"Shockwave Flash is known to be vulnerable" warning

Good evening!

Today, I turned off my computer without any problems and went out. When I came back and tried to surf the net, I saw that my Firefox started giving me this problem:

"Shockwave Flash is known to be vulnerable"

I did some research about it and uninstalled and reinstalled the Adobe Flash Player plugin, but it didn't work. Also, my Flash Player is up to date (Version: 11.02.202.481). And I use Lubuntu, by the way.

Thank you for your support!


Mozilla, which develops Firefox, imposed the block because recently unearthed bugs in Flash were being actively used by cyber-thieves.

The bugs were detailed in a cache of documents stolen from security firm Hacking Team that was hit by attackers last week.

Adobe said it took Flash's security "seriously" and was planning bug fixes.

Source

There is now no way to make it always active without some prompting, but you should be able to allow Flash for individual content by pressing the Activate Adobe Flash:


Or you can enable it for the site, and even choose to remember that you want it active for that site:



The accepted way to get Flash in Ubuntu and Linux, and a recent version, is with Google Chrome, as it's the only browser shipping a Flash version.

Adobe stopped supporting Flash for Linux (even in Firefox) around version 11. They no longer produce any 'new' Flash releases for Linux and the way Firefox handles plugins. Due to the really really old version number (18 is the latest Flash overall, and 11 is the last supported Firefox plugin version available for Linux), and other security concerns, Firefox automatically disables these 'old' versions. This applies to all Operating Systems, not just Ubuntu and *nix. (While @ParanoidPanda is correct they now enforce that for a few extra versions across all platforms, this isn't the primary reason for this warning in Ubuntu/Firefox).


However, even though Adobe pulled native support for Firefox's plugin API formats for Linux and such, Adobe and Google have an agreement. This agreement lets Google ship updated Flash that uses the Pepper API framework, and it is included in Google.

There are wrapper programs that can be installed into Firefox that leverage the use of the Pepper Flash in Chrome, provided you install Chrome. However, most users just switch to Chrome when this is the case.

I would suggest that you install Chrome and use that for browsing and using Flash sites (provided you keep it up to date).


Note however that there is no way to bypass this change in Firefox's policy. There is a page in the Security Team's knowledge base that details this issue a little more, or at least, provides a timeline for all the events related to this.


Trying to answer the obvious question:

What to do?

  • Make sure that the computer is connected to the Internet and update your installation with:
    • update-manager from the dash
    • or sudo apt-get update and sudo apt-get dist-upgrade from the terminal (check if the first command returns errors, a reason why I don't recommend chaining both with && here)
    • or whatever package manager or front end for it your distribution/flavor uses.
  • Check that the Flash version number in the corresponding plugin page in the settings of your browser exactly matches the version number published on Adobe's site for Flash.
    • If it doesn't, try sudo apt-get install --reinstall flashplugin-installer for the NPAPI plugin (Firefox and others) or replace it with pepperflashplugin-nonfree if you use Chromium.
  • If your browser still reports that this plugin is vulnerable and no newer version is currently available, make a choice:
    • Use alternatives such as HTML5 whenever they are available.
    • Choose another browser. (Chrome has already earned the doubtful reputation of being a modern day equivalent to Flash Player.)
    • Wait for an updated version of the plugin for your browser. This can range from days to months or years.
    • Choose that it is not worth the risk to run Flash.
      • Provide useful(!) feedback to whoever is responsible that this content is only distributed through Flash.
      • If it's only video or audio and in the absence of an HTML5 implementation, try downloading the video/audio stream or file using popular tools for this task or manually digging through the source of the site. (This may be considered a crime in some cases.)
    • Run Flash anyway. (Check the options in your browser.)
      • Pro: The vulnerability existed before and nothing happened [to you].
      • Con: A severe vulnerability is now known to all ransomware developers for free. Ransomware is a fast and "serious" business.
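The version check in the answer above can be scripted. This is an added example, not part of the original posts: it compares two Flash version strings field by field, so that a form like the question's 11.02.202.481 is not reported as a mismatch just because of a leading zero or comma separators. The function names are hypothetical, and the published version is assumed to be copied by hand from Adobe's site.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Print the canonical dotted form of a version written with '.' or ','
# separators, stripping leading zeros per field. Returns 2 if malformed.
normalize_version() {
    _rest=$(printf '%s' "$1" | tr ',' '.')
    case $_rest in ''|.*|*.|*..*) return 2 ;; esac
    _out=
    while [ -n "$_rest" ]; do
        _field=${_rest%%.*}
        case $_rest in *.*) _rest=${_rest#*.} ;; *) _rest= ;; esac
        case $_field in ''|*[!0-9]*) return 2 ;; esac
        # "02" -> "2"; avoids octal parsing and false string mismatches
        while [ "${#_field}" -gt 1 ] && [ "${_field#0}" != "$_field" ]; do
            _field=${_field#0}
        done
        _out=${_out:+$_out.}$_field
    done
    printf '%s\n' "$_out"
}

# Print "older", "same" or "newer": how the installed version ($1) relates
# to the published one ($2). Missing trailing fields count as 0.
compare_versions() {
    _a=$(normalize_version "$1") || return 2
    _b=$(normalize_version "$2") || return 2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _fa=${_a%%.*}; _fb=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        if [ "${_fa:-0}" -lt "${_fb:-0}" ]; then echo older; return 0; fi
        if [ "${_fa:-0}" -gt "${_fb:-0}" ]; then echo newer; return 0; fi
    done
    echo same
}

# Usage: sh check.sh <installed-version> <published-version>
if [ "$#" -eq 2 ]; then
    compare_versions "$1" "$2"
fi
```

A result of "older" means the installed plugin is behind the published release and the browser's block is expected.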