PSA: Firefox blocks Adobe Flash content on all websites

xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

Update:
  • Adobe Flash 11.2.202.491 is available currently for Linux Mint 13 and 17.x, and for LMDE 1 and 2, through Update Manager. This fixes the security vulnerabilities.

    With these steps Firefox on Linux Mint no longer blocks Flash content on all web pages. Well, till the next Flash vulnerability sees light of day. You might want to leave Adobe Flash on disabled or remove it altogether. Various distros are making that also the default for their next releases, shipping without Adobe Flash installed. Like me you will likely be surprised how many websites showed the annoying message asking to allow Adobe Flash but work perfectly fine without it once you've removed Adobe Flash.
----

Firefox has started blocking Adobe Flash content on all websites from today. This is a security precaution by Firefox in response to a number of severe security vulnerabilities in Adobe Flash that have been exposed. You are vulnerable if you are using Firefox with Adobe Flash on Linux.

The list of vulnerabilities is: https://helpx.adobe.com/security/produc ... 15-18.html. Some more background information: http://arstechnica.com/security/2015/07 ... ava-0-day/.

Recently a large number of documents from the spyware development company "Hacking Team" have been exposed and these documents contain details on several unpatched security vulnerabilities in Adobe Flash. These vulnerabilities are severe and as these documents contain detailed information on how to exploit them there is a high risk that these are now actively being exploited by malware creators. Firefox will continue to block Adobe Flash content till Adobe has patched all these security vulnerabilities.

Q: How can I recognize that Firefox is blocking Adobe Flash content?
You will either see a bar like this at the top of pages that have blocked Adobe Flash content:
[Image]
Or you will see an image like this overlapping the blocked Adobe Flash content:
[Image]

Q: I don't see any messages in Firefox about blocked Adobe Flash content. What's up?
If you have temporarily or permanently allowed Adobe Flash content on a website, you won't be shown these messages on that website again (if allowed temporarily, for a limited time). It may also be the case that the page you are on doesn't have any Adobe Flash content.

Or possibly your Firefox hasn't refreshed its blocklist yet and is thus not yet actively blocking Adobe Flash content. The blocklist is periodically refreshed. You can force the blocklist to refresh immediately by following the steps under Forcing a Blocklist Ping.

Q: Can't I just disable Firefox blocking Adobe Flash content?
No. You can only allow Adobe Flash content temporarily or permanently on a per-website basis. I would urge you to disable Adobe Flash altogether for the time being or, if you do need Adobe Flash on some website, to only allow it temporarily. If you disable Adobe Flash altogether YouTube will automatically switch to use HTML5 playback for videos.

Q: How can I disable Adobe Flash altogether?
Open Firefox and in the address bar type about:addons and press enter. Find Shockwave Flash in the list of plugins and change it from "Ask to Activate" to "Never Activate".

Q: Can't I just uninstall Adobe Flash?
Yes but this will only affect Firefox and other web browsers that use that version of Adobe Flash. Google Chrome and (optionally) Chromium use a different version of Adobe Flash (PepperFlash) in which these vulnerabilities have already been fixed on Linux. Disabling the plugin in each web browser you use suffices and you don't need to uninstall Adobe Flash to be secure.

If you do want to remove the Adobe Flash plugin from your system (the one used by Firefox) you can do so by searching for "flashplugin" in Software Manager and uninstalling it from there. Or on the terminal enter this command:

apt purge flashplugin*
That should remove the packages adobe-flashplugin, mint-flashplugin-steam, and mint-meta-codecs (for Linux Mint 17.x; other editions or versions of Linux Mint may differ but the command remains the same). This removes Adobe Flash for your web browser and for Steam (the game store client). It also removes a meta package (which is okay); this is just a package used to easily install a bunch of other packages and doesn't contain any files itself.

Q: Are other web browsers also affected?
Yes, but for Google Chrome and Chromium the vulnerabilities are already fixed by Google on Linux. Any web browser other than an updated Google Chrome or Chromium using Adobe Flash is vulnerable. I would urge you to disable Adobe Flash altogether in other web browsers as well or at least change it to "Ask to Activate".

Q: What can I do if I (also) use Google Chrome or Chromium?
Type chrome://plugins in the address bar and press enter. Confirm that Adobe Flash in the list of plugins has version 18.0.0.209 or newer. If it doesn't have that version yet, open Update Manager and apply any update for Google Chrome, Chromium Browser, and PepperFlash Plugin.

Alternatively, if you want to disable Adobe Flash in Google Chrome or Chromium type chrome://plugins in the address bar and press enter. Find Adobe Flash in the list of plugins and click "Disable".

Alternatively, to change Adobe Flash to "Ask to Activate" in Google Chrome or Chromium type chrome://settings in the address bar and press enter. Scroll to the end of the page and click on "Show advanced settings...". Under the heading Privacy click on "Content settings...". Under the Plugins heading there change it from "Run all plugin content" to "Let me choose when to run plugin content".
Last edited by xenopeek on Fri Jul 17, 2015 6:21 am, edited 5 times in total.
Reason: updated
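
An added example, not part of the original post: a small shell check that compares a Flash version string, as shown in the browser's plugin list, against the fixed versions named in the announcement (11.2.202.491 for the Firefox plugin on Linux, 18.0.0.209 for PepperFlash in Google Chrome or Chromium). The function names, the npapi/ppapi labels and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Fixed versions named in the announcement above.
NPAPI_FIXED="11.2.202.491"   # Adobe Flash plugin used by Firefox on Linux
PPAPI_FIXED="18.0.0.209"     # PepperFlash used by Google Chrome / Chromium

# version_ge A B: succeed when dotted numeric version A >= B.
# Missing trailing fields count as 0, so "18.0" is older than "18.0.0.209".
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the field just read from each version.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# flash_status KIND VERSION: print "patched", "vulnerable" or "unknown".
# KIND is "npapi" (Firefox plugin) or "ppapi" (PepperFlash); both labels
# are hypothetical names chosen for this example.
flash_status() {
    kind=$1
    # Accept comma-separated versions too (e.g. 11,2,202,491).
    ver=$(printf '%s' "$2" | tr ',' '.')
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    case $kind in
        npapi) fixed=$NPAPI_FIXED ;;
        ppapi) fixed=$PPAPI_FIXED ;;
        *) echo unknown; return 0 ;;
    esac
    if version_ge "$ver" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Constructed sample inputs (not taken from the thread).
for sample in "npapi 11.2.202.481" "npapi 11,2,202,491" \
              "ppapi 18.0.0.194" "ppapi 18.0.0.209"; do
    set -- $sample
    printf '%-6s %-14s %s\n' "$1" "$2" "$(flash_status "$1" "$2")"
done
```

A "patched" result only means the version is at or above the fix named in this announcement; it says nothing about vulnerabilities disclosed later.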
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by Cosmo. »

Following this Adobe Security Bulletin the new version of Flash for Linux (NPAPI) will be released within this week. So the advice is to simply wait 2 or 3 days.
waynea
Level 3
Posts: 135
Joined: Mon Oct 14, 2013 11:49 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by waynea »

Surely everyone should now be disabling Flash permanently as a clear and present danger.
It seems that scarcely a day goes by without another zero day being discovered....
gastrof

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by gastrof »

Cosmo. wrote: Following this Adobe Security Bulletin the new version of Flash for Linux (NPAPI) will be released within this week. So the advice is to simply wait 2 or 3 days.
Thanks Cosmo.

Guess no YouTube for a few days, then... :(
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

If you disable Adobe Flash, YouTube switches to HTML5 playback automatically on Firefox. Google Chrome and Chromium default to use HTML5 playback on YouTube regardless of you having Flash installed :wink: HTML5 playback is used by millions of people daily. Should work pretty well.
gastrof

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by gastrof »

xenopeek wrote: If you disable Adobe Flash, YouTube switches to HTML5 playback automatically on Firefox. Google Chrome and Chromium default to use HTML5 playback on YouTube regardless of you having Flash installed :wink: HTML5 playback is used by millions of people daily. Should work pretty well.
I'm still such an airhead with regards to all this, I don't know how to disable Flash in Firefox. (It's amazing I got Linux to work in the first place. SO MUCH TO LEARN!)

Edit:
DUH. The instructions were right there in this thread.
:lol:
coder123

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by coder123 »

Thanks so much xenopeek. I was about to make a thread asking what gives since I bothered to let update manager run (as well as taking other steps to get the flash plugin updated).
TravLR

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by TravLR »

Thanks for the announcement. The fix you wrote fixed this for me! :)
norm.h
Level 5
Posts: 692
Joined: Tue Mar 23, 2010 11:45 am
Location: Oxfordshire, UK

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by norm.h »

I downloaded version 11.2.202.491 in Synaptic this afternoon - all seems OK now.
pesio12
Level 1
Posts: 15
Joined: Fri Apr 10, 2015 10:48 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by pesio12 »

I updated to the latest flash release (202.491). And put flash on always active (through tools>add-ons). Is everything okay - can I do that? Or will I have the major security holes?
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

You can do that, but likely there are more security holes in Adobe Flash. There are bugs in many programs but anything that is in your web browser and runs code from a remote server is extra exposed to the risks out there.
gastrof

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by gastrof »

I followed the suggestion to set the Flash plug-in to "Never activate".

Firefox switched over (apparently) to use HTML5, and not only was I able to use YouTube as always, it seemed to allow me to get high def versions of the videos with less problems due to my service provider not playing nice.

Today there was an update for Flash. I installed it, but I'm not sure what to set the plug-in for to get it back to how it was before. (That's right. I didn't take note of the old setting.)

A comment above makes it sound like this fix may not even solve the problem so Flash STILL shouldn't be used.

Just what's what with all this?

And, if Flash IS safe to use again, what setting should I use on the plug-in to get it running again? "Always Activate" or "Ask to Activate"?
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

The default setting before this would have been "Always Activate". It would be wiser to set it to "Ask to Activate", so you don't run any Flash content except when you want to (minimizing risks to just that Flash content you allow, instead of all Flash content). Or just don't enable it at all :) I've removed Flash altogether.

Adobe Flash is closed source software. Only Adobe can find AND fix vulnerabilities in the Adobe Flash plugin for Firefox on Linux. However, as demonstrated, the bad guys can also find vulnerabilities. The ones fixed in the latest version have been sitting around for years and only came to light through some documents from a spyware company that got exposed. Are they the only ones finding such vulnerabilities and not reporting them but exploiting them? Probably not. This remains at the core of my problem with closed source software; anybody can find vulnerabilities in it, but only one company can decide to do something about it. So you will always be at risk. (Disregarding the problem that Flash content itself is also closed source.)

On top of that, Firefox on Linux doesn't provide a security sandbox for the Adobe Flash plugin (nor for the PepperFlash/FreshPlayer plugin for people considering that as an alternative). Compare that to PepperFlash on Google Chrome or Chromium that is running in a security sandbox. That wouldn't have helped with these vulnerabilities, but it does mitigate some of the risks associated with Flash content.

If you must use Flash, I'd suggest only doing so in Google Chrome or Chromium. If you do want it in Firefox also, find some way to mitigate the risks (like containing Firefox entirely in a security sandbox with firejail, or using extensions like NoScript and similar).
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by Cosmo. »

There is one additional difference between the setting to always deactivate and ask to activate (also named click to play). If Flash is set to always deactivate, HTML5 gets used, if applicable (YouTube); so this leads so far to the same result as uninstalling Flash. With click to play HTML5 does not get used automatically.
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

That's indeed true. Google Chrome on the other hand does use HTML5 playback for YouTube, regardless of Flash being enabled or not. Anyway, it's another reason to just remove Adobe Flash altogether :wink:
JusTertii

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by JusTertii »

Xenopeek,

Why not simply install Pepper flash for Firefox? I've found a how-to here. Do you think it's a good idea for Firefox users?

Regards,

JT
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: PSA: Firefox blocks Adobe Flash content on all websites

Post by xenopeek »

No JusTertii, that doesn't make a difference: Firefox doesn't run that in a security sandbox, so the only difference is a different version of Flash. It's only Google Chrome and Chromium that use a security sandbox for PepperFlash.