[plugincheck] Mozilla points users to Flash update that may install either McAfee Security Scan or Google Chrome by default (random selection)

RESOLVED INVALID

Status

defect
8 years ago
5 years ago

People

(Reporter: digital56k, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Build ID: 20110830092941

Steps to reproduce:

Firefox just updated to version 6.0.1. When it started, it told me my Flash player was out of date and provided a link to download the latest version, which I followed.


Actual results:

The file I downloaded as a result of this was named "install_flashplayer10_chra_aih.exe". In addition to installing Flash, it also appears to attempt to install Chrome. On the Flash installer screen there were two progress bars:

* Adobe Flash Player 10.3 [================]

* Google Chrome [                ]
                ! Chrome is already installed on the machine at the user level mode.


Are you aware that with every Firefox update you are encouraging end users to switch to Chrome? Is the Flash update download link pointing to the wrong .exe?


Expected results:

I did not expect the Flash update you're pointing to to try to install Chrome (that's what it looks like it would do, anyway). Since I already have Chrome installed I can't verify.

Point of clarification: the Flash out-of-date notice was via Mozilla's launch webpage, not the Flash updater utility.

I think that page only links to http://get.adobe.com/flashplayer/ (see also https://www.mozilla.org/en-US/plugincheck/). It is Adobe's business that on that page it offers to download Chrome (there is a checkbox for it). If you leave the checkbox ticked the resulting exe will try to install it.
Also it randomly offers "McAfee Security Scan Plus" instead of Chrome.

Have you seen anything else?

I just went to quickly update Flash on a WinXP install I don't use that much and all of a sudden the Flash installer says it's downloading Google Chrome to install. Yeah, it does say it before downloading, but there are problems with Adobe's implementation:
1) The correct and well established way to optionally install something in a bundle is to prompt in the installer itself.
2) The checkbox is checked by default and blends in with the rest.
3) It's random. If Adobe wants to push an A/V to help their users' security that's one thing, but randomly changing it to an entire new browser is another matter.

From Mozilla's perspective, whatever is linked to from the update button on the plugin check page should quite simply be the stated update. Either Adobe should fix their installation process or provide a page that only offers a quick update to be used for this.

I'm going to confirm this even though it's clearly a problem on Adobe's end, but it's still apparently Mozilla's problem too. (not sure if TE or plugins.mozilla.org is the best place to put it) This is bad UX being at least implicitly endorsed via Mozilla's plugin check page. Flash is the #1 plugin people will be updating and Mozilla should have a "no surprises" policy for what it points to, and thus endorses.

Status: UNCONFIRMED → NEW
Component: General → plugins.mozilla.org
Ever confirmed: true
Product: Firefox → Websites
QA Contact: general → plugins-mozilla-org
Hardware: x86_64 → All
Summary: Flash update may try to install Chrome? → [plugincheck] Mozilla points users to Flash update that may install either McAfee Security Scan or Google Chrome by default (random selection)
Version: 6 Branch → Firefox 6

(In reply to Dave Garrett from comment #3)
> I'm going to confirm this even though it's clearly a problem on Adobe's end,
> but it's still apparently Mozilla's problem too. (not sure if TE or
> plugins.mozilla.org is the best place to put it) This is bad UX being at
> least implicitly endorsed via Mozilla's plugin check page. Flash is the #1
> plugin people will be updating and Mozilla should have a "no surprises"
> policy for what it points to, and thus endorses.

What on earth makes you think it's implicitly endorsed? We point users at the page that Adobe has required we point at. The alternative is not pointing at the source and letting users figure it out on their own, where they'll get the same offer. Options are being investigated, but how Adobe distributes their software is up to them, and if it's a choice of letting users know that they're using a potentially vulnerable or unstable version of software that is used by a very large portion of the web and showing them where to get an update vs. hoping they can figure it out, we'll continue to point at them.

It's not an implicit endorsement, it's playing by the rules we have been given. The alternative, in my mind, is much, much worse.

We're working on it, but at the end of the day it's beyond our control.

(In reply to Kev [:kev] Needham from comment #4)
> What on earth makes you think it's implicitly endorsed?

It's a page directly coming from the Firefox Addon Manager and otherwise promoted by Mozilla, that says "Click Update to update a plugin." with a big yellow update button. It's Mozilla's explicitly stated update instructions, thus I'm saying that anything pointed to through this is implicitly endorsed as the recommended update route. Also, from an end-user perspective, it just looks wrong.

> The alternative is not
> pointing at the source and letting users figure it out on their own, where
> they'll get the same offer. [...] if it's a choice of letting
> users know that they're using a potentially vulnerable or unstable version
> of software that is used by a very large portion of the web and showing them
> where to get an update vs. hoping they can figure it out, we'll continue to
> point at them.
> 
> The alternative, in my mind, is much, much worse.

I of course agree with this entirely. Of course this is better than not listing it at all. I'm just saying it's not ideal and not what Mozilla should be recommending. I'll take security fixes plus bundled software that shouldn't be there over security holes and thus the potential for malware installed that really shouldn't be there any day. ;)

> We're working on it, but at the end of the day it's beyond our control.

Glad to know you're on it. I simply confirmed this in response to the problem in the hopes that it can eventually be resolved. As I said, this sort of is a TE-like case.

All that would really be needed to avoid problems here would be to convince someone at Adobe to move both checkboxes to their stub installer. This would allow people to make their installation choice where it usually is and even let Adobe advertise multiple things in one place more easily if they really want to.

Of course the really ideal route would be to not even need the plugin check page and just update plugins like other addons, but that always seems to be a pipe dream. :/

I think it's better to link from the plugincheck page and the PFS to:
* Windows: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
* Mac: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_osx_intel.dmg
* Linux: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_10_linux.tar.gz (needs to be updated when Flash 11 is released)

There might be overload issues as I don't know how Adobe mirrors this server.

I haven't checked into this, but it strikes me that the Adobe Flash Update Utility runs every time I start my PC and there is an update available. It is obviously going to pull from a location Adobe has designed to handle a high volume of traffic. IIRC, when it runs it checks that you've closed all processes currently using Flash so it can update them.

Why not investigate triggering this already-installed system if available, which should not try to throw a new browser on the system?

(In reply to Scoobidiver from comment #6)
> I think it's better to link from the plugincheck page and the PFS to:
> * Windows:
> http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

+1

> There might be overload issues as I don't know how Adobe mirrors this server.

fpdownload.adobe.com has been served by the Akamai CDN network.

Version: Firefox 6 → unspecified
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 655266

whoops. wrong bug.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Status: REOPENED → NEW

I am on Nightly and had Flash installed, working correctly.

After the last update, Nightly claimed I did not have Flash, and re-downloaded/re-installed it from a pop-up. With the exception of a minor issue this idea of 'capturing a local copy' (initially) _seems_ to work much better (by a long stretch).

I suspect we will need to reevaluate many of the Flash BRs prior to yesterday to determine if they still apply. A "mass 'need more info.'" might close many Reports.

Status: NEW → RESOLVED
Closed: 8 years ago → 5 years ago
Resolution: --- → INVALID