Categories: Firefox Security

Helping users keep plugins updated

Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now, our focus is on the Adobe Flash Player, both because of its popularity and because some studies have shown that as many as 80% of users currently have an out-of-date version.

After installing the Firefox security update, users with an out of date version of the Adobe Flash Player will see this message:

[Image: Warning about out of date Flash]

Our intent is to get the user’s attention, and direct them to the Adobe web site where they can download the most up to date version.

For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update:

[Image: Normal update page]

Mozilla will work with other plugin vendors to provide similar checks for their products in the future. Keeping your software up to date remains one of the best things you can do to keep yourself safe online, and Mozilla will continue to look for ways to make that process as easy as possible for its users.

Johnathan Nightingale
Human Shield

36 comments on “Helping users keep plugins updated”

  1. Kroc Camen wrote on

    I fix people’s computers, at their homes for a living. I am dealing with the public and their computers every day. Nobody is able to get Flash installed because Flash’s stupid arse-backwards installer asks them to quit Firefox and the user doesn’t know what that means, or doesn’t realise that the downloads window is part of Firefox–and the plugin finder service no longer auto-installs Flash.

    Want more people to be up to date with Flash? Get the plugin finder service working again and get Adobe to improve their damned installers. Customers are almost relying on me to update Flash, I’ve had to talk people through closing Firefox properly over the phone I don’t know how many times.

    Seriously, go get a bunch of people, put them in front of computers and get them to install Flash by downloading it with Firefox and you’ll understand the problems that need solving. A web-page warning will not solve the hurdles users are experiencing trying to install an up to date version of Flash.

  2. Larry Seltzer wrote on

    First, I do want to congratulate you on what is a big step in the right direction. Is this only going to happen at update time? That’s the impression I get from this blog. But Flash versions could get out of date between Firefox updates. Perhaps the plugin should check at all startups? And as long as you’re working with Adobe it’s probably even more important to make such a check for Acrobat and Reader.

  3. Christopher Blizzard wrote on

    This is only the first step in a multi-step process that we’re going down:

    1. The first is to do a check when we update the browser. This is what we’ll include with 3.5.3.

    2. Second, we’re going to have a regular page that you can go to to check the state of other plugins as well. This will happen sometime this month.

    3. Firefox 3.6 will check for newer versions of plugins just like we check for newer versions of Firefox or extensions. If it sees that you have one that’s out of date, you’ll be sent to that page.

    4. We’re going to try to get to the point where you can upgrade the plugin via the plugin service that we currently use for installations.

    5. We’re also talking about using Adobe’s Express Install system, which can update flash from the flash plugin without having to use a separate installer.

    So that’s the long term plan for now. Some of it will be in 3.6, some of it we’ll be doing in parallel, and some of it is longer term.

  4. sdf wrote on

    Ah, that’s awesome, auto-update will be the best.

  5. James John Malcolm wrote on

    Christopher: Sounds like a great long term plan. Steps 4/5 can’t come quickly enough!

  6. WildcatRay wrote on

    Christopher, is there a bugzilla tracking bug for these additions/changes to Minefield & Namoroka where we can follow this? Thanks.

  7. Larry Seltzer wrote on

    Thanks Chris

  8. Pedro Giffuni wrote on

    I hope this is only activated for i386-Win.

    It would be a lot nicer if there were a way for the browser NOT to ask for the flash plugin: there is no native flash player for my OS (FreeBSD-amd64).

    I can live without flash but I would just be a lot happier if the browser didn’t ask to look for an inexistent update every time I want to check the news.

  9. No way wrote on

    How in hell can a FREE SOFTWARE check for the version of a PROPRIETARY SOFTWARE? This doesn’t make any sense to me.

  10. Mike Beltzner wrote on

    The check will only tell you about needing a Flash update if you have Flash installed.

    The project Christopher mentions is outlined on

  11. Tony wrote on

    To Adobe’s credit, their latest release of Flash uses an Adobe Express Install service. At least on Windows machines both for Firefox, Opera and Safari plus Internet Explorer, which downloads and installs the Flash plugin automatically without the end-user prompt (users of Vista and Win7 will encounter two User Account Control (UAC) prompts). It got rid of the confusing previous method of installing and saving the application file, closing the browser(s) and associated program, installing and then restarting the computer. Is it possible for Firefox to integrate the Adobe Express Install service?

  12. Alex wrote on

    It looks like they have this in about:config. It’s for Firefox 2, but I’m sure the options will be the same (I can’t check because, sadly, this computer doesn’t have Firefox).

    1. Type about:config in the Firefox address bar. Hit Enter.
    2. Go to “plugin.scan.plid.all” (Plugin Finder Scan)
    3. Go to “plugin.default_plugin_disabled” (Additional Plugins Warning)
    4. Double click to change both values to “false”.

  13. Daniel Veditz wrote on

    Alex: those options are unrelated to this version check. The detection here is done by the web page people get after upgrading (any web page can do this, and Flash-heavy sites typically do; search for “Flash Version Detection Kit” for example)

  14. Jacopo wrote on

    How about GNU/Linux users?
    For example, in Ubuntu the package manager takes care of updating the Adobe Flash plugin.
    So the message could be useless.

  15. Daniel Veditz wrote on

    If the package manager is successful in keeping them up to date then they won’t see the message. If they see the message they will know to start asking questions about what’s not working and take steps to secure themselves.

  16. Tim Johnson wrote on

    Just ran Firefox 3.0.14 with Flash Player 9,0,246,0 installed on a Macintosh (Adobe updated 9 the same time as Flash Player 10 to fix the same security holes) and got the “Update Adobe Flash right now” message. The problem is many, many users refuse to use Adobe’s version 10.x bloatware. So there are TWO versions of Firefox to check since Adobe also plans to issue security fixes to Flash 9.x for the foreseeable future.
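The page-side version check described in comment 13, written so that it handles the two maintained branches raised in comment 16. This is an added example, not code from the post, from Mozilla's update page or from Adobe. The function names are hypothetical, the sample strings are constructed, and the 10.x minimum is a placeholder rather than a real release number.

```javascript
// Minimum patched build per major branch. 9,0,246,0 is the build quoted in
// comment 16; the 10.x entry is a constructed placeholder, not a real
// Adobe release number.
const MINIMUM_BY_BRANCH = {
  9: [9, 0, 246, 0],
  10: [10, 0, 99, 0], // placeholder
};

// Accepts "9,0,246,0", "WIN 9,0,246,0", "10.0.99.0" or the plugin description
// form "Shockwave Flash 10.0 r32". Returns [major, minor, build, patch] or null.
function parseFlashVersion(text) {
  if (typeof text !== "string") return null;
  const described = /(\d+)\.(\d+)\s+r(\d+)/.exec(text);
  if (described) {
    return [Number(described[1]), Number(described[2]), Number(described[3]), 0];
  }
  const listed = /(\d+)[.,](\d+)[.,](\d+)(?:[.,](\d+))?/.exec(text);
  if (!listed) return null;
  return listed.slice(1, 5).map((part) => Number(part || 0));
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "current"  : at or above the minimum for its own branch
// "outdated" : below its branch minimum, or on a branch that gets no fixes
// "unknown"  : version string could not be parsed, so do not warn on a guess
// "absent"   : plugin not installed, nothing to warn about
function classifyFlash(versionText, minimums = MINIMUM_BY_BRANCH) {
  if (versionText == null || versionText === "") return "absent";
  const installed = parseFlashVersion(versionText);
  if (!installed) return "unknown";
  const minimum = minimums[installed[0]];
  if (!minimum) {
    // No entry for this major version: older than every maintained branch
    // means unpatched; newer than every known branch is treated as current.
    const newest = Math.max(...Object.keys(minimums).map(Number));
    return installed[0] > newest ? "current" : "outdated";
  }
  return compareVersions(installed, minimum) >= 0 ? "current" : "outdated";
}
```

Comparing against a single global "latest" version would flag a fully patched 9.x install as out of date; keying the minimum on the installed major version avoids that false warning.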

  17. Kevin H wrote on

    Having just experienced this message, I have to say I don’t really like it.

    The implication was that there was a new High-Severity security bug that requires updates to Firefox and to Flash player to keep me safe. As though I only got half of the update that is required to fend off some new exploit. But having found the Release Notes (which used to be right there on the “Firefox Updated” tab, why’d you take that away?), I don’t see anything there that is related to plugins or to Flash.

    If Firefox recommends that I keep my plugins at the latest version for security and performance reasons, then you should say so. If there are specific security fixes that the latest version of flashplayer addresses, then you should link to them. Just saying, “YOU SHOULD UPDATE ADOBE FLASH PLAYER RIGHT NOW!” is a bit over the top and more alarmist than informative.

  18. Daniel Veditz wrote on

    The Firefox update fixed important security bugs which criminals may or may not weaponize into an attack. Unrelated to those we noticed you were running a version of Flash for which there are currently wide-spread active attacks. You will gain more practical safety at this moment from upgrading an out of date Flash than the Firefox update we just bothered you with. Don’t we have a responsibility to warn people if we can?

    As Chris Blizzard noted above we’re trying to feel our way forward with this and figure out what is appropriate, but we do think it’s very important to help our users secure their computers.

  19. jorgejhms wrote on

    I think this should work also for Gnash or swfdec.

  20. Bob D wrote on

    I am in agreement with a concept mentioned by Larry Seltzer in his first post above (#2): “Perhaps the plugin should check at all startups?” However, rather than check at EVERY startup, a better policy should be once a day at the browser’s first startup. Users would launch the browser that would only take them to a blank page with the statement along the lines of “The browser is currently checking for updated plugins, please wait a moment while this is accomplished. Thank you for your patience”. If any plugins need updating, they are then redirected to a page from Mozilla to update them (as mentioned elsewhere on Mozilla’s site) or directly to the vendor’s update site for the plugin. If no updates are needed, then the browser should direct the user to their homepage or other startup page listed within their preferences.
