Should Flash plug-in be activated by default in new profile?

Discussion of general topics about Mozilla Firefox
User avatar
Mo_D
Posts: 774
Joined: January 4th, 2006, 6:34 pm

Should Flash plug-in be activated by default in new profile?

Post by Mo_D »

I have the Flash plug-in installed in my main profile and set to “never activate”. If I create a new profile, Flash is automatically set to “always activate”. That seems counter-intuitive to Mozilla’s policy towards blocking Flash by default.

The other issue I noticed is that in my main profile, the Flash version is marked as outdated and vulnerable. In the new profile, there is no such indication, although it is the same version.

These two issues combined seem a little dangerous.

This may become irrelevant once Firefox goes click-to-play on Flash content, but for people running older versions, I thought it was worth mentioning.
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: Should Flash plug-in be activated by default in new prof

Post by Happy112 »

Hi Mo_D !
Complete stab in the dark, but could it be that your Flash is now up to date : Flash Player - latest version 25.0.0.148 and
Shockwave Flash - latest version 25.0.r0 ?
That would explain why it's no longer marked as outdated and vulnerable.
But again : complete stab in the dark .....
User avatar
Grumpus
Posts: 13238
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Should Flash plug-in be activated by default in new prof

Post by Grumpus »

From what I've read Flash is a default in the newer Windows versions (52 +) of Firefox with a number of other plugins disabled.
If you had VLC or Quicktime in the plugins list they would not show unless you had added the boolean item plugin.load_flash_only in about:config set to false.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you
User avatar
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Should Flash plug-in be activated by default in new prof

Post by therube »

A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather then any other defaults.

In particular, pertaining to updating.
If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.

So a way to globally disable updates, or set Flash to disabled, would be nice.


about:plugins still show the path to the Flash plugin?
Make sure it is the expect file in the expected location.

Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: Should Flash plug-in be activated by default in new prof

Post by Happy112 »

Probably a redundant remark, but as of Firefox release version 52, support for ALL plugins was dropped, EXCEPT for Flash.
Personally, I think it's rather user-friendly having the choice to set Flash to either 'always activate' or 'never activate'.
User avatar
Mo_D
Posts: 774
Joined: January 4th, 2006, 6:34 pm

Re: Should Flash plug-in be activated by default in new prof

Post by Mo_D »

therube wrote:A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather then any other defaults.
I certainly understand your reasoning, but a new profile is used to diagnose issues and is expected to be in a particular default state. Having individual preferences available would throw a monkey wrench in to that diagnosis process.
therube wrote:In particular, pertaining to updating.
If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.
Yes, I found this out the hard way. No big deal for me, but it could be a big deal for some people. Again, it's not necessarily expected behavior. If you think it through, it makes sense, but the average user might not expect it.
therube wrote:about:plugins still show the path to the Flash plugin?
Make sure it is the expect file in the expected location.
Main profile

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Disabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 25.0 r0


New profile

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0


Current Mac version available from Adobe.com: 25.0.0.163

therube wrote:Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...
Not sure what you mean by that. Maybe the info I copy/pasted above from about:plugins will answer your question.
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Should Flash plug-in be activated by default in new prof

Post by barbaz »

Sounds like your main profile has a recently updated blocklist, while the new profile doesn't (yet).
User avatar
Mo_D
Posts: 774
Joined: January 4th, 2006, 6:34 pm

Re: Should Flash plug-in be activated by default in new prof

Post by Mo_D »

barbaz wrote:Sounds like your main profile has a recently updated blocklist, while the new profile doesn't (yet).
I assume that update would run on launch, or 2nd launch, like software update? But it didn't. Or maybe only 24 hours later since the blocklists are updated daily?

This new profile was created today, but I noticed the same thing on a new profile I created yesterday. I deleted yesterday's profile yesterday after I finished the test I was doing. I'll launch this new one tomorrow and see if it updates.

That's all somewhat academic. The vulnerability still remains. I imagine others like me rarely update Flash anymore since I rarely use it. Someone could launch a new profile with a very old version of Flash automatically activated.
User avatar
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Should Flash plug-in be activated by default in new prof

Post by therube »

127
Well there you are.
You are out of date.

(I wouldn't know about Mac.)

In the new profile, there is no such indication
Maybe the new Profile just hasn't gotten around to updating blocklist.xml.

Compare blocklist.xml between old & new.
(Or maybe just sear blocklist.xml for, 25.0.0.127 - it should be there.
Do this with FF closed, cause if you open it, it might update ;-).)
Not sure what you mean by that.
Flash can't update if it is in use.
So it will wait, could wait, until the next browser restart, & if you're the type that doesn't restart...
(At least it's like that in Windows. I wouldn't know about Mac.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: Should Flash plug-in be activated by default in new prof

Post by Happy112 »

therube wrote:
127
Well there you are.
You are out of date.

Please, see my earlier post : the latest version of Flash Player is 25.0.0.148
User avatar
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Should Flash plug-in be activated by default in new prof

Post by therube »

Right.
But at the time, we didn't know what actual version Mo_D was running.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
User avatar
Mo_D
Posts: 774
Joined: January 4th, 2006, 6:34 pm

Re: Should Flash plug-in be activated by default in new prof

Post by Mo_D »

You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.

There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.

In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.
User avatar
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Should Flash plug-in be activated by default in new prof

Post by therube »

If you consider Flash dangerous, then no.

Anyhow, did you check your blocklist.xml?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: Should Flash plug-in be activated by default in new prof

Post by Happy112 »

Mo_D wrote:You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.
You're right. Sorry. Speaking for myself : I'll stay off your back.
There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.
And thank you for that !!!
In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.
Would you consider posting this here :
https://qsurvey.mozilla.com/s3/FirefoxInput/
User avatar
Mo_D
Posts: 774
Joined: January 4th, 2006, 6:34 pm

Re: Should Flash plug-in be activated by default in new prof

Post by Mo_D »

therube wrote: Anyhow, did you check your blocklist.xml?
I did not. I forgot to do that before I deleted the profile. What I did do was open the profile this morning to see if Flash was marked as outdated, and it still was not. Then I visited mozilla.org and support.mozilla.org to see if that would trigger a blocklist update. It did not. Then I visited youtube and played a video. In the past, when I still used Flash regularly, this would normally trigger a notification that an update was available. But this did not trigger a blocklist update either. Finally, I visited adobe.com and played a video there. After visiting adobe, then the plug-in was marked as outdated, which I assume means the blocklist would have been updated if I had checked it.

So the blocklist process is still a bit of a mystery to me. I know it's updated once daily, and is supposed to be updated at startup. Beyond that, I dunno. Whatever the process, it seems too slow to save you in the scenario I'm describing. It seems to me that a fresh blocklist should be fetched on launch of a new profile. Even copying the existing blocklist seems like it would be preferable. If I’m correctly parsing what is happening, a blocklist is not downloaded until it is triggered by a script from adobe.com, or a certain amount of time (24 hours?) has passed.

This is from my current profile: blocklist lastupdate="1483471392954" What the heck is that? How many seconds ago? Out of curiosity, I just created another new profile and it has the same exact number. And the Flash plugin is still not shown as outdated. Searching for “25.0.0.” within the blocklist turns up no results. There are multiple items that appear to relate to Flash, so I can’t tell which is the right one.

I don’t need to know how all this works, but I am a little curious now. I’m sure there’s documentation somewhere…
Post Reply