Helping users keep plugins updated

Johnathan Nightingale

36

Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version.

After installing the Firefox security update, users with an out of date version of the Adobe Flash Player will see this message:

Warning about out of date Flash

Our intent is to get the user’s attention, and direct them to the Adobe web site where they can download the most up to date version.

For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update:

Normal update page

Mozilla will work with other plugin vendors to provide similar checks for their products in the future. Keeping your software up to date remains one of the best things you can do to keep yourself safe online, and Mozilla will continue to look for ways to make that process as easy as possible for its users.

Johnathan Nightingale
Human Shield

36 responses

  1. Pauli wrote on :

    I have firefox 3.5 and have not been able to get into any webinar sites. It seems to download whatever is needed at the site and then shuts down as soon as I try to enter the meeting. Anybody else had this problem?

  2. Michael Bell wrote on :

    I don’t care for it at all. I personally disable most of my adobe flash because of annoying ads. I use flash bloacker and other tools. I really hate FF now because I’m being forced to update when I don’t want to. When did Adobe’s problem with user’s become a Mozilla problem?

    Now, the GetPlusPlus updater just crashes on startup…this is useless!

  3. cuz84d wrote on :

    Chris, Does this apply to the trunk? I’ve been updating Minefield of and on lately with Flash 8.x on XP and have yet to see it redirect me to the webpage.

  4. Daniel Veditz wrote on :

    The functionality described in this post is implemented on our web site, there is no client support yet. After an update Firefox regularly opens our “whatsnew” page so for this initial experiment we simply inserted this check into that flow.

    There’s ongoing work to implement a similar kind of check in the client itself, but that hasn’t landed yet.
    https://wiki.mozilla.org/Firefox/Projects/Plugin_Update_Referrals

  5. cuz84d wrote on :

    @Bob D.. good idea, just like Add-Ons think they got to check everytime I load FF with the dialog box getting in the way of my browsing experience.. other implementations show a model window that checks or asks to check… why does Ff do it both ways? I don’t mind if it asks to check when I start, but the Add-on window doing an auto-check after the browser starts and getting in the way is annoying. I would rather see the status bar flash or let me know its checking for updates for Add-ons or plugins and have it ask me or point me to a setting showing me how to setup asking me. I may have different settings on FF 3.5.3 than I do on FF 3.6 or 3.7.

    Oh wait that is buried deep down in Tools->Options->Advanced->Update.. it should be a main pane of Tools->Options (Call it Check for Updates Pane), and its not even linked to Help->Check for updates which is inconsistent. I don’t think updates are part of Advanced Options in FF. They should be basic options. I think most people forget there is an options UI somewhere in FF. Also Plugins should have additional option to select ask to update this add-on just like the enable/disable.

    I think sometimes the Find-Updates function should be more like the download manager.. I don’t need to see it run, but I may want it to run with a single progress bar informing me its running. That way I can start or keep browsing.. and do updates in the background like the Check for Updates already does. If the Add-on Manager window comes up, I don’t even know if I can close it while its running. I don’t like to restart FF for every single update, but individual ones I want to install/update should just all queue up and install all at once by clicking on a master install new updates for those I selected I want to update instead of single updates. (which wastes time, so I turn off -update Add-ons because I know they are updated or I don’t care about updating them) But make it discoverable.

    It seems we have too many ways to do the same thing with add-ons/updates/plugins, etc.

    I say make it easier, more discoverable and less annoying and make updates a one-stop shop and we should think about just using Tools->Check for Updates to access the update UI options and Add-ons manager from a single source. (this should keep users focused and help them understand how to update FF better)

    Since I have never FF look for the new plugins webpage, maybe we could just have the browser invoke the first tab as about:checkforupdates which can go to the update plugin page or update firefox page when needed.

    I got so many ideas here.. but it shouldn’t be hard to take something here and run with it to make FF better overall.

  6. Glen Turner wrote on :

    I’ve got Fedora 11, up to date. Firefox complains that Flash is out of date, and when I click through to the Adobe website it offers to download 10.0.32.18. Which is odd since
    $ rpm -q flash-plugin
    flash-plugin-10.0.32.18-release
    Besides the obvious, why is Mozilla suggesting I download a file from the Internet rather than suggest updating using the operating system’s package manager (for operating systems which have package managers)?

  7. deepnet wrote on :

    Is there any way that a virus could be spoofing this message?

    I got this message earlier today and since I know I’ve put off updating Flash I clicked on the install link, because I trust Firefox and even though I knew it might just be a marketing ploy.

    But to my dismay it also installed a suspicious-looking program called “Adobe Download Manager” which looked like it was doing the upgrade. But now I’ve just noticed that an icon called “McAfee Security Scan” has appeared on my desktop that runs a program in a new Program Files folder of the same name, even though I have not installed ANYTHING except the Adobe upgrade today.

    There is an entry for it in the Add / Remove Programs control panel of Windows too. The timestamps on the files are from about the same time I would’ve run the Adobe install.

    Is anyone else seeing this? Is there any McAfee component to the Adobe upgrade? I’m concerned that I have just installed a virus.

    One other note is that my internet access is through Comcast on the East Coast of the U.S. and they are known for running things that intercept and alter network traffic like systems to suppress Bittorrent downloads. They also distribute McAfee for free with service… could they be piggybacking somehow on the Adobe install to force installation of the McAfee product?

    …okay, I’m seeing notes elsewhere on the net that seem to indicate that there was an automatically-checked checkbox in a dialog related to the Adobe upgrade that I must have missed and this McAfee product is a “lite” crippleware product installed as a result of it. So I am assuming that this was all just an opportunistic marketing operation to take advantage of peoples’ trust in Firefox.

    This really sucks. I am not going to trust Firefox again.

  8. Daniel Veditz wrote on :

    We’re not too happy about that, either. In the past the Adobe download page served a plain installer, not this download manager thing with opt-out marketing tie-ins. Unfortunately what you got is now the default experience for getting Flash player from Adobe’s site, and I hope unhappy Flash users let them know how they feel about it.

    In the face of active wide-spread attacks and given the number of vulnerable Firefox users it seemed better to do something than nothing, and the best we could come up with quickly (and legally) was to link to Adobe’s site. In the future we hope we can come up with a better experience in cooperation with plugin vendors. For this experiment we didn’t have the time to wait for the glacially slow corporate business negotiations that could take.

  9. Daniel Veditz wrote on :

    We’re not too happy about that, either. In the past the Adobe download page served a plain installer, not this download manager thing with opt-out marketing tie-ins. Unfortunately what you got is now the default experience for getting Flash player from Adobe’s site, and I hope unhappy Flash users let them know how they feel about it.

    In the face of active wide-spread attacks and given the number of vulnerable Firefox users it seemed better to do something than nothing, and the best we could come up with quickly (and legally) was to link to Adobe’s site. In the future we hope we can come up with a better experience in cooperation with plugin vendors. For this experiment we didn’t have the time to wait for the glacially slow corporate business negotiations that would require.

  10. jesse Ruderman wrote on :

    What if we gave users instructions for triggering Flash’s update mechanism, rather than pointing them to download an installer for a new version? I’m pretty sure the update mechanism doesn’t try to shovel other things onto your computer.

  11. Conor wrote on :

    This sounds like an issue I am running into. I have display on a Linux box for a client which is showing a series of webpages which use flash. Everything is up-to-date. (Ubuntu Hardy Heron 8.04, Firefox 3.0.14 etc). The page loads and displays fine for about 24 hours and then randomly decides it does not have the correct version of Flash! Very strange since the website remains the same and no one is touching the computer(the keyboard and mouse are removed!).
    Is it checking against some version number on the website which perhaps is not compatible with the latest linux flash release?

  12. Matle wrote on :

    I suggest removing Flash Plugin from Firefox, now that Adobe decided to leave the road of business ethics and forces installation of completely unrelated, potentially dangerous software on Flash Player updates. It doesn’t matter if the user updates or not, in both ways he’s having a big risk now.

  13. VanillaMozilla wrote on :

    Gee, thanks for that check. I didn’t know I even had Flash installed.

    Now, can we please get notification of Firefox updates? See bugs 318855 and 407875. I know they’re being worked on, but very, very slowly. The one bug report is almost 4 years old now.

  14. Jim Huneycutt wrote on :

    Please tell me how to turn this blasted check off. I manage a lot of public access computers and I do NOT want public users installing ANYTHING. The message scares the crap out of the users and then they cannot install the plugin, even if they could figure out how, because they do not have permission to do so. I in fact periodically update the plugins as admin, but there is a delay in doing this.

    HELP!

  15. Jim Huneycutt wrote on :

    Answer to my own question how to disable the bloody nag screen:

    I set the value of browser.startup.homepage_override.mstone to “ignore” and the redirect has stopped. Took me half a day of googling to find this though. Whenever one of these new “features” gets dreamed up, why doesn’t the nag screen also tell you the above fix so you can kill the blasted message if you so chose, security warnings duly noted, etc.

    I my case I HAD updated the browser with the latest version of Flash, but for some reason Firefox could not detect it. I verified I had the latest using the Adobe Flash test page.

    I hope someone else finds the page redirect config useful.

    Thank you.

  16. sikiş wrote on :

    I am in agreement with a concept mentioned by Larry Seltzer in his first post above(#2) “Perhaps the plugin should check at all startups?”. However, rather than check at EVERY startup, a better policy should be once a day at the browser’s first startup. Users would launch the browser that would only take them to a blank page with the statement along the lines of “The browser is currently checking for updated plugins, please wait a moment while this is accomplished. Thank you for your patience”. If any plugins need updating, they are then redirected to a page from Mozilla to update them (as mentioned elsewhere on Mozilla’s site) or directly to the vendor’s update site for the plugin. If no updates are needed, then the browser should direct the user to their homepage or other startup page listed within their preferences.

More comments: 1 2