noscript and adobe flash critical vulnerability

[Guest]

Hi, I hope it's okay to ask this question here. I know adobe would not answer such and I don't want to log in on tech sites to see if there is an answer.

Adobe flash has a critical vulnerability. I have noscript and so to be safe I'm using temp allow sparingly. I would like to be able to at least view youtubes and wondering if vulnerable when in youtubes.

I did read of a version adobe said can use to mitigate until the patch comes out, but that says is under development and I dont' want to take a risk with that.

Just wondering if youtubes are safe to watch directly on their site.

I apologize in advance if I shouldn't have asked about this here on this forum.

Thank you!

[Alan Baxter]

I would expect that viewing Flash on youtube.com is safe. I have NoScript set up to block Flash even on trusted sites by checking NoScript Options > Embeddings > Apply these restrictions to whitelisted sites too. I only click the placeholder for Flash videos that I want to see. You shouldn't have any problem.

That said, I've installed the Flash release candidate that doesn't have the vulnerability. I recommend you do so too.
http://labs.adobe.com/downloads/flashplayer10.html

[Guest]

Dear Alan,

Thank you so much for your reply!

I wasn't sure if it was safe to use the pre-release version 10 as it is in testing phase or beta and due to that, I felt it was more geared to people who have technical expertise, which I don't have. It sounds like from what you wrote that I should use it and so thank you for encouraging me to do so.

On the other part you wrote:

I have NoScript set up to block Flash even on trusted sites by checking NoScript Options > Embeddings > Apply these restrictions to whitelisted sites too. I only click the placeholder for Flash videos that I want to see. You shouldn't have any problem.

I have always had only the defaults checked that noscript comes with and so just to double check that I understand correctly what you wrote above...

Are you saying if I tick 'apply these to whitelisted sites too' that when I want to view a video, I would just need to temp allow it, such as temp allow youtube, ytming for youtube?

Thank you so much for helping me!

[Guest]

Too bad NoScript doesn't include some guidance as to on what sites it is extra important to check with NoScript's middle click feature, such as sites currently being investigated by Google, etc, but not yet blocked by Firefox-Google-Badware.

Most users are not going to check 10,000 or more sites because 1 is likely bad that middle click would warn against that isn't already blocked by Firefox-Google-Badware.

[Alan Baxter]

Are you saying if I tick 'apply these to whitelisted sites too' that when I want to view a video, I would just need to temp allow it, such as temp allow youtube, ytming for youtube?

Yes. You temporarily allow it by clicking on the Flash object's placeholder.

[Guest]

Dear Alan,

Hi, I started to write that I couldn't get it working but while writing back to you I tried it again and saw that it's just a different setting that I have to temp allow for youtube. Actually called an object and says allow flash..which is neat, as now I know which is the only one I need to temp allow.

I imagine this will be the same for other sites. Sometimes, on other sites, I have temp allowed tons to try to get a video to play, where it might be now that I will be able to just find and temp allow one that actually says flash.

Thank you so much for your help and also for your recommendation to go to the ver10 prerelease of Adobe flash. I've always thought such things were only for developers and people who know what they are doing, but I sure feel much better having that installed!

[Guest]

Thank you so much for your help and also for your recommendation to go to the ver10 prerelease of Adobe flash. I've always thought such things were only for developers and people who know what they are doing, but I sure feel much better having that installed!

If you know how to roll back to the "stable" version in case you run into problems with the pre-release one you should be fine.

[Guest]

Thank you for writing that as I would not normally think about adobe first or possibly at all, if there were any problems, so I appreciate that you wrote that to me.

Take care

[Alan Baxter]

Thank you so much for your help and also for your recommendation to go to the ver10 prerelease of Adobe flash. I've always thought such things were only for developers and people who know what they are doing, but I sure feel much better having that installed!

Me too! I usually don't install betas or release candidates either -- that is, unless they fix a problem I'm having. In this case I installed it only because the release candidate fixes a critical vulnerability that's being actively exploited. Also, release candidates are usually pretty stable. In fact this release candidate for Flash 10.1 may turn out to be identical to the final version scheduled to be released June 10, if I recall correctly.

[Guest]

Me too! I usually don't install betas or release candidates either -- that is, unless they fix a problem I'm having. In this case I installed it only because the release candidate fixes a critical vulnerability that's being actively exploited. Also, release candidates are usually pretty stable. In fact this release candidate for Flash 10.1 may turn out to be identical to the final version scheduled to be released June 10, if I recall correctly.

It's good to know that release candidates are usually pretty stable and that the reason you installed it was because the other version was being actively exploited. All this is good to know!

I am also glad to have been around here reading things and learning more about noscript. I have had it a long time but only looked up things here and there, so it's been good to look more into the capabilities. As well, I never knew how much protection it is. Not that I understand it, but I am very thankful to Giorgio be able to have it.

Talk to you again.. take care!

[dhouwn]

RC 7 (10.1.53.64) became the release version. You were right, Alan.

[therube]

http://get.adobe.com/flashplayer/

MD5 hash:

v10.1.53.64, install_flash_player.exe 6e23eadba1e84f43e5d28053a8ba27a9

That way you can know that it is the same (& not just the same version number).
(But then you can only know what I posted, cause I didn't see where Adobe posted a hash value?)

(Someone we know has been known to bump versions without bumping the version number. Someone else we know doesn't like that .)

[Guest]

Hi, I had the prerelease 1.01.53.64 and am wondering now after the last post, do I need to uninstall and install the official one released today?

Thanks!

[Alan Baxter]

You were right, Alan.

Finally First time this week.

@therube:

Hi, I had the prerelease 1.01.53.64 and am wondering now after the last post, do I need to uninstall and install the official one released today?

I'm not going to bother. They should be identical.

[Guest]

Thanks Alan! It's me again..lol

I'll just leave it then!

Take care!