Mozilla To Bug Firefox Users With Old Adobe Reader, Flash, Silverlight
An anonymous reader writes "Mozilla today announced it will soon start prompting Firefox users to upgrade select old plugins. This will only affect Windows users, and three plugins: Adobe Reader, Adobe Flash, and Microsoft Silverlight. Mozilla says Firefox users will 'soon see a notification urging them to update' when they visit a web page that uses the plugins."
update (Score:5, Funny)
Update at 5:10PM EST: No dice. “At this time, Mozilla does not have additional information to share beyond the blog post content,” a Mozilla spokesperson told The Next Web in a statement. “We’ll be sure to update you once we have additional details to share regarding the timing, version(s) impacted and visual look of the message.”
Re: (Score:2)
Suggestion:
gxmessage -noescape -borderless -title WARNING! -buttons UPGRADE:44,ALLOWBANKINGDATA:666,PORNSPAM:333 -center "This is warning you that you have a defective OLD plugin. Press a button, any button but we suggest the UPGRADE button. Otherwise press the ALLOWBANKINGDATA button to send your banking data to a criminal, press the PORNSPAM button to have your PC hijacked and receive porn that will shatter your fragile little mind."
Re: (Score:2)
I think Firefox (or rather Mozilla) cares about their users' experience primarily.
In this respect Silverlight is as much an "established competitor to Flash" as malware is.
Re: (Score:2, Funny)
I regard all Adobe products as malware, I thought everyone did.
What to replace Photoshop or Illustrator? (Score:3)
Re: (Score:2)
Baloney, and doubly so that they picked Silverlight over Java. Silverlight is used for precisely one website, and is updated (IIRC) through Windows Update. Java has its own BS updater, and is probably the most widely used malware vector.
Re: (Score:2)
Version lag; DRM (Score:2)
What's with all the nerd rage over Silverlight?
Two things: First, Moonlight has historically been exactly one version behind Microsoft's implementation, making it useful for displaying messages to the effect "You are using an outdated version of Silverlight. Please update Silverlight at Microsoft.com and then display this page again." Second, Microsoft encourages Silverlight video providers to require Windows Media digital restrictions management but makes no provision for Moonlight to implement DRM.
Re: (Score:2)
People use Silverlight?
Re: (Score:3, Interesting)
Re: (Score:2)
It doesn't mean they are using computers with Silverlight installed.
Roku, game consoles, Google players, a lot of TVs and DVD/Blu-ray players, tablets, and phones play Netflix.
Re: (Score:3)
It doesn't mean they are using computers with Silverlight installed.
Roku, game consoles, Google players, a lot of TVs and DVD/Blu-ray players, tablets, and phones play Netflix.
This doesn't make any sense. They can't count Roku as Silverlight traffic because Roku and other embedded platforms DO NOT use Silverlight.
Re: (Score:2)
Yes that is the point I'm making
Re: (Score:2)
Yes that is the point I'm making
Somehow I read first message as "30% of internet bandwidth in North America was being used by Silverlight. Netflix still uses Silverlight ergo Netflix = 30%". My bad.
Re: (Score:2)
The other 70% was being used to download updates to Adobe Reader and Flash.
Re: (Score:2)
Re: (Score:2)
I'll go with "not all Netflix devices use Silverlight". I would bet that Silverlight is a minority of Netflix's traffic. I'm pretty sure the set-top boxes, game consoles and optical disc players with Netflix aren't using Silverlight. Wii and PS3 don't use it. I know Netflix iOS doesn't use Silverlight in a conventional sense, if at all. I don't even use my computers to watch Netflix, it's a console or a set-top box.
turn it off? (Score:5, Interesting)
Anyone know if it can be turned off? I got some crap that gets broken with new versions of Reader.
Maybe I'll just have to switch browsers.
Re: (Score:2)
Re:turn it off? (Score:4, Interesting)
Re:turn it off? (Score:5, Insightful)
I run Win2k ...
Firefox has detected an old version of Windows. It is strongly recommended that you upgrade Windows to the latest version.
Without buying something (Score:2)
It is strongly recommended that you upgrade Windows to the latest version.
I'm not aware of a way to do so without buying something.
Re:turn it off? (Score:5, Informative)
I run Win2k and Flash can't be upgraded any more anyway. And I use Acrobat 4. I don't want any later version. I don't want to be nagged to upgrade things. I know what I have and I know what I need.
Actually, when you look at the Archived Flash Player versions [adobe.com], it seems that the 10.x line (the last one compatible with Windows 2000) still gets some kind of minor updates.
Re:turn it off? (Score:5, Insightful)
Opera is probably the wisest browser choice for Win2K.
Then again, using an OS that stopped getting security updates more than 2 years ago on an Internet-connected computer implies you don't care much about making wise choices.
Re: (Score:2, Interesting)
Opera is probably the wisest browser choice for Win2K.
Which is my default browser. But some sites just don't work and then I resort to Firefox.
Then again, using an OS that stopped getting security updates more than 2 years ago on an Internet-connected computer implies you don't care much about making wise choices.
Or it shows that I don't trust the OS whether updated or not and have a hardware firewall and third party security software. And use a version of Windows that doesn't try to call home or have IE embedded so deeply in it.
Maybe having been online for over 20 years and never having a malware infection implies I actually have a clue. (Or maybe I'm just too dumb to realise how much malware is on my PC, feel free to believ
Re: (Score:2)
You don't have to use IE on the Internet, so it shouldn't matter whether IE is on your computer.
I gave up on Windows 2000 two or three years ago when most developers stopped supporting it and compatibility quality gradually degraded as a result.
Good user habits are important, but it's not a comprehensive solution. For one, even reputable sites get hacked.
Re:turn it off? (Score:4, Insightful)
You don't have to use IE on the Internet, so it shouldn't matter whether IE is on your computer.
It's very hard to stop Windows from using IE in one way or another. Every now and then it pops up when hardcoded in some applications. But I've blocked it at the firewall so it's effectively neutered (I hope).
I gave up on Windows 2000 two or three years ago when most developers stopped supporting it
It's only this year the apps I need to use have started to become incompatible. MS made changes to their compilers last year I think and basically forced the issue. While modders are fighting a rearguard action to patch Win2k, I'll probably move to XP next year. I regularly use a lot of quite old software so am dragging my feet. I could do it all in emulation on a newish PC, and may end up doing that a few more years later. Maybe hosted on Linux. Unix was my first OS, so I'd be happy if I could get back to that and still use my DOS and Windows apps.
Re: (Score:2)
Re: (Score:2)
It's very hard to stop Windows from using IE in one way or another. Every now and then it pops up when hardcoded in some applications. But I've blocked it at the firewall so it's effectively neutered (I hope).
No, it's not. Office and help files both use IE in varying capacities. But regardless, it would help if you were actually running a version of IE that wasn't horribly broken, slow, and vulnerable to viruses.
You think you're being clever and that somehow newer versions of Windows are better, but as an IT consultant who deals with all too many virus issues, please just accept that out of date software is a really bad idea for anyone browsing the web. More than anything you might be protected by the fact that
Re: (Score:2)
Re: (Score:2)
You think you're being clever and that somehow newer versions of Windows are better, but as an IT consultant who deals with all too many virus issues, please just accept that out of date software is a really bad idea for anyone browsing the web
No, I think I'm broke and can't afford to buy a new PC and OS and Adobe Creative Suite 6. So I make what I have work. Rather than spend a lot of time and money on the shiny and at the end of the day not actually be more productive, since 50% of the computer is devoted to security software and second guessing everything I want to do.
More than anything you might be protected by the fact that viruses are broken on Win2k.
Exactly.
We're talking about Microsoft updates. They're never "up to date". I've got a friend with Win 7 laptop, it's always got 100s of MB of Windows updates pending. I inst
Re: (Score:2)
Re: (Score:2)
1. Seriously, he comes from a time when anyone posting to Slashdot would know how to avoid malware vectors regardless of the system he runs. I'm sure he knows all of this.
2. ASLR and DEP are useful but often break old software that uses self-modifying code.
3. The internet was 'dangerous' in 1998 too. Arguably more dangerous in terms of service denial to individual hosts because it was so much easier then (WinNuke etc), but these were easily dealt with if one knows what's up. Today, the biggest threat is s
Re: (Score:2)
Seriously, he comes from a time when anyone posting to Slashdot would know how to avoid malware vectors regardless of the system he runs. I'm sure he knows all of this.
Antivirus, firewalls, and "being clueful" will not protect you from viruses. There was a time when it would, and GP seems to be stuck in that time. These days, no-click 0-day exploits are all the rage, but lesser hacking rings rely on older exploits in the hope that people (like GP) neglect to patch regularly.
As for the internet being "dangerous" in 1998, no, not in the same way. You can find exploits straight off of Google depending on the day and query; I've had the top results for things like "frame re
Re: (Score:2)
Antivirus, firewalls, and "being clueful" will not protect you from viruses. There was a time when it would, and GP seems to be stuck in that time. These days, no-click 0-day exploits are all the rage, but lesser hacking rings rely on older exploits in the hope that people (like GP) neglect to patch regularly.
And yet, after 20 years online, I remain without any infections. Every time I try to explain my methodology, people just come along and tell me that either I'm lying or that I already have a dozen rootkits and haven't noticed.
As for the internet being "dangerous" in 1998, no, not in the same way. You can find exploits straight off of Google depending on the day and query; I've had the top results for things like "frame relay cisco 1700" take me to attack sites. Big name sites like Facebook can infect you through their ad system. The days where you could just "stick to sites you know" are long, long gone, and the idea that you can just be clever and not run binaries off the web to stay safe is likewise outdated.
I browse some pretty sleazy sites. Still, not infected. (Well, not since I got WDEF from a floppy on a Mac in about 1991.)
I'm not unfamiliar with more up to date software. I clean viruses off my friends' and family's PCs, using XP and Win 7, and set them up with some antivirus and firewalls. I put Ubuntu on my daughter's laptop, since she's not going to listen to me about what's safe and what's not, so I didn't give her a choice.
I'm not evangelising my methods, but they do work for me, for the software tasks I need and the hardware I have. The only serious issues I've had in the last 10 years have been hardware related. But I don't imagine I'm invulnerable, I make backups.
Re: (Score:3)
Re: (Score:2)
Maybe having been online for over 20 years and never having a malware infection implies I actually have a clue
The fact that you think being "savvy" has anything to do with getting a virus-- as opposed to running woefully out of date, known vulnerable software-- shows that you do not.
Protip: 90% of virus attacks require no user interaction-- just out of date software.
Re: (Score:2)
While I detest the whole IE 6 fiasco, and generally IEs before that were useless, mixing "the whole COM idiocy" into the discussion shows you're, well, clueless. COM is a way of instantiating and calling methods on objects. Nothing more, nothing less. It comes with a bunch of OLE APIs for other things (say structured storage, control embedding, ...), but nobody forces those upon you. I'd say there's nothing to complain about w.r.t. COM, apart from the fact that the design has some unnecessary idiosyncrasies
Re: (Score:2)
I'm pretty sure you will see your response as a knee-jerk response since someone stepped on a sensitive toe of yours.
Re: (Score:2)
Re: (Score:2)
That's bull. Why should anybody have to spend hundreds of dollars to replace a perfectly functional system?
Re: (Score:2)
...And this is why we have a botnet problem.
Seriously, his system is 13 years old. Either A) decide you can live with Wine and get on a Linux distro that still gets updates, or B) decide you really do need Windows and pony up the $100 so that we don't have to deal with your spambot infested box.
Re: (Score:2)
No it's not. We have a botnet problem because people download and run crap to see their porn and to 'make 5000 a week in their home office'
Once again, ignorance is displayed. Something like 90% of infections are thru vulnerable plugins, and require no user interaction. Every year at Pwn2Own, machines from Windows to OSX across a number of browsers are compromised with NO user interaction.
Most of the bots are on windows XP and 7, and soon 8.
Most of the computers are on those OSes, which makes that kind of a tautology.
That you really think that modern viruses require user interaction, and insist on running outdated software, kind of scares me.
Re: (Score:2)
They don't have to buy a new machine. They could also change to a Linux distribution that is suited to their hardware performance-wise and still runs current versions of those plugins (not that I think anyone really needs Silverlight).
Re: (Score:2)
Depends if he offers to cover the expense of every person on the internet that has to deal with the spam and DDOS attacks his machine is likely participating in.
I don't care if your car is 10 years old, but when it's belching smoke like a refinery and the brakes only work on Tuesday, you have just become a liability and a threat to every other person on the road. In short, now you ARE my problem, so take the damn machine in and get it road/net worthy!
Re: (Score:2)
Re: (Score:2)
The drawback of using an OS that stopped getting security updates more than two years ago is that any new exploits are unlikely to be fixed.
The benefit of using an OS that stopped getting security updates more than two years ago is that because of its low market share it's much less likely to be targeted.
Re: (Score:2)
Re: (Score:2)
Plenty of damage without admin privileges (Score:2)
XP is still one of the largest targets for malware there is thanks to its brain dead "hey let's all run as admin!" design
Malware can do plenty of damage without administrative privileges. It can infect all executables that are installed in your user account in "Install just for me" mode. It can destroy or disclose the documents in your user account. It can use your computer's network connection to serve spam or child pornography.
Re: (Score:2)
I remember when JS was introduced to Acrobat in version 4 - it was surprisingly permissive, allowing system calls for instance. I think they (Adobe) have certainly learned a lot about the wonderful world of security in the 6 major versions since then.
Two questions... (Score:2)
1) Why are you using the Adobe Reader web browser plug-in? Downloading and opening PDFs is much safer.
2) Why are you using a version of Adobe Reader that has known security vulnerabilities? If Reader doesn't do what you want, there are alternatives.
Keeping software up to date is important for staying safe. But perhaps this is not a concern for you.
Re: (Score:2)
Instead of a lecture, do you have an answer to the question that was originally posted? All we are getting is BS and no solution as to how to disable the damn thing.
Re: (Score:2)
1) OP is too lazy to update his software, so we told him to update his software. (most likely).
2) OP uses an Intranet system that requires old versions, in which case he should let IT deal with it and stop fucking up corporate computers.
3) OP is the IT from scenario 2 and should be fired for not knowing how to do his/her job.
Re: (Score:2)
Enjoy your viruses.
As others have suggested, it's probably a really really good idea for you to remove that plugin and just download the PDFs manually. The internet would collectively appreciate it if you didn't join the botnet.
Re: (Score:2)
Re: (Score:2)
Is that the royal "We"?
Anyway there is a difference between the least shitty web browser and an excellent web browser, although the 64bit Nightly build on Win7 isn't too bad.
Re: (Score:3, Funny)
We believe that Firefox is an excellent web browser.
I think a similar thing might have been said by some guy in my signature.
Re: (Score:2)
> "We believe that Internet Explorer is a really good browser" - Steve Jobs, 1997
Steve Jobs said that at Macworld Boston 1997 when announcing a deal with Microsoft where they would make IE the default on the Mac, essentially in exchange for Microsoft to continue producing MS-Office for the Mac. He got BOOED loudly when announcing that. Anybody really interested in that quote should see the video. The way he said it, you could tell he had a virtual gun to his head.
http://www.youtube.com/watch?v=WxOp5mBY9I [youtube.com]
Re: (Score:2)
Sadly he was right, because Internet Explorer was actually better than Netscape.
Re: (Score:2)
The main thing I remember about Internet Explorer for the Mac is that it translates edit box text to MacRoman (or presumably another legacy Mac encoding on systems set up for different languages) before letting the user edit it and then translates it back. This was a MAJOR pain for any website that lets users edit existing Unicode text.
Re: (Score:2)
Re: (Score:3)
Allow me to elaborate on laurelraven's 3-letter pimp-slap. ADP (Automatic Data Processing) has a market cap of 28.83B. According to ADP's 10-k from 2009, ADP processed payroll for 570,000 companies, delivered 51 million year-end tax statements (W-2), delivered 39 million employer payroll tax returns and deposits.
That's a pretty large site. Judging by the ignorance of your response, I'd say this is your first experience in taking the piss. Remember, the dinosaurs were on top of the Darwinian survivalist
Great, more prompts (Score:2, Insightful)
If you know what the right thing to do is, just do it. If you don't know, don't bug the user about it. I get the calls when you show the unwashed masses around me yet another incomprehensible prompt about some thingamabob inside their computers that they didn't know was there in the first place. Make it work or shut up.
Before (Score:4, Insightful)
Re:Before (Score:4, Interesting)
You realize, of course, that not all of us need or want to stay at the bleeding edge of every product we use?
Most people just want the same thing they used yesterday to work today. Most people get really, really annoyed when what worked yesterday starts nagging them to upgrade today (or worse, "Adobe Flash (malware) has been blocked for your protection" - Fuck you, Moz!).
Keep it up, guys... Google can't thank you enough for pushing us to use Chrome. And yes, I know that Chrome updates itself, but it doesn't change (aka "break") anything each time.
Re: (Score:3)
Re: (Score:2)
I don't have a problem with autoupdating (though I absolutely do think every piece of software should explicitly ask first).
I have a problem with non-manual updates that break things - Like Flash. Like older plugins. Like Fiddler. Like the size of my goddamned personal toolbar icons (lookin' at you, FF4!).
I have no problem whatsoever with semi-automatically repairing bugs, or even adding new features under the hood. I have a huge problem with breaking legacy support w
Applications that phone home (Score:2)
Another common (and erroneous) belief says that every computer everywhere must work online.
This is the consequence of applications that phone home to validate the subscription to the application.
A mostly-offline home media machine. I don't give a damn if it has 10 year old software riddled with security holes, I don't give a damn if it has up-to-date antivirus software, I don't give a damn if it has Firefox 3 and Flash 7 on it - It plays all my music, it plays all my movies
But how do you add music and movies to it? Doesn't the movie playing application have to phone home to download the movies or at least to validate your subscription to movies? If not, what am I missing?
Re: (Score:2)
Re: (Score:2, Funny)
I think that updating Adobe's PDF reader every minute means you'll still be behind the curve. The amount of effort they put into updating that thing is amazing. My ability to read textual documents using it has come a long way in the last 5 years - there's just no comparison between reading pdf documents then and now.
Workaround (Score:3)
Re: (Score:2)
To bypass this nagging, just continue to use an old release of Firefox.
I use 3.5.7 (for various reasons, including better support for some protocols), and trust me, the nag dialog is there too. Got one yesterday before I read the /. article, was like "wtf?"...
Life is short. (Score:3)
When sites say I "need" Java or Flash, I just click the little x on the upper right corner of the screen. More time for real life.
Flash needed to prepare to go outside (Score:2)
When sites say I "need" Java or Flash, I just click the little x on the upper right corner of the screen. More time for real life.
Unless the web site that uses Java or Flash is one of the web sites that helps you prepare "for real life". For example, the (U.S.) National Weather Service used to use Java to cycle images in its radar loops; now it uses Flash. I use the radar loop to see whether I can squeeze in outdoor activity before or after the rain hits.
Mozilla targeting wrong people (Score:5, Interesting)
As a Linux user, Mozilla should be targeting Adobe not me. For example, Adobe released a non-working version of their Flash player, it changes the colours of video on places like YouTube if you have hardware acceleration enabled. To get proper colours you have to disable hardware acceleration, which has a massive impact on system performance, even on a dual core machine.
To add to the problem, Adobe said they will no longer be working on Flash for Linux (at least the 64 bit version). So they released a known buggy version, and refuse to revert to the previous version that worked.
Me updating is not the problem, it's companies like Adobe that need to be targeted.
Blue people (Score:2)
No more blue people on YouTube.
What, did they file a DMCA takedown for Avatar again?
Fine! Make me update Silverlight (Score:2)
I'll just disable it again.
Business model: Annoy your users (Score:2)
Then there's Chrome constantly bugging me to log in and give other details so I can be tracked as if I was the star of The Running Man.
Why hello, Opera. How've you been?
Re: (Score:2)
While I sympathize with anyone who's trying not to get tracked in an internet that's become saturated with ways to be tracked, this May story seems relevant [slashdot.org]. I have a feeling that any such deal fell through after so much time, but you might want to remain vigilant, report misplaced baggage, buy American, et cetera.
(I had to undo 2 up mods to reply here; my apologies to those who lost the points.)
Disable (Score:5, Insightful)
I have no problem with Mozilla doing this as long as the user (or admin) can disable it through about:config.
Re: (Score:2)
Search for "blocklist"...
Pale Moon? (Score:5, Interesting)
Perhaps this browser will give you your "Firefox" experience without the upgrade "bugging" that Mozilla is introducing.
Re: (Score:2)
I tried PaleMoon, and alas it has all of the pausing and memory consumption problems of Firefox. With those issues still intact, 64-bit optimizations and other performance tweaks are meaningless.
Please, Mozilla, stop yelling at the plug-ins and fix the damn browser core, already!
catering to the tards (Score:5, Informative)
Flash's own updater royally sucks (Score:4, Insightful)
Flash Player's own updater never seems to appear until I reboot the computer, which is quite a rare event for me (sleep mode works fine, no need for shutting down). This is a bad design.
It took me a while to figure out what triggers the Flash Player updater to appear: It's in the Scheduled Tasks area. It runs daily at about 12:30PM, and it's set to stop trying to update 72 hours after it starts. So if you rarely reboot your computer, you don't get Flash Player updates.
None of this should be needed. (Score:5, Insightful)
None of this should be needed.
Microsoft should just allow third party critical updates through Windows Update. Flash, Reader, and Java flaws account for most of the malware installs, and most users are bad at keeping these things up to date. Running a stack of update utilities is irritating to advanced users and confusing to novice users. All this does is make the malware industry happy.
Re: (Score:2)
I am wondering why the Java plugin is not on the list. Its security track has been bad for quite a while, and it's on way more PCs than Silverlight.
If they put really insecure shit like Java on the list, several shady revenue streams might be threatened. And when that happens, the lucky ones get an unexpected visit from Fingers and Lefty and their baseball bats. The unlucky ones die slowly after a few bullets from an untraceable weapon.
Re: (Score:2, Informative)
The Java plugin already was on that list. They already warn for old versions of Java when the plugin is used.
Re: (Score:3)
In this day and age a minority of the web actually requires applets. The option should be to 'whitelist' only particular websites.
[Aside: I have a public JRE installed on a Windows box for work purposes. I may be vulnerable to rogue Java Web Start apps but there's a scary security warning each time I click on a JNLP link.
As for applets, I can sleep easy knowing there's no chance of infection. It's a 64bit JDK... All of the browsers from Mozilla, MS and Google are 32bit. So on my Windows machine no browser c
Re: (Score:3)
Netflix, Lovefilm and Sky TV all use it here in the UK because no-one's broken the DRM yet.
Re: (Score:2)
Indeed, one of the major sporting competitions here in Australia uses a Silverlight plugin to load videos via a Flash plugin.
On my Linux box I have Chrome set up with Moonlight for that particular website. I use Chromium sans Flash for regular HTML5 video browsing. (Firefox is a bit heavy for a P4).
Re: (Score:2)
> uses a Silverlight plugin to load videos via a flash plugin
What is the Flash plugin for in this scenario?
Re: (Score:2)
Well either the Silverlight plugin was displaying a fancy GUI just to load the videos and do the actual playback in Flash OR
Moonlight might have been offloading the playback.
Re: (Score:2)
If you are still running W2000, then Flash, Acrobat, etc are the least of your concerns.
Re: (Score:2)
What's exactly the problem with Win2K (outside of being Windows) if you're not directly facing a hostile network and are not suicidal to use Microsoft's client software (IE, Outlook, etc)?
Re: (Score:2)
The methods the malware industry commonly use. If you can't run the patched version of Flash, you can visit a legitimate website and get attacked by an infected advertising server. Easily.
Re: (Score:2)
What "protection" do you have in mind? Because for client programs I see no difference. You might be hit by a bug in the TCP/IP stack or in the stub DNS resolver, but I don't recall any serious ones there. So Windows 2K is only exactly as atrocious as Windows 7 or 8 is (there's that UAC snake oil, but it's really only mitigation of further damage after you already lose). In reality, save for low-level networking, security is all about actual network-facing programs, and if you keep them secure, you shou
Re: (Score:2)
I disagree.
The TCP/IP stack and other OS libraries not getting security updates is certainly a concern. However IMO for a machine behind an "outgoing connections only" firewall/NAT and running client software that makes little use of OS facilities (for example Firefox uses its own SSL library, not the Windows one) it is a relatively minor concern. Lack of security updates to client apps that deal with untrusted data is a FAR bigger concern IMO.
Re: (Score:2)