Earlier this week, news got out that Apple was shipping an outdated version of Adobe’s Flash Player with Snow Leopard; if you updated to a more recent version before the upgrade to Snow Leopard, you would receive a downgrade. This older version had security holes in it, so Adobe advised everyone to upgrade. The Mozilla team has now announced that Firefox 3.5.3 and 3.0.14 will include a Flash version checker.
Thanks to the near-ubiquity of the Flash plugin, it’s a very attractive attack vector for people with malicious intent. It has been shown that 80% of the people who have Flash installed are using an outdated version, so the Mozilla team has decided to take matters into their own hands, and will include a version checker in Firefox 3.5.3 and 3.0.14.
“Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk,” Mozilla’s Johnathan Nightingale writes, “For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version.”
The checker is not an integral part of Firefox itself, but is instead part of the “What’s new?” page after upgrading to the latest Firefox version. This page will inform users that their Flash version is out of date, and will direct them towards Adobe’s Flash site where they can download the latest version.
Mozilla will work with other plugin providers to build-in similar functionality for other plugins than Flash. Even though I’d rather see this as an integrated part of the browser, Firefox is at least taking the first proper steps to address the Flash issue.
What about Java?
What about Quicktime?
What about Unity?
What about VLC?
What about …
In the comments: (emphasis mine)
Good to see megacorporation Mozilla spending time and resources for little ‘ol non-profit Adobe.
Oh wait..
Is is disappointing to see an open source project helping distribute updates to proprietary extentions. This is like the Linux kernel team pushing out update notices for closed nvidia drivers.
Where does it end? Silverlight? Sun Java VM?
Heh, good point. How exactly will the open web ever happen if MOzilla, supposedly one of the biggest advocates of such, is helping to push Flash?
How exactly are they helping to push Flash? It doesn’t recommend installing Flash on computers which doesn’t have it already, it only check the version of an _already installed_ one. And that IS a good thing! No matter if the software in question is proprietary or not, it is always important to stay up-to-date to avoid any security issues.
Is is disappointing to see an open source project helping distribute updates to proprietary extentions.
Why is it disappointing? Are you implying that only people who use free software should receive easy security updates and that the others should suffer?
No. I just imagine that Mozilla has finite resources, and now some of those resources are going to be helping update a specific, proprietary vendor.
If this was part of an upgrade to the general update framework then there wouldn’t be a problem. It seems to be directed at helping Adobe only.
The browser should enable easy updates of its extensions and stuff. Adobe should just make possible for Mozilla to provide such a feature, which seems to be the case already (on Windows, version with its one-click install). Distribution vendors do also allow updating the nVidia modules through package managers.
Edited 2009-09-05 17:18 UTC
I’d like to see Adobe do it right and provide the Flash plugin through the normal Mozilla process. Updates could be captured with the rest of the plugin updates and it wouldn’t be a visit to firefox.com then a visit to Adobe on updates day.
The same for Microsoft’s .NET plugin; why is it not provided through the existing Mozilla plugin framework rather than a — be it not disableable — backdoor into the system.
I’m still glad something is being provided at all but going through the existing framework could only be better for end users.
Because is the job of the vendors to provide the pluggins in this case MS and Adobe, not Mozilla.
Edited 2009-09-05 18:37 UTC
It is the job of Adobe and Microsoft to offer the plugins if they choose too. What I’m saying is that Mozilla already has a plugin delivery framework. I go to Tools -> Add-ons and select the plugins I wish to download. Adobe and Microsoft should be using that delivery mechanism just like all other Firefox plugins do. This would:
A. make plugin downloads an end user choice as it should be (MS .net addon surprise).
B. make plugin updates easily noticed and installed through the existing add-on update check.
I don’t see how providing the plugins outside of the established delivery mechanism provided for the browser benefits the end user.
I agree. But they shouldn’t go out of their way to help one specific addon, IMHO.
At some point, you have to step back from the ideology horse and focus a little on the current state. It’d be fantastic to see proprietary formats in the minority; even more so to see Flash taken behind the bard and shot in the face. The unfortunate current state is that most websites now use flash if not over-use it and there are a whole lot of folks out there with little concept of safe computer use who are not keeping up to date.
If Mozilla can help end users keep more up to date and safer then we can go back to replacing the proprietary formats entirely. I’m all for anything a company can do to promote safe hex. I’ll even back MS where the implement true security functions rather than UAC type theater.
They’re doing it because any security woes with the plugins they (Mozilla/Firefox) end up getting the splash back. One only needs to look at the morons on this website who salivate at the mouth when a ‘security’ issue ‘plagues’ Safari on Mac OS X but they deliberately leave out the fact that it is relating to Flash or some third party plugin.
Maybe when people differentiate between the browser, the plugin, and who is responsible for what – then Mozilla/Apple wouldn’t need to distribute updates for plugins provided by third parties.
Doesn’t Firefox already have the ability to check for updates to installed extensions? I’m sure those Firefox messages about needing to update Adblock-Plus and Noscript meant something. Why not just add this for plugins and skip all this crap?
I new it wasn’t my imagination that flash was downgraded. So good and yet so bad… Java 1.5 still, and then downgrading Flash?
See, how easy that was?
As other’s have posted, Mozilla isn’t pushing the install of a plugin, they are simply providing a work around to notify the user about existing installs which are out of date. That’s not corruption, that’s providing a beneficial service to the end user where the original developer (adobe) hasn’t.
Try to think outside the Church of OSSentology for a minute. Your making the rest of us Foss loving folk look bad.
Hey! That’s my line! 🙂
Seriously, though, I worry about Mozilla Corp. All those many 10’s of millions of Google dollars they’ve come to depend upon do leave the door open to distorted thinking. Not necessarily in this case. But just in general.
BrendaEM just got a +1 from me for being vigilant. I make no assertion regarding the right or wrong of it.
I wouldn’t suggest that any business is inherently trustworthy. Even more transparent one’s should be considered with healthy suspicion. One simply should take that to the extreme of unhealthy suspicion by assuming conspiracy behind every action is all. Glad you liked the line though and that you gave the former a thumbs up for vigilance.
I never got all the hostility against flash.
I agree that full flash sites are a nightmare and of course I would love to see an open equivalent, but when a customer wants pretty moving stuff on his site, he wants it cheap and he wants it accessible from anywhere there really isn’t another option.
“accessible from anywhere” is not what it used to be.
Plugins have to be implemented by the one vendor where they choose and whilst they can provide a strong feature-set they cannot compete with open standards that anybody can implement on any device, anywhere.
You can never target everybody with Flash now that so many mobile platforms are available, and even those with Flash support a subset and the performance is abysmal compared to alternatives (e.g. HTML5 video).
I think you just spelled it out; Flash makes it too easy to inject ‘pretty moving stuff’ on to web pages, even when it’s not needed 98% of the time. Not to mention that it hijacks the right mouse menu.
Flash is Web 2.0’s version of the blink tag, but only 100x worse. I wouldn’t miss it if it went away tomorrow. At the very least, I think any web developer who uses Flash should be forced to sit through 10 dialogs of “Are you absolutely SURE that this f**king lame animation is needed at this time?” At least then, maybe people would think twice about using it (or OVERusing it I should say).
Edited 2009-09-05 23:37 UTC
You Flash advocating turd! That’s 99% of the time. Don’t try to spin it as 98%!
Nothing to do with the ascetic beauty or there lack of (as with the case of the blinking tag) – it is the fact that within 5 minutes you find that your CPU cycles are chewed up by a solitary plugin and your battery power nose dives because of its bloat.
If Flash plugin was open sourced tomorrow and the issues were addressed – I don’t see a person here oppose its use. Someone said that Flash is like the blink tag – I disagree. Flash is like the jackass who uses a Java applet that brings the whole browser to a screeching halt – I remember sitting in front of my Windows 95 (many years ago) machine running Netscape Communicator praying that the Java applet wouldn’t bring down the whole browser (which funny enough I’d have either a download going in the background or working on an email). I still have the same sudden rush of fear run through my system even to this day when I see a Java applet or Flash plugin loading.
I wish Apple would stop being a PITA and get behind Theora or at least try to convince Google to open up their recently acquired treasure chest of IP to get HTML5 moving forward so that Flash, Silverlight and Java can be purged from my machine. If there is a hell, I hope there is a special place designated for website developers, owners and the developers of those technologies.
Edited 2009-09-06 02:34 UTC
Flash also “takes over” your browser. I’ve noticed that in FF, on windows and linux, and I think it did it in IE and chrome, if you are playing a video in flash and you type in a new address or click a link, 90% of the time, it won’t go to the new page until the flash video has ended! REALLY annoying.
And worse, it won’t load in the background either; for example, I’ll open a youtube video in a tab but focus on another tab – and the video doesn’t start load until I switch to it! why can’t it load in the background so when I am ready it is already downloaded and I can play it? then if you close the tab – there is a massive delay because of the flash plugin and worse the memory is never released when the tab is closed, the plugin never unloads when the tab is closed.
I think that you misunderstood what I said. Of course flash have its problems but right now it offers something that nothing else does. A really fast and easy way to create animations/RIAs.
We’ve seen that this is where the web is going. SVG and the new canvas tag are doing the same thing that flash is doing. And I don’t think that the video tag would exist if it wasn’t for sites like youtube, and these sites wouldn’t exist if it wasn’t for flash.
Of course flash has major drawbacks. The first one is that it’s a performance hog. The second one is that it’s a closed format. And of course the web developers that don’t know when and where to use it.
All I am saying is that flash is doing some great things and it is doing them since 1996. We should not dismiss it as a piece of s*** just because it’s not an open format. In an ideal world flash would receive some major optimizations (maybe tap on the GPU too) and Adobe would open the format so others could make development tools.
As for the problems you are facing I have never had problems when closing a tab/window with flash in it (I am using Opera on both Windows and OS X). And flash videos can’t load on the background because browsers power down all plug-ins when their page is out of focus to save some cycles for the rest of the browser.
No one I know is dismissing it solely on the grounds of it not being an open format; to paraphrase Thom; if Flash was written by Hitler, Stalin, Satan and Pol Pot but the net result was a plugin that was light, stable and robust – I wouldn’t give a toss.
For most people the issue is Flash’s shear crappiness rather than it having anything to do with its open or closed nature. If it we were all worried about something being closed – no one would be running PC’s with its proprietary chips, firmware and CPU ISA.
It’s great that Mozilla is doing this, but the real problem is that Adobe needs to make it easier to manage Flash. I run Windows and I have Adobe Reader (free) installed. It comes with a program called Adobe Updater. Adobe Updater does not update Flash. My friend who freelances in computer illustration has one of the Adobe Creative Suites… Thee CS4 version. It has Illustrator, Photoshop, Flash Professional (to make those Flash animations) and probably some other stuff he doesn’t use. It also uses Adobe Updater to update the package. It updates Illustrator, Photoshop, and Flash Professional; but it DOES NOT update the Flash plugins for the browser. Never mind that CS4 automatically installs Flash (an old version, by the way) in all of your browsers.
OK, Flash itself comes with an update mechanism. If you never seen it though, I wouldn’t be surprised. By default, it only checks for a new version once every 30 days! You can change that setting, but only by visiting a web page on Adobe’s server! (This page to be exact http://www.macromedia.com/support/documentation/en/flashplayer/help… ) There is just so much wrong with this set up, I don’t even know where to begin.
I’m reminded of a recent quote on Bash.org:
“jesus if i can run this myspace page i could probs run crysis”
The web is better without Flash, but if we must have it, at least warn people when it’s out of date. This shouldn’t be Mozilla’s job; it should be Adobe’s job, and in an idea world it would be your OS distributor’s job.
In a super ideal world Adobe would fully open Flash and leave it up to third parties to implement and then certify compatibility via a certification scheme – having that sort of of technology handled by the browser producer who know what they’re doing.
When it recommends changing/updating software, it should suggest updating to the latest version of a good free software player such as Gnash:
* http://www.gnu.org/software/gnash/
When it recommends changing/updating software, it should suggest updating to the latest version of a good free software player such as Gnash:
Gnash might be good for a geek or someone who understand the limitations of it, but it still isn’t good enough to replace Flash on non-geek computers. It still is incompatible with Flash in many cases, it is very crash-prone on my computer (can’t say about others) and so on.
Sure, when Gnash works on 99% of the Flash websites without issues then it would make sense for FireFox to promote Gnash instead, but it’s just not there yet.