Warning: potentially dangerous Flash Player in Chromium!

Post by Pjotr »

Your Chromium might contain a dangerously outdated Flash Player, if you've installed pepperflashplugin-nonfree! This has been explained by xenopeek in the LMDE forum: http://forums.linuxmint.com/viewtopic.p ... 4#p1083116

I strongly advise you to do as xenopeek writes in that message. It's a "hidden" vulnerability which you might easily overlook, and which may have serious consequences when unpatched: Flash Player is under heavy attack from criminal software on all sorts of websites.

The technical reason for this nasty security situation is that pepperflashplugin-nonfree is not the actual plugin itself, but a tool which extracts Flash Player from a Chrome package which it downloads for that purpose. That's a one-time action.

If you want to update Flash Player in Chromium (which you certainly should want, for security's sake), then you can only do that by means of the dedicated extra tool that comes with pepperflashplugin-nonfree. Either by hand or by cronjob. Very unfortunate, but that's the way it is. :(

For me personally, it has been the reason to purge Chromium from my systems and replace it with Chrome. I hate these kinds of "surprises".

Note: if you've already installed pepperflashplugin-nonfree and you want to continue using Chromium without Flash Player, then it's probably not sufficient to simply remove pepperflashplugin-nonfree. You probably need to purge Chromium from your system first and then re-install it "cleanly".
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
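
The one-time extraction described in the post above means the installed plugin can silently fall behind. The following POSIX shell check is an added example, not code from the thread or from the pepperflashplugin-nonfree project: it compares the version embedded in the plugin file against a reference version you supply. It assumes the binary carries its version as a string of the form `LNX 19,0,0,207`; the function names, the script name and the reference-version argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the PepperFlash binary
# embeds its version as the string "LNX a,b,c,d".
PLUGIN="${PLUGIN:-/usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so}"

# Print the dotted version embedded in plugin file $1 (nothing if absent).
plugin_version() {
    [ -r "$1" ] || return 1
    LC_ALL=C grep -a -o 'LNX [0-9][0-9,]*' "$1" | head -n 1 |
        cut -d' ' -f2 | tr ',' '.'
}

# Succeed only if dotted version $1 is strictly older than $2.
# Fields are compared numerically, so 19.0.0.9 sorts before 19.0.0.10.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$oldest" = "$1" ]
}

# Compare plugin file $1 with reference version $2, which must come from a
# source you trust independently of the plugin's own update tool.
# Prints a verdict; returns 0 = current, 1 = stale, 2 = no plugin, 3 = bad input.
check_plugin() {
    case "$2" in
        ''|*[!0-9.]*) echo "BAD-REFERENCE"; return 3 ;;
    esac
    installed=$(plugin_version "$1") || installed=""
    if [ -z "$installed" ]; then
        echo "MISSING"; return 2
    fi
    if version_lt "$installed" "$2"; then
        echo "STALE $installed < $2"; return 1
    fi
    echo "OK $installed"
}

# Usage, e.g. from a daily cron job (hypothetical script name):
#   check-pepperflash.sh 19.0.0.226
if [ "$#" -ge 1 ]; then
    check_plugin "$PLUGIN" "$1"
    exit $?
fi
```

A `STALE` verdict is the cue to run the package's own update tool by hand and then re-check; `MISSING` means no extracted plugin was found at that path.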

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by thom_A »

Is it so hard to say Adobe Flash Player, instead of just Flash Player? What am I missing?

Anyway, I've never been comfortable updating Adobe Flash Player. Changelog is not even available. Every time I do (update), doesn't matter if it's Win/Linux, ads get even more sophisticated and invasive; they're annoying and all over the place. What else is the purpose of updating other than let them add more ads, as if the existing ones are not enough. Same thing with Firefox, Chrome and probably almost all browsers.

Seems they can never be avoided. Thinking of going back to Windows now. What's the point? They just can't seem to be satisfied with few and simple ads. They have to be flashy and make you buy something.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by Pjotr »

thom_A wrote: "Is it so hard to say Adobe Flash Player, instead of just Flash Player? What am I missing?"
Well, one word, obviously.
thom_A wrote: "Thinking of going back to Windows now. What's the point?"
Maybe the point is that Linux has some other, real advantages over Windows?

Anyway, please don't turn this thread off topic. Its subject is too important for that.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by BigEasy »

Pjotr wrote:Well, one word, obviously.
:mrgreen: :!:
Windows assumes I'm stupid but Linux demands proof of it

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by Fragezeichen »

thom_A wrote:Is it so hard to say Adobe Flash Player, instead of just Flash Player? What am I missing?

Thinking of going back to Windows now.
Is it so hard to say Microsoft Windows instead of just Windows? What am I missing?

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by Pjotr »

It gets worse: I just got a report on the Dutch Ubuntu forums that running "sudo update-pepperflashplugin-nonfree --install" won't give you the very latest Flash Player version in Chromium either...

Apparently that command currently gives you 19.0.0.207, whereas it should be 19.0.0.226, as in Chrome. This would imply that the update server for Pepperflash isn't being maintained properly.

Great. :evil:

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by Drygar »

There is only one solution and it is called get rid of Flash Player once and forever.
That is what I did after vulnerability #15493 was shown some months ago.

How come one uses software plagued by so many known and unknown vulnerabilities? :shock:

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by thom_A »

Drygar wrote:There is only one solution and it is called get rid of Flash Player once and forever.
How do you do that? I don't mind it, but the constant bugging for updates (whether Win/Linux) concerns me. Every time you do, ads proliferate and more invasive than ever. It's like you're updating for the purpose of helping them enhance the ads viewing experience.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by Pjotr »

Drygar wrote: "There is only one solution and it is called get rid of Flash Player once and forever."
thom_A wrote: "How do you do that?"
Simple: launch Synaptic and remove all packages related to Flash Player.
thom_A wrote: "I don't mind it, but the constant bugging for updates (whether Win/Linux) concerns me. Every time you do, ads proliferate and more invasive than ever. It's like you're updating for the purpose of helping them enhance the ads viewing experience."
The ads are not in the player. They are in the videos.

The updates for Flash Player are essential for the security of Flash Player and do not influence the presence of ads in the videos at all.

Finally: again, I request that we return to the topic. This thread isn't about ads in videos, it's about how to use Flash Player safely in Chromium. As such, it's an important issue. If you wish to go on about the ads in videos, please start your own thread.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by thom_A »

Pjotr wrote:Simple: launch Synaptic and remove all packages related to Flash Player.

The ads are not in the player. They are in the videos.

The updates for Flash Player are essential for the security of Flash Player and do not influence the presence of ads in the videos at all.

Finally: again I request to return on topic. This thread isn't about ads in videos, it's about how to use Flash Player safely in Chromium. As such, it's an important issue. If you wish to go on about the ads in videos, please start your own thread.
Thanks for your assurances and infos. I appreciate it.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by ZakGordon »

Thanks for the heads up Pjotr. And thanks to yazdzik for starting that other thread.

Should this not be in the main newbie questions forums too? Anyway, I have manually updated my Chromium to the latest available version of pepperflash (19.0.0.245), so how does one contact the people looking after the pepperflash non-free plugin? I think they should maybe be messaged to ask why the version for Chromium is not the latest current version you have in Chrome? And if they could fix that?

For myself, I'm not a fan of Google, in the way I'm not a fan of MS. Too much about data-gathering in those organisations' DNA for my liking. So I really, really do not want to install Chrome if I can avoid it. Although to be honest I'm not sure on the differences in relation to data-mining between Chromium and Chrome browsers, so maybe my distrust of all things Google (I use DuckDuckGo as my search engine etc.) is not needed here?
Laptop overheating? Check link here:itsfoss guide . Also a move from Cinnamon to XFCE can give a -5 to -10 degrees C change on overheating hardware.

Build a modern dual-boot Ryzen Win7/Linux Mint PC:Tutorial

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by xenopeek »

ZakGordon wrote:I think they should maybe be messaged to ask why the version for Chromium is not the latest current version you have in Chrome?
Chromium would be installed from the Ubuntu/Debian repositories that are used as a package base on Linux Mint/LMDE. Those provide long-term support packages. That means the Ubuntu/Debian maintainer fixes any discovered security issues that affect the version of Chromium in their repositories. You do get updates for Chromium to fix security issues. You don't always get new upstream releases of Chromium that add new functionality.

On Linux Mint 17.x you're at Chromium 45. Security issues have been patched till end of September: http://changelogs.ubuntu.com/changelogs ... /changelog

On LMDE 2 you're at Chromium 46. Security issues have been patched till mid October: http://metadata.ftp-master.debian.org/c ... _changelog

As for trusting Chromium, well you're shooting yourself in the foot aren't you? You have a completely open source web browser that has eyes on the code from multiple companies contributing to it and you're using a proprietary plugin from Chrome with it... If you really care about such things, you wouldn't be using Flash.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by ZakGordon »

xenopeek wrote:As for trusting Chromium, well you're shooting yourself in the foot aren't you? You have a completely open source web browser that has eyes on the code from multiple companies contributing to it and you're using a proprietary plugin from Chrome with it... If you really care about such things, you wouldn't be using Flash.
Well, I found this site that gave me a better understanding of the differences between Chromium and Chrome:

http://www.howtogeek.com/202825/what%E2 ... d=noscript

Has a few errors in it, but I did not know that Chromium is the base open source software, then Chrome is built by Google on that base. So that sort of answers my question. As Chrome is being built by Google (for profit) based on Chromium open source (not-for-profit), the chances of improvements in Flash security flowing 'downhill' (back to Chromium) are less. So that might be one of the reasons for Chromium lagging behind Chrome in the Flash security zone.

And I agree with you on Flash being less than ideal in terms of web security. Trouble is much of the internet is built on it, and for example when I use Pale Moon (more secure version of Firefox) that has no Flash, quite a large portion of the internet becomes unusable, HTML5 still has a way to go.

So Chromium is strictly my 'YouTube' browser, that is all I use it for. I switch off as many tracking/report back to Google services as possible and while it sadly does not have an excellent plugin like NoScript for Firefox, I do use a couple of plugins such as Ghostery in Chromium to better plug information leaks etc. All my 'important' internet traffic goes through Pale Moon (with a range of security plugins).

I know you can run a type of sandbox in Linux, but it is a real shame it is not as easy as 'Sandboxie' on the Windows platform (although that seems to have recently shifted to a paid version, so not sure how long that will remain the best 'free' option on Windows).

I suppose in the same way Ubuntu shifted away from being the early 'best' ease of use Linux OS, as it sort of became more 'corporate' and business orientated (Feisty Fawn was the last version I tried, and modern Ubuntu, a little like the changes Windows 8 made, is not really my type of OS), the same has been happening to Firefox for a little while now, so that was behind my shift to Pale Moon to deal with those concerns.

Chrome I've never been a fan of simply because it is Google, and I didn't quite fall in love with the data gathering and metrics that Google is all about, so it has been interesting to try Chromium on the Mint platform and try to learn more about it. What would be perfect is if HTML5 completely takes over the role of Flash on the internet and that becomes the base of Chromium over Flash, but I suspect that is quite a way in the future?

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by xenopeek »

Chromium is used as the basis for many browsers: https://en.wikipedia.org/wiki/Chromium_ ... n_Chromium. Difference between Chrome and Chromium: https://chromium.googlesource.com/chrom ... _chrome.md. You'll note Chrome doesn't support NPAPI (unsecure plugins). Chromium supports both NPAPI (AdobeFlash) and PPAPI (PepperFlash) plugins. It's not that security advances are made in Chrome and flow back to Chromium; it's very much the other way around: https://www.chromium.org/Home/chromium-security. But yes, if you still have AdobeFlash on your system Chromium could use that and that is less secure. Another reason to remove it and only use PepperFlash.
ZakGordon wrote: when I use Pale Moon (more secure version of Firefox) that has no Flash, quite a large portion of the internet becomes unusable, HTML5 still has a way to go.
You must be visiting different corners of the Internet. Of my 2500+ bookmarked websites, only 1 requires Flash (and I don't have an option to use another website for this). I might stumble across a website every now and then that requires Flash in which case I just go back to search results and click on the next link. If I really need Flash, like for that one website, I use Google Chrome. I have that installed for Netflix anyway.

Anyway, we're drifting away from the topic at hand so let's get back to that.

Re: Warning: potentially dangerous Flash Player in Chromium!

Post by ZakGordon »

xenopeek wrote:You must be visiting different corners of the Internet. Of my 2500+ bookmarked websites, only 1 requires Flash
Possible. I tend to use fairly average places like the BBC news, car manufacturers (Ford/Renault etc.), banks, Metacritic, YouTube etc. Any video or animations in those don't run in Pale Moon (no Flash) and give a message like 'your browser needs to be updated to view this content' or 'you need to install Flash to view this content' etc. In Chromium (with just Pepperflash) they will run fine, but I prefer the security of Pale Moon in general for internet browsing (NoScript is a godsend!).

Back on topic:

So in Chromium if I type:

Chrome://plugins

it tells me I have a few things, one of which is:

Adobe Flash Player -version: 19.0.0.245

name: Shockwave Flash
description: Shockwave Flash 19.0 r0
version: 19.0.0.245
Location: /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so
type: PPAPI (out-of-process)

So that is pepperflash, right? And not normal Flash?

I ask because I remember that the process for getting rid of regular Adobe Flash and installing pepperflash-non free was not exactly straightforward or simple. So I just want to be sure I'm (bad) Flash free :)

My plugins in Pale Moon (access those under the 'Tools>Add-ons' menu) show no Flash of any kind, so that is all good.