2014 did not add any Flash player plugin versions to blocklist since Feb/Mar 2013 as the security concerns in the then Flash player versions were not serious enough to warrant adding any to blocklist until December 2014.
I had 220.127.116.111 installed. Originally I had 18.104.22.1681 installed but as soon as .491 came out I installed it. Mozilla still bitched. I stopped and restarted the browser. It STILL bitched. It's working now, after uninstalling, installing Gnash, uninstalling Gnash, and then reinstalling flash it decided to work. Mozilla didn't just block the previous version, they blocked the most current version. Frankly I don't want one software developer group deciding to block my access to another software developers product, period. I don't care to be caught in the middle of pissing wars between Adobe and Mozilla or any other vendor.
It's also a lot easier to go in and change things when where to do so is actually documented somewhere. The dearth of useful documentation about the about:config variables and the plethora of them, make that difficult. Strangely, your web editor responds to the B button by quoting what is highlighted, not exactly what I had intended.
When Firefox does not seem to be using the current versions of Plugins try typing in about:plugins on Location (address) bar as Firefox will scan and show what Plugins it detects to use and where they are located on system.