17 comments

[ 3.0 ms ] story [ 55.4 ms ] thread
Why would it make sense to allow running a vulnerable version of a plugin with just a click?

Perhaps with a hidden preference, for people who absolutely need an old version (to run some internal business app that fails with new versions, for instance), but by default?

There are a number of reasons that we're taking these steps.

First, click to play for vulnerable plug-ins will make driveby exploits less likely to be successful.

Second, it gives users some protection while while they wait for a time to upgrade a plug-in that's more convenient to them.

Third, we've learned that if you simply take the plug-in away, users don't upgrade, they switch to one of the other browsers on their system which isn't taking their (potentially similarly vulnerable) plug-in away.

This is not the only answer, though. It's a step in an ongoing process to protect more users and one that I believe all browser vendors are converging on.

> Third, we've learned that if you simply take the plug-in away, users don't upgrade, they switch to one of the other browsers on their system which isn't taking their (potentially similarly vulnerable) plug-in away.

That make sense, and that sounds like the real reason. The first two reasons would work just as well with disabling the plugin entirely without the click to bypass. However, if you think people will ignore the warnings and run another browser entirely, that seems like a good argument for letting them use the plugin with Firefox, as long as you have an appropriately severe warning about what it means to let a site access a vulnerable plugin.

> However, if you think people will ignore the warnings and run another browser entirely, that seems like a good argument for letting them use the plugin with Firefox, as long as you have an appropriately severe warning about what it means to let a site access a vulnerable plugin.

An informed user can also make a judgment depending on how trustworthy they think the site is.

There are many reasons why you'd want to allow an older version, such as there simply isn't a newer version available.

Just to give an example, Flash on ARM (non-Android) is old, however, most of the attacks won't work, due to the different architecture (that's not to say it's safe, just that most people aren't targeting non-android ARM devices yet.)

The odds of seeing any sort of update for it (I think, but don't quote me on it, it's version 10 or 11) are slim to none based on Google not releasing a version of Chrome for non android devices, nor does Adobe do the work of preparing Flash for these devices.

I'm not saying these machines are worry free, but I definitely don't concern myself near as much as for my amd64 boxes

How can flash have a serious vulnerability EVERY WEEK and it's over TWELVE years old?

That kinda blows my mind. I mean it's not an entire OS, just flash.

Yeah, it's just a framework for writing almost arbitrary types of applications in. What could possibly be so hard about that?
Virtual machine, not framework. Flex would be a framework though.
I was just using the word framework in its general sense, not in the narrower technical definition.
I take it you have a fairly negative opinion of Flash. That's okay by me, since I do too. Anyway, would you ever work on that project? I sure wouldn't, because it would look like a horrible black mark on my resume. Some projects are bad enough to where it leaves a stink on the people who touch it.

Once a project gets to that point, who can you hire to work on it? I'm guessing you're not going to get the best and the brightest. So, you get whoever's left. I think you can see where this is going.

I call this cycle "The Bozo Loop".

Interesting theory. My theory is that Flash doesn't make Adobe any money, so they don't have any resources working on it.

I'd happily work on Flash if it was a Google product, for example. I don't think it's a black mark, but if it was, I would just say, "Oh, I optimized a virtual machine for running lightweight dynamic languages" or something that's not obviously "I designed the Macromedia Flash Plugin". (But I wouldn't want to work for Adobe, even though they do have some successful products.)

>My theory is that Flash doesn't make Adobe any money

They would have dropped it like a hot potato if that would have been the case.

They make money with the fairly expensive authoring tool.

I think there's a mix of bad mojo all around for the Flash player:

-It's a quite old codebase at this point(approaching 20 years)

-There's a huge amount of backwards compatibility expected - 11 major versions and counting

-The technology is not easily tamed - it's a whole suite of formats and protocols integrated together, each one of which has its own complexities.

-There's proprietary codecs in there, an open source player would be more expensive to support and reduce some strategy flexibility...which ties in with the last point...

-It's not the center of attention because historically the tool is making the real money, as parent states.

Adobe can still share plenty of blame for this, though. Even though they're in a monopoly position with most of their products, they are hesitant to make sweeping changes that can comprehensively address new needs - they opt to keep piling on features as long as possible and that is helping to contribute to exploitable bugs in both Acrobat and Flash. Even Photoshop has exploits, though they're less devastating since only some users frequently open PSD files.

Flash is huge, it runs a dynamic-language VM which is always hard to secure, and it is constantly adding APIs. That sort of program tends to have security vulnerabilities all the time, in fact exactly like browsers do - they also fit the three traits mentioned above.

But, better to have one such program - a browser - than two - a plugin as complex as a browser, inside a browser.

I believe Safari already did this in the 6.0 version. I hadn't upgraded my Flash and I got a [Plugin Blocked] message wherever there should be some flash content.

After upgrading Flash I started seeing ads there again :P Not sure if upgrading was the right thing to do :D

(comment deleted)
This is a great, flexible solution. Props to Firefox team for making an extra effort to protect their users.