
Mozilla Details How Firefox 17 Will Block Old, Vulnerable Versions Of Flash - Quekster
http://thenextweb.com/insider/2012/10/12/mozilla-details-how-old-adobe-reader-flash-and-silverlight-plugins-will-be-blocked-in-firefox-17
======
JoshTriplett
Why would it make sense to allow running a vulnerable version of a plugin with
just a click?

Perhaps with a hidden preference, for people who absolutely need an old
version (to run some internal business app that fails with new versions, for
instance), but by default?

~~~
asadotzler
There are a number of reasons that we're taking these steps.

First, click to play for vulnerable plug-ins will make drive-by exploits less
likely to be successful.

Second, it gives users some protection while they wait for a time to
upgrade a plug-in that's more convenient to them.

Third, we've learned that if you simply take the plug-in away, users don't
upgrade, they switch to one of the other browsers on their system which isn't
taking their (potentially similarly vulnerable) plug-in away.

This is not the only answer, though. It's a step in an ongoing process to
protect more users and one that I believe all browser vendors are converging
on.

~~~
JoshTriplett
> Third, we've learned that if you simply take the plug-in away, users don't
> upgrade, they switch to one of the other browsers on their system which
> isn't taking their (potentially similarly vulnerable) plug-in away.

That makes sense, and that sounds like the real reason. The first two reasons
would work just as well with disabling the plugin entirely without the click
to bypass. However, if you think people will ignore the warnings and run
another browser entirely, that seems like a good argument for letting them use
the plugin with Firefox, as long as you have an appropriately severe warning
about what it means to let a site access a vulnerable plugin.

~~~
nnethercote
> However, if you think people will ignore the warnings and run another
> browser entirely, that seems like a good argument for letting them use the
> plugin with Firefox, as long as you have an appropriately severe warning
> about what it means to let a site access a vulnerable plugin.

An informed user can also make a judgment depending on how trustworthy they
think the site is.

------
ck2
How can Flash have a serious vulnerability EVERY WEEK and it's over TWELVE
years old?

That kinda blows my mind. I mean it's not an entire OS, just Flash.

~~~
shardling
Yeah, it's just a framework for writing almost arbitrary types of applications
in. What could _possibly_ be so hard about that?

~~~
evride
Virtual machine, not framework. Flex would be a framework though.

~~~
shardling
I was just using the word framework in its general sense, not in the narrower
technical definition.

------
aeontech
This is a great, flexible solution. Props to the Firefox team for making an extra
effort to protect their users.

------
ashray
I believe Safari already did this in the 6.0 version. I hadn't upgraded my
Flash and I got a [Plugin Blocked] message wherever there should be some Flash
content.

After upgrading Flash I started seeing ads there again :P Not sure if
upgrading was the right thing to do :D

