Categories: Firefox Security

Helping users keep plugins updated

Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version.

After installing the Firefox security update, users with an out of date version of the Adobe Flash Player will see this message:

[Image: Warning about out of date Flash]

Our intent is to get the user’s attention, and direct them to the Adobe web site where they can download the most up to date version.

For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update:

[Image: Normal update page]

Mozilla will work with other plugin vendors to provide similar checks for their products in the future. Keeping your software up to date remains one of the best things you can do to keep yourself safe online, and Mozilla will continue to look for ways to make that process as easy as possible for its users.

Johnathan Nightingale
Human Shield

36 comments on “Helping users keep plugins updated”

  1. Kroc Camen wrote on

    I fix people’s computers, at their homes for a living. I am dealing with the public and their computers every day. Nobody is able to get Flash installed because Flash’s stupid arse-backwards installer asks them to quit Firefox and the user doesn’t know what that means, or doesn’t realise that the downloads window is part of Firefox–and the plugin finder service no longer auto-installs Flash.

    Want more people to be up to date with Flash? Get the plugin finder service working again and get Adobe to improve their damned installers. Customers are almost relying on me to update Flash, I’ve had to talk people through closing Firefox properly over the phone I don’t know how many times.

    Seriously, go get a bunch of people, put them in front of computers and get them to install Flash by downloading it with Firefox and you’ll understand the problems that need solving. A web-page warning will not solve the hurdles users are experiencing trying to install an up to date version of Flash.

  2. Larry Seltzer wrote on

    First, I do want to congratulate you on what is a big step in the right direction. Is this only going to happen at update time? That’s the impression I get from this blog. But Flash versions could get out of date between Firefox updates. Perhaps the plugin should check at all startups? And as long as you’re working with Adobe it’s probably even more important to make such a check for Acrobat and Reader.

  3. Christopher Blizzard wrote on

    This is only the first step in a multi-step process that we’re going down:

    1. The first is to do a check when we update the browser. This is what we’ll include with 3.5.3.

    2. Second, we’re going to have a regular page that you can go to to check the state of other plugins as well. This will happen sometime this month.

    3. Firefox 3.6 will check for newer versions of plugins just like we check for newer versions of Firefox or extensions. If it sees that you have one that’s out of date, you’ll be sent to that page.

    4. We’re going to try to get to the point where you can upgrade the plugin via the plugin service that we currently use for installations.

    5. We’re also talking about using Adobe’s Express Install system, which can update flash from the flash plugin without having to use a separate installer.

    So that’s the long term plan for now. Some of it will be in 3.6, some of it we’ll be doing in parallel and some of it is longer term.

  4. sdf wrote on

    Ah, that’s awesome, auto-update will be the best.

  5. James John Malcolm wrote on

    Christopher: Sounds like a great long term plan. Steps 4/5 can’t come quickly enough!

  6. WildcatRay wrote on

    Christopher, is there a bugzilla tracking bug for these additions/changes to Minefield & Namoroka where we can follow this? Thanks.

  7. Larry Seltzer wrote on

    Thanks Chris

  8. Pedro Giffuni wrote on

    I hope this is only activated for i386-Win.

    It would be a lot nicer if there were a way for the browser NOT to ask for the flash plugin: there is no native flash player for my OS (FreeBSD-amd64).

    I can live without flash but I would just be a lot happier if the browser didn’t ask to look for an inexistent update every time I want to check the news.

  9. No way wrote on

    How in hell can a FREE SOFTWARE check for the version of a PROPRIETARY SOFTWARE? This doesn’t make any sense to me.

  10. Mike Beltzner wrote on

    The check will only tell you about needing a Flash update if you have Flash installed.

    The project Christopher mentions is outlined on https://wiki.mozilla.org/Plugins:PluginCheck

  11. Tony wrote on

    To Adobe’s credit, their latest release of Flash uses an Adobe Express Install service. At least on Windows machines both for Firefox, Opera and Safari plus Internet Explorer, which downloads and installs the Flash plugin automatically without the end-user prompt (users of Vista and Win7 will encounter two User Account Control (UAC) prompts). It got rid of the confusing previous method of installing and saving the application file, closing the browser(s) and associated program, installing and then restarting the computer. Is it possible for Firefox to integrate the Adobe Express Install service?

  12. Alex wrote on

    It looks like they have this in about:config. It’s for Firefox 2, but I’m sure the options will be the same (I can’t check because, sadly, this computer doesn’t have Firefox).

    1. Type about:config in the Firefox address bar. Hit Enter.
    2. Go to “plugin.scan.plid.all” (Plugin Finder Scan)
    3. Go to “plugin.default_plugin_disabled” (Additional Plugins Warning)
    4. Double click to change both values to “false”.

  13. Daniel Veditz wrote on

    Alex: those options are unrelated to this version check. The detection here is done by the web page people get after upgrading (any web page can do this, and Flash-heavy sites typically do; search for “Flash Version Detection Kit” for example)

  14. Jacopo wrote on

    How about GNU/Linux users?
    For example, in Ubuntu the package manager takes care of updating adobe flash plugin.
    So message could be useless..

  15. Daniel Veditz wrote on

    If the package manager is successful in keeping them up to date then they won’t see the message. If they see the message they will know to start asking questions about what’s not working and take steps to secure themselves.

  16. Tim Johnson wrote on

    Just ran Firefox 3.0.14 with Flash Player 9,0,246,0 installed on a Macintosh (Adobe updated 9 the same time as Flash Player 10 to fix the same security holes) and got the “Update Adobe Flash right now” message. The problem is many, many users refuse to use Adobe’s version 10.x bloatware. So there are TWO versions of Firefox to check since Adobe also plans to issue security fixes to Flash 9.x for the foreseeable future.
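
The page-side detection that comments 13 and 16 describe, as an added example (not Mozilla's page code and not part of any comment): it parses the Flash plugin's description string and checks it against a per-branch baseline, so a patched 9.x is not flagged merely because 10.x exists. The baseline table uses the versions commenters reported (9,0,246,0 and 10.0.32.18); the function names, the sample plugin lists and the "unknown" result for a description that omits the fourth version field are assumptions of this example.

```javascript
// Added example, not Mozilla's page code. Baselines are the versions that
// commenters on this page reported; treat them as assumptions.
const MIN_SAFE = { 9: [9, 0, 246, 0], 10: [10, 0, 32, 18] };

// Accepts the plugin description form "Shockwave Flash 10.0 r32" (which may
// lack the fourth field) as well as "10.0.32.18" or "9,0,246,0".
function parseFlashVersion(text) {
  const s = String(text);
  let m = /(\d+)\.(\d+)\s+[a-z](\d+)/i.exec(s);
  if (!m) m = /(\d+)[.,](\d+)[.,](\d+)(?:[.,](\d+))?/.exec(s);
  if (!m) return null;
  return m.slice(1).filter((p) => p !== undefined).map(Number);
}

// Compare only the fields the installed version reported: <0, 0 or >0.
function compareKnownFields(have, want) {
  for (let i = 0; i < have.length; i++) {
    if (have[i] !== want[i]) return have[i] - want[i];
  }
  return 0;
}

function classify(version) {
  if (!version) return "unknown";
  const baseline = MIN_SAFE[version[0]];
  if (!baseline) {
    // Assumption: a branch newer than every tracked one is fine; any other
    // untracked branch no longer receives fixes and counts as outdated.
    const newest = Math.max(...Object.keys(MIN_SAFE).map(Number));
    return version[0] > newest ? "current" : "outdated";
  }
  const cmp = compareKnownFields(version, baseline);
  if (cmp !== 0) return cmp > 0 ? "current" : "outdated";
  // Every reported field matches. A missing fourth field only matters when
  // the baseline needs a non-zero value there; then the result is unknown
  // rather than a false "outdated".
  const unreported = baseline.slice(version.length);
  return unreported.every((n) => n === 0) ? "current" : "unknown";
}

// `plugins` is any array-like of {name, description}, the shape that
// navigator.plugins exposes in a browser.
function checkFlash(plugins) {
  const flash = Array.from(plugins).find((p) => p.name === "Shockwave Flash");
  if (!flash) return { status: "absent", version: null };
  const version = parseFlashVersion(flash.description);
  return { status: classify(version), version };
}

// Constructed sample plugin lists (not captured from real browsers).
const SAMPLES = {
  none: [{ name: "QuickTime Plug-in", description: "QuickTime Plug-in 7.6" }],
  nine: [{ name: "Shockwave Flash", description: "Shockwave Flash 9.0 r246" }],
  tenOld: [{ name: "Shockwave Flash", description: "Shockwave Flash 10.0 r22" }],
  tenAmbiguous: [{ name: "Shockwave Flash", description: "Shockwave Flash 10.0 r32" }],
};
for (const [label, plugins] of Object.entries(SAMPLES)) {
  console.log(label, checkFlash(plugins).status);
}
```

A three-field description cannot distinguish 10.0.32.0 from 10.0.32.18, which is why that case reports "unknown" instead of prompting the user to reinstall a version they may already have.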

  17. Kevin H wrote on

    Having just experienced this message, I have to say I don’t really like it.

    The implication was that there was a new High-Severity security bug that requires updates to Firefox and to Flash player to keep me safe. As though I only got half of the update that is required to fend off some new exploit. But having found the Release Notes (which used to be right there on the “Firefox Updated” tab, why’d you take that away?), I don’t see anything there that is related to plugins or to Flash.

    If Firefox recommends that I keep my plugins at the latest version for security and performance reasons, then you should say so. If there are specific security fixes that the latest version of flashplayer addresses, then you should link to them. Just saying, “YOU SHOULD UPDATE ADOBE FLASH PLAYER RIGHT NOW!” is a bit over the top and more alarmist than informative.

  18. Daniel Veditz wrote on

    The Firefox update fixed important security bugs which criminals may or may not weaponize into an attack. Unrelated to those we noticed you were running a version of Flash for which there are currently wide-spread active attacks. You will gain more practical safety at this moment from upgrading an out of date Flash than the Firefox update we just bothered you with. Don’t we have a responsibility to warn people if we can?

    As Chris Blizzard noted above we’re trying to feel our way forward with this and figure out what is appropriate, but we do think it’s very important to help our users secure their computers.

  19. jorgejhms wrote on

    I think this should work also for Gnash or swfdec.

  20. Bob D wrote on

    I am in agreement with a concept mentioned by Larry Seltzer in his first post above(#2) “Perhaps the plugin should check at all startups?”. However, rather than check at EVERY startup, a better policy should be once a day at the browser’s first startup. Users would launch the browser that would only take them to a blank page with the statement along the lines of “The browser is currently checking for updated plugins, please wait a moment while this is accomplished. Thank you for your patience”. If any plugins need updating, they are then redirected to a page from Mozilla to update them (as mentioned elsewhere on Mozilla’s site) or directly to the vendor’s update site for the plugin. If no updates are needed, then the browser should direct the user to their homepage or other startup page listed within their preferences.

  21. Pauli wrote on

    I have firefox 3.5 and have not been able to get into any webinar sites. It seems to download whatever is needed at the site and then shuts down as soon as I try to enter the meeting. Anybody else had this problem?

  22. Michael Bell wrote on

    I don’t care for it at all. I personally disable most of my adobe flash because of annoying ads. I use flash blocker and other tools. I really hate FF now because I’m being forced to update when I don’t want to. When did Adobe’s problem with users become a Mozilla problem?

    Now, the GetPlusPlus updater just crashes on startup…this is useless!

  23. cuz84d wrote on

    Chris, Does this apply to the trunk? I’ve been updating Minefield off and on lately with Flash 8.x on XP and have yet to see it redirect me to the webpage.

  24. Daniel Veditz wrote on

    The functionality described in this post is implemented on our web site, there is no client support yet. After an update Firefox regularly opens our “whatsnew” page so for this initial experiment we simply inserted this check into that flow.

    There’s ongoing work to implement a similar kind of check in the client itself, but that hasn’t landed yet.
    https://wiki.mozilla.org/Firefox/Projects/Plugin_Update_Referrals

  25. cuz84d wrote on

    @Bob D.. good idea, just like Add-Ons think they got to check every time I load FF with the dialog box getting in the way of my browsing experience.. other implementations show a modal window that checks or asks to check… why does FF do it both ways? I don’t mind if it asks to check when I start, but the Add-on window doing an auto-check after the browser starts and getting in the way is annoying. I would rather see the status bar flash or let me know it’s checking for updates for Add-ons or plugins and have it ask me or point me to a setting showing me how to set up asking me. I may have different settings on FF 3.5.3 than I do on FF 3.6 or 3.7.

    Oh wait that is buried deep down in Tools->Options->Advanced->Update.. it should be a main pane of Tools->Options (Call it Check for Updates Pane), and it’s not even linked to Help->Check for updates which is inconsistent. I don’t think updates are part of Advanced Options in FF. They should be basic options. I think most people forget there is an options UI somewhere in FF. Also Plugins should have additional option to select ask to update this add-on just like the enable/disable.

    I think sometimes the Find-Updates function should be more like the download manager.. I don’t need to see it run, but I may want it to run with a single progress bar informing me it’s running. That way I can start or keep browsing.. and do updates in the background like the Check for Updates already does. If the Add-on Manager window comes up, I don’t even know if I can close it while it’s running. I don’t like to restart FF for every single update, but individual ones I want to install/update should just all queue up and install all at once by clicking on a master install new updates for those I selected I want to update instead of single updates. (which wastes time, so I turn off -update Add-ons because I know they are updated or I don’t care about updating them) But make it discoverable.

    It seems we have too many ways to do the same thing with add-ons/updates/plugins, etc.

    I say make it easier, more discoverable and less annoying and make updates a one-stop shop and we should think about just using Tools->Check for Updates to access the update UI options and Add-ons manager from a single source. (this should keep users focused and help them understand how to update FF better)

    Since I have never seen FF look for the new plugins webpage, maybe we could just have the browser invoke the first tab as about:checkforupdates which can go to the update plugin page or update firefox page when needed.

    I got so many ideas here.. but it shouldn’t be hard to take something here and run with it to make FF better overall.

  26. Glen Turner wrote on

    I’ve got Fedora 11, up to date. Firefox complains that Flash is out of date, and when I click through to the Adobe website it offers to download 10.0.32.18. Which is odd since
    $ rpm -q flash-plugin
    flash-plugin-10.0.32.18-release
    Besides the obvious, why is Mozilla suggesting I download a file from the Internet rather than suggest updating using the operating system’s package manager (for operating systems which have package managers)?

  27. deepnet wrote on

    Is there any way that a virus could be spoofing this message?

    I got this message earlier today and since I know I’ve put off updating Flash I clicked on the install link, because I trust Firefox and even though I knew it might just be a marketing ploy.

    But to my dismay it also installed a suspicious-looking program called “Adobe Download Manager” which looked like it was doing the upgrade. But now I’ve just noticed that an icon called “McAfee Security Scan” has appeared on my desktop that runs a program in a new Program Files folder of the same name, even though I have not installed ANYTHING except the Adobe upgrade today.

    There is an entry for it in the Add / Remove Programs control panel of Windows too. The timestamps on the files are from about the same time I would’ve run the Adobe install.

    Is anyone else seeing this? Is there any McAfee component to the Adobe upgrade? I’m concerned that I have just installed a virus.

    One other note is that my internet access is through Comcast on the East Coast of the U.S. and they are known for running things that intercept and alter network traffic like systems to suppress Bittorrent downloads. They also distribute McAfee for free with service… could they be piggybacking somehow on the Adobe install to force installation of the McAfee product?

    …okay, I’m seeing notes elsewhere on the net that seem to indicate that there was an automatically-checked checkbox in a dialog related to the Adobe upgrade that I must have missed and this McAfee product is a “lite” crippleware product installed as a result of it. So I am assuming that this was all just an opportunistic marketing operation to take advantage of peoples’ trust in Firefox.

    This really sucks. I am not going to trust Firefox again.

  28. Daniel Veditz wrote on

    We’re not too happy about that, either. In the past the Adobe download page served a plain installer, not this download manager thing with opt-out marketing tie-ins. Unfortunately what you got is now the default experience for getting Flash player from Adobe’s site, and I hope unhappy Flash users let them know how they feel about it.

    In the face of active wide-spread attacks and given the number of vulnerable Firefox users it seemed better to do something than nothing, and the best we could come up with quickly (and legally) was to link to Adobe’s site. In the future we hope we can come up with a better experience in cooperation with plugin vendors. For this experiment we didn’t have the time to wait for the glacially slow corporate business negotiations that could take.

  29. Daniel Veditz wrote on

    We’re not too happy about that, either. In the past the Adobe download page served a plain installer, not this download manager thing with opt-out marketing tie-ins. Unfortunately what you got is now the default experience for getting Flash player from Adobe’s site, and I hope unhappy Flash users let them know how they feel about it.

    In the face of active wide-spread attacks and given the number of vulnerable Firefox users it seemed better to do something than nothing, and the best we could come up with quickly (and legally) was to link to Adobe’s site. In the future we hope we can come up with a better experience in cooperation with plugin vendors. For this experiment we didn’t have the time to wait for the glacially slow corporate business negotiations that would require.

  30. Jesse Ruderman wrote on

    What if we gave users instructions for triggering Flash’s update mechanism, rather than pointing them to download an installer for a new version? I’m pretty sure the update mechanism doesn’t try to shovel other things onto your computer.

  31. Conor wrote on

    This sounds like an issue I am running into. I have a display on a Linux box for a client which is showing a series of webpages which use flash. Everything is up-to-date. (Ubuntu Hardy Heron 8.04, Firefox 3.0.14 etc). The page loads and displays fine for about 24 hours and then randomly decides it does not have the correct version of Flash! Very strange since the website remains the same and no one is touching the computer (the keyboard and mouse are removed!).
    Is it checking against some version number on the website which perhaps is not compatible with the latest linux flash release?

  32. Matle wrote on

    I suggest removing Flash Plugin from Firefox, now that Adobe decided to leave the road of business ethics and forces installation of completely unrelated, potentially dangerous software on Flash Player updates. It doesn’t matter if the user updates or not, in both ways he’s having a big risk now.

  33. VanillaMozilla wrote on

    Gee, thanks for that check. I didn’t know I even had Flash installed.

    Now, can we please get notification of Firefox updates? See bugs 318855 and 407875. I know they’re being worked on, but very, very slowly. The one bug report is almost 4 years old now.

  34. Jim Huneycutt wrote on

    Please tell me how to turn this blasted check off. I manage a lot of public access computers and I do NOT want public users installing ANYTHING. The message scares the crap out of the users and then they cannot install the plugin, even if they could figure out how, because they do not have permission to do so. I in fact periodically update the plugins as admin, but there is a delay in doing this.

    HELP!

  35. Jim Huneycutt wrote on

    Answer to my own question how to disable the bloody nag screen:

    I set the value of browser.startup.homepage_override.mstone to “ignore” and the redirect has stopped. Took me half a day of googling to find this though. Whenever one of these new “features” gets dreamed up, why doesn’t the nag screen also tell you the above fix so you can kill the blasted message if you so choose, security warnings duly noted, etc.

    In my case I HAD updated the browser with the latest version of Flash, but for some reason Firefox could not detect it. I verified I had the latest using the Adobe Flash test page.

    I hope someone else finds the page redirect config useful.

    Thank you.
