21

Good evening!

Today, I turned off my computer without any problems and went out. When I came back and tried to surf the net, I saw that my Firefox started giving me this problem:

"Shockwave Flash is known to be vulnerable"

I did some research about it and uninstalled and reinstalled the Adobe Flash Player plugin, but it didn't work. Also, my Flash Player is up to date (Version: 11.02.202.481). And I use Lubuntu, by the way.

Thank you for your support!

Mabox
  • 243
  • 2
  • 8
  • 3
    So what's your question? All I see are a bunch of declarative statements. Stack Exchange sites are for specific, answerable questions -- I don't see any question in your question. I encourage you to edit it to clarify what you are asking (and what research you've done). Don't make us guess or assume what your question is. – D.W. Jul 15 '15 at 00:21

3 Answers

21

Mozilla, which develops Firefox, imposed the block because recently unearthed bugs in Flash were being actively used by cyber-thieves.

The bugs were detailed in a cache of documents stolen from security firm Hacking Team that was hit by attackers last week.

Adobe said it took Flash's security "seriously" and was planning bug fixes.

Source

There is now no way to make it always active without some prompting, but you should be able to allow Flash for individual content by pressing the Activate Adobe Flash:

enter image description here

Or you can enable it for the site, and even choose to remember that you want it active for that site:

enter image description here

  • 1
    I know Firefox disables the plugin because it's old, and their code wants to see a more recent version - the way around this is the wrapper plugin which utilizes Chrome's Pepper Flash plugin instead of the old Linux native plugin for Flash. – Thomas Ward Jul 14 '15 at 19:10
  • 1
    Your note about the Firefox disabling Flash due to recent vulns isn't the only reason though, and has applied for the Linux side since they discontinued newer versions because Version Num < SomeVal. True, the recent major vulnerabilities have pushed this to ALL current versions of Firefox and such, however this issue of Flash not being enabled has been around since before the latest vulns. The solution is to update it (which we can't do since there's no new plugins since Adobe pulled support), or use Chrome (and either Chrome itself or the Firefox wrapper that uses Pepper Flash) – Thomas Ward Jul 14 '15 at 19:12
  • @ThomasW.: Yes this is true, however, the specific warning the OP was getting is because of Mozilla making it so that Flash is on 'Ask to Activate' mode, and this has been prompted by the latest vulnerabilities being disclosed. This may be something that they were planning to do for a long time as it is no longer properly supported, however, this is not the direct reason for them putting it on this mode as default at this time. –  Jul 14 '15 at 19:17
  • ACK on that, however, it's still possible it was dropped in the 'unsafe, prompt to run' category previously too, was overridden, and then that was forced again. Not sure, but I've seen that too recently. (I am a strong supporter of killing Firefox Flash anyways, but eh) – Thomas Ward Jul 14 '15 at 19:26
  • Torodial, it's a well-written answer, upvoted... although you should consider emphasizing the vulnerability a bit more before giving the workaround, I think... Thomas's answer seems far more logical to me... – heemayl Jul 14 '15 at 19:36
  • 2
    Terrible UX. I couldn't care less if Flash disables itself on random websites, I only have Flash enabled on YouTube, but the fact that it prompts me again to re-enable it with a small-ass icon in the address bar is awful and just the latest example of software trying to be too clever. It could have a popup, like, you know, every other prompt in Firefox? – Thomas Jul 14 '15 at 19:42
  • 4
    Flash 11 for Linux is still getting security updates, but the problem here is that Adobe overall has a terrible track record of actually creating said updates in the first place. – Michael Hampton Jul 14 '15 at 21:51
  • 2
    @Thomas It's also getting dangerously into the territory of "software trying to push its creators' agenda" IMO (regardless of whether that agenda helps users or not) – user253751 Jul 15 '15 at 00:19
  • @immibis And if Adobe's agenda has been to kill off the Firefox NPAPI plugin for Linux? That's a given that they've been trying for a while, what with them killing support with version 11 – Thomas Ward Jul 15 '15 at 02:49
  • @ThomasW. I'm not sure how that's relevant. Mozilla should not go out of their way to try and kill Adobe's product, for any reason. Adobe can still kill their own product if they want. – user253751 Jul 15 '15 at 07:29
  • @immibis I think Firefox is just hastening its death. In any case, I think this is a nice summary of the timeline of events. As well, as a security person, I can understand why they did it - to protect the end-user consumer from bad things as a result of the 'insecure' version. I think that while you're right, treading toes here is bad like the agenda shows, I'd rather disable the plugin than risk having my system totally exposed to RCE (remote code execution) exploits in the wild. – Thomas Ward Jul 15 '15 at 12:15
  • An issue with installing/using chrome is that AFAIK, it may potentially introduce its own major security vulnerability via the new module which allegedly can turn the microphone on and record whenever it feels like it and then phone it home to Google. I assume chromium won't do this, but AFAIK, pepperflash won't work with it, so using it doesn't help. – Joe Jul 15 '15 at 20:55
  • Update: when clicking on [Activate Adobe Flash] the page https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update is now shown with no option to continue .... – false Jul 17 '15 at 16:32
19

The accepted way to get Flash in Ubuntu and Linux, and a recent version, is with Google Chrome, as it's the only browser shipping a Flash version.

Adobe stopped supporting Flash for Linux (even in Firefox) around version 11. They no longer produce any 'new' Flash releases for Linux and the way Firefox handles plugins. Due to the really really old version number (18 is the latest Flash overall, and 11 is the last supported Firefox plugin version available for Linux), and other security concerns, Firefox automatically disables these 'old' versions. This applies to all Operating Systems, not just Ubuntu and *nix. (While @ParanoidPanda is correct they now enforce that for a few extra versions across all platforms, this isn't the primary reason for this warning in Ubuntu/Firefox).


However, even though Adobe pulled native support for Firefox's plugin API formats for Linux and such, Adobe and Google have an agreement. This agreement lets Google ship updated Flash that uses the Pepper API framework, and it is included in Google.

There are wrapper programs that can be installed into Firefox that leverage the use of the Pepper Flash in Chrome, provided you install Chrome. However, most users just switch to Chrome when this is the case.

I would suggest that you install Chrome and use that for browsing and using Flash sites (provided you keep it up to date).


Note however that there is no way to bypass this change in Firefox's policy. There is a page in the Security Team's knowledge base that details this issue a little more, or at least, provides a timeline for all the events related to this.

Thomas Ward
  • 74,764
  • 1
    Question: Does Chromium support Pepper Flash? Anyway, it's probably better to avoid using Flash on websites; a site that still uses Flash probably isn't up-to-date with security. – Paddy Landau Jul 21 '15 at 12:30
  • 1
    @PaddyLandau I believe there is a guide somewhere to get Pepper Flash working in Chromium, or even a package to do that, however don't quote me on that as I don't use Chromium so I can't attest to it. – Thomas Ward Jul 21 '15 at 13:33
  • 1
    I can confirm Chromium supports Pepper Flash. My current installation: Chromium 43.0.2357.130 (Ubuntu 15.04) OS Linux Flash plugin 11.2.999.999 /usr/lib/adobe-flashplugin/libpepflashplayer.so –  Jul 22 '15 at 05:03
  • 1
    @ThomasW. The package that installs Pepper Flash for Chromium is called pepperflashplugin-nonfree and the NPAPI plugin still receives security updates as mentioned in your last link to the Wiki. – LiveWireBT Jul 24 '15 at 12:41
1

Trying to answer the obvious question:

What to do?

  • Make sure that the computer is connected to the Internet and update your installation with:
    • update-manager from the dash
    • or sudo apt-get update and sudo apt-get dist-upgrade from the terminal (check if the first command returns errors, a reason why I don't recommend chaining both with && here)
    • or whatever package manager or front end for it your distribution/flavor uses.
  • Check that the Flash version number in the corresponding plugin page in the settings of your browser exactly matches the version number published on Adobe's site for Flash.
    • If it doesn't, try sudo apt-get install --reinstall flashplugin-installer for the NPAPI plugin (Firefox and others) or replace it with pepperflashplugin-nonfree if you use Chromium.
  • If your browser still reports that this plugin is vulnerable and no newer version is currently available, make a choice:
    • Use alternatives such as HTML5 whenever they are available.
    • Choose another browser. (Chrome has already earned the doubtful reputation of being a modern-day equivalent to Flash Player.)
    • Wait for an updated version of the plugin for your browser. This can range from days to months or years.
    • Choose that it is not worth the risk to run Flash.
      • Provide useful(!) feedback to whoever is responsible that this content is only distributed through Flash.
      • If it's only video or audio and in the absence of an HTML5 implementation, try downloading the video/audio stream or file using popular tools for this task or manually digging through the source of the site. (This may be considered a crime in some cases.)
    • Run Flash anyway. (Check the options in your browser.)
      • Pro: The vulnerability existed before and nothing happened [to you].
      • Con: A severe vulnerability is now known to all ransomware developers for free. Ransomware is a fast and "serious" business.
LiveWireBT
  • 28,763
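
The version check in the answer above, as an added example that is not part of the original answer: the question writes its version as 11.02.202.481, so a plain string match against a published number can fail on zero padding alone, and this sketch compares field by field as numbers instead. The function names, the package-style suffix it tolerates and the sample values in the usage line are assumptions; the published version is whatever you read off Adobe's site and pass in.

```sh
#!/bin/sh
# Added example, not from the original answer. Both versions are supplied
# by the user; nothing is downloaded or looked up.

# Keep the leading dotted number of a version string, dropping a trailing
# distro-style suffix (the suffix shape is an assumption).
upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*$/\1/'
}

# Compare two dotted versions field by field as decimal numbers.
# Prints older / equal / newer (first relative to second), or invalid.
compare_versions() {
    a=$1 b=$2
    for v in "$a" "$b"; do
        case $v in ''|*[!0-9.]*) echo invalid; return 0 ;; esac
    done
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Strip leading zeros so "02" equals "2"; a missing field counts as 0.
        fa=$(printf '%s' "$fa" | sed 's/^0*//'); fa=${fa:-0}
        fb=$(printf '%s' "$fb" | sed 's/^0*//'); fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo older; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo newer; return 0; fi
    done
    echo equal
}

# Map the comparison onto the answer's decision points.
flash_status() {
    case $(compare_versions "$(upstream_version "$1")" "$2") in
        equal) echo current ;;
        older) echo outdated ;;
        newer) echo ahead ;;
        *)     echo unknown ;;
    esac
}

# Usage: sh flashcheck.sh INSTALLED_VERSION PUBLISHED_VERSION
if [ $# -eq 2 ]; then
    echo "Flash plugin is: $(flash_status "$1" "$2")"
fi
```

An "outdated" result corresponds to the reinstall step in the list; "current" with the browser still blocking the plugin is the "make a choice" branch.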