Flash and Firefox

As I wrote last week, there is a critical vulnerability in Flash that needs to be patched. For the past couple of years, I’ve been updating the Flash IE plugin and ignoring the Flash plugin for other browsers. In our environment IE7 is currently supported. My feeling is if you know enough to install non-sanctioned browsers, you know enough to maintain them. (When the vulnerability scanner finds out-of-date software like that which we didn’t supply, we notify the user to patch it.)
This time around, I was thinking of patching the Flash for Mozilla/Opera/Netscape as well. The last Flash update I pushed disabled the Flash update checker through a mms.cfg file. If an IT department is managing the Flash install, as we are for the Flash plugin for IE, then we don’t want users updating on their own. I’ve also found that the update message causes calls to the helpdesk. It’s easier if users only get update messages from us. The problem with this plan is I suspect the mms.cfg I dropped on the client is preventing the user from receiving Flash update messages for the Mozilla/Opera plugin. Because of this concern, I decided to take a look at installing the Flash plugin for Mozilla/Opera browsers.
As you have probably gathered from this post, Adobe Flash has one install for IE and another for “plugin based browsers” (Mozilla/Opera). As all companies should, we use Adobe’s free license for distributing internally. This provides us with access to MSI builds that aren’t funkified with nasty added toolbars.
The best practice for installing Flash is to close all programs that use Flash prior to installation. In addition to web browsers this includes IM programs like AIM that use Flash in the advertisements. In my experience, with the IE Flash install you can get away without doing this. You can run the install silently. Flash will automatically update whenever the browser is closed.
When updating Flash for Firefox, I tried this same technique. Unfortunately this is not working. After installing Flash in Mozilla with no errors, I went to http://www.adobe.com/go/tn_15507 to test what version I’m running. It says I’m running instead of I closed Firefox and reopened it, no change. I rebooted it. No change.
Add Remove programs indicates “Adobe Flash Player 9 Plugin” is at version Every copy of NPSWF32_FlashUtil.exe on the system is at NPSWF32.dll in %windir%\system32\macromed\flash is at its only NPSWF32.dll in c:\program files\mozilla firefox\plugins that isn’t with the program. This is a serious problem because if you didn’t go to the version test website, you would believe you are patched, and most vulnerability scanners will believe you are patched.
Even if you later figure out what has happened, you are in a pickle. Once you have installed Flash 9 Plugin and gotten into this situation, you can’t run the patch again. It’s already installed. A repair didn’t seem to work for me either. You really should have closed Firefox before performing the Flash update to avoid this issue.
If you find yourself in this situation, you’ll need to follow the instructions at http://www.adobe.com/go/tn_14157 (make sure you close everything that uses Flash). Then run the Flash test using the appropriate browser to verify that it’s really gone. Then reinstall (make sure you close Firefox this time).
If I’m going to package this for an enterprise, I’m going to need to check for Firefox being open and either prompt the user to close it or kill the process prior to installing this update. Another possibility mentioned by my brother is to deploy the msi package via AD so it installs at boot.
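One way to wrap the install along those lines, as an added example rather than the author's packaging script: it refuses to run while a blocking browser is open, installs silently, then checks the file version of NPSWF32.dll on disk in the two directories named above instead of trusting Add/Remove Programs. The MSI path, expected version, process list and the exit codes 10 and 20 are placeholders or assumptions.

```powershell
# Added example: pre-flight check, silent install, on-disk version verification.
param(
    [string]$MsiPath          = 'C:\deploy\flash_plugin.msi', # placeholder path
    [version]$ExpectedVersion = '0.0.0.0',                    # placeholder: set to the build being deployed
    [string[]]$Blockers       = @('firefox', 'opera'),        # assumed process names; add IM clients as needed
    [switch]$Force                                            # kill blockers instead of aborting
)

# 1. Do not install while a program that may have NPSWF32.dll loaded is running.
$running = @(Get-Process -Name $Blockers -ErrorAction SilentlyContinue)
if ($running.Count -gt 0) {
    if (-not $Force) {
        $names = ($running | Select-Object -ExpandProperty Name -Unique) -join ', '
        Write-Output "Close these programs and retry: $names"
        exit 10   # arbitrary code: blocked by a running browser
    }
    $running | Stop-Process -Force
    Start-Sleep -Seconds 2   # give the processes time to release the DLL
}

# 2. Silent install. 3010 means success with a reboot pending.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) { exit $p.ExitCode }

# 3. Verify what is actually on disk in both plugin locations.
$dirs  = @("$env:windir\system32\Macromed\Flash",
           "$env:ProgramFiles\Mozilla Firefox\plugins")
$stale = @()
foreach ($d in $dirs) {
    $f = Join-Path $d 'NPSWF32.dll'
    if (-not (Test-Path $f)) { continue }
    # Build the version from numeric parts; the FileVersion string may use commas.
    $vi    = (Get-Item $f).VersionInfo
    $found = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    Write-Output "$f -> $found"
    if ($found -lt $ExpectedVersion) { $stale += $f }
}
if ($stale.Count -gt 0) {
    Write-Output "Stale plugin still present: $($stale -join '; ')"
    exit 20   # arbitrary code: installer succeeded but an old DLL remains
}
exit 0
```

A non-zero exit from step 3 is the case described above where the installer reports success but the browser still loads the old plugin, so it should be surfaced to the deployment tool as a failure.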
It looks like I’m not the only one who has problems with Flash and Firefox. Michael Horowitz in his Cnet blog “Defensive Computing” wrote about it here.
He also comments about all the old versions of Flash. Frequent readers may recall that I’ve been wondering about those myself. I found this Adobe FAQ that indicates it is not necessary to remove the older versions of the IE ActiveX plugin. But this fails to answer the question about the Mozilla type plugins. I’m fine leaving the old versions.
What a pain.