New Default: Mozilla Temporarily Disables Flash In Firefox
Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article:
One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash. Exploits for these vulnerabilities were found in the data taken from Hacking Team in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well.
Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."
Are there any sites that still use Flash to serve useful web content?
We need Flash because it is easy to block. You can remove a huge chunk of Web obnoxiousness by simply disabling/uninstalling Flash while not breaking the rest of the website. With HTML5, this won't be as straightforward a process.
I guess now, more than ever, is the time to dump it. I'm not gonna bother looking at the trending for bugs, but it certainly sounds like it isn't getting any more secure as a product overall.
So, on to HTML5 I guess? Other than vlc-plugin browser integration, I guess video in the browser is gonna be minimal moving forward. Half of what I pull up in Youtube doesn't load in HTML5, or vlc for some reason. I'm guessing most of the mainstream media sites will be useless without flash, so not much lost there...
Certainly not going to miss the flash ads....
Won't this just cause frustrated users to switch to Chrome or another browser, further hurting Mozilla's market share? Recently I went to a Flash web site, it didn't work, so I booted up Chrome.
Mozilla did block the then-latest version of Flash Player, 18.0.0.203, last night. Adobe released version 18.0.0.209 early today, which fixes this vulnerability and which Mozilla is not blocking. They didn't really block "all versions," they just blocked versions less than or equal to known vulnerable versions, which at that time happened to also include the then-latest version. Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.
R.Mo
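The distinction made above, that Firefox blocked versions less than or equal to a known-vulnerable version rather than "all versions", comes down to a numeric version-range check. The following is an added example, not Mozilla's blocklist code: it parses dotted plugin versions, compares them component by component, and tests an installed version against a constructed blocklist entry whose upper bound is the 18.0.0.203 mentioned in the post. The plugin name, the entry's fields and the reason string are assumptions for illustration; the real Firefox blocklist is distributed separately and is not reproduced here.

```javascript
// Added example (not Mozilla's code): a minimal plugin blocklist check
// modelled on the idea in the post above, that Firefox blocks plugin
// versions less than or equal to a known-vulnerable version rather than
// "all versions". The blocklist entry below is constructed for illustration.

// Parse a dotted version string such as "18.0.0.203" into an array of
// integers; non-numeric components are treated as 0.
function parseVersion(v) {
  return String(v).split('.').map(part => {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Compare two dotted versions numerically, component by component.
// Returns -1, 0 or 1. Missing trailing components count as 0, so
// "18.0" equals "18.0.0.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed blocklist: each entry names a plugin and a closed version
// range that is known vulnerable. maxVersion "18.0.0.203" is the version
// the post says was blocked; the entry itself is not copied from a real blocklist.
const BLOCKLIST = [
  { plugin: 'Shockwave Flash', minVersion: '0', maxVersion: '18.0.0.203',
    reason: 'CONSTRUCTED: two RCE flaws in ActionScript 3 and BitmapData' },
];

// Find the blocklist entry whose range contains the installed version.
// Returns the matching entry, or null if the version is allowed.
function blocklistEntryFor(pluginName, installedVersion, blocklist = BLOCKLIST) {
  for (const entry of blocklist) {
    if (entry.plugin !== pluginName) continue;
    if (compareVersions(installedVersion, entry.minVersion) >= 0 &&
        compareVersions(installedVersion, entry.maxVersion) <= 0) {
      return entry;
    }
  }
  return null;
}

function isBlocked(pluginName, installedVersion, blocklist = BLOCKLIST) {
  return blocklistEntryFor(pluginName, installedVersion, blocklist) !== null;
}

// Why naive string comparison is the wrong tool: as strings,
// "18.0.0.209" < "18.0.0.21" (because "0" < "1" in the fourth component),
// even though 209 > 21 numerically. Returns true when both facts hold.
function stringCompareIsWrong() {
  return ('18.0.0.209' < '18.0.0.21') &&
         compareVersions('18.0.0.209', '18.0.0.21') > 0;
}

// Stand-alone demonstration: the patched 18.0.0.209 passes, older versions do not.
for (const v of ['18.0.0.203', '18.0.0.209', '17.0.0.190', '18.0.0.21']) {
  console.log(v, isBlocked('Shockwave Flash', v) ? 'BLOCKED' : 'allowed');
}
```

The closed range is the point: once the vendor ships a fix above the upper bound, that version is allowed without any change on the browser side, which is exactly what the post describes happening when 18.0.0.209 was released.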
Chrome can block popups that Firefox lets through. This is because Flash is doing the popup, and Firefox does not catch the CreateWindow, but Chrome does. Firefox only intercepts the normal web window creates.
So at least for the moment, this fixes Firefox's crappy non-functioning popup blocker.
Likewise Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper, the same way people pick up dog poop in plastic bags because they don't want to get their hands dirty in that pile of shit.
Firefox should do the same!
Now if only Firefox could also fix their tendency to add unwanted 'cloud' features, we'd be fine!
Whack-a-mole with Flash continues this week with yet another zero day vulnerability with Flash being fixed. This is unsustainable. Time for Flash to really die.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Can these exploits escape firefox's plugin sandbox on [Windows|Mac|Linux]?
I wonder how this affects companies whose flagship products are predominantly Flash based. I suppose as long as Chrome and IE continue to support flash, not much.
Who still installs flash? Especially now there's HTML5 video (DRM encumbered shit aside, just talking YooToob) there's really no reason.
As for non-multimedia, any webpage with flash on it is, well, obscene.
First it's Chrome disabling Java for you, now it's Firefox disabling Flash.
Some people need browsers that don't disable functionality like this so they can get their jobs done.
What's the best browser for this? (Windows or Linux)
It would have to support both Java and Flash and not just disable them from time to time without asking first.
In the free world the media isn't government run; the government is media run.
You really need to do what I want, even if I want to run bug-ridden Flash.
You may warn me, once, but then leave me be.
All this nannying is driving a normal person crazy.
Blue Moon, baby, Blue Moon.
Installed it yesterday, won't be bothering with Mozilla again.
The Future of Human Evolution: Autonomy
Hopefully VMware will wake the fuck up and realize putting shitty flash in their web based app is the way to go.
I believe that is Microsoft Exploder.
Totally... Now I don't like or use Java or Flash anymore (disable/uninstall when possible), but any/all applications/OSes that can go into a system and change stuff at the direction of anyone other than the system admin/human is something I try to avoid... Talk about security risks, anyone could then use that 'update/exploit' prevention backdoor to snoop/do anything to customers' computers...
I'm still running Windows XP SP2, disabled Windows Updates, no anti-virus or self-updating programs on 9 out of 10 PCs; once a year or when the system seems slow I'll install the latest anti-viruses etc. etc. and always come up clear... Security by obscurity works better than any of the modern 'browser' techs they are pushing nowadays.
tubemate, keepvid.com, to view/keep youtube videos if necessary..
I think you'll find Plugin Container is not a proper VM; it's just a process that lets them kill it when it hangs, i.e. for better threading and process crash control rather than security.
If it was a VM then they could block the calls to CreateWindow and make the popup blocker work.
Whereas Chrome's is 'Pepper' I recall, a VM wrapper for Adobe Flash.
I have problems like this with multiple websites, particularly financial accounts. They have all gone "full stupid", trashing perfectly functional web interfaces in favor of the gimmicky, form-over-function tablet style. How can I "freeze" a web page so that I can properly copy and paste numbers into my spreadsheet, or prevent the auto-logout from kicking me off after 2 minutes on my own home computer? This is getting to the point of absurdity, as if the look and feel of their website is more important than me getting actual work done.
If you're on Windows, essentially you keep IE around to run the shit you wouldn't enable in any other context but you need for work.
For me, IE is the browser of last resort, or the one I exclusively use for work stuff.
AFAIK, IE is happy to keep letting every insecure piece of crap keep running.
I've essentially got four browsers configured for different purposes.
Lost at C:>. Found at C.
Flash has historically been used for vector-based multimedia. If, say, Strong Bad emails or French Erotic Film were converted to MP4 or WebM, they'd be ten times bigger (source: my tests) and thus count ten times more against your ISP's monthly cap. Sure, Adobe's newer tools can export .fla to HTML5, but those tools are available only for rental, and anything needing the .fla works only if the original author is still contactable.
I just discovered this awesome little plug-in last night looking for a solution for two sites I use (actually a dozen indirectly). It works really really well for 95% of sites. The only one I'm missing support for is the bbc (just the news video clips, as apparently the plug-in has support for some other bbc video service I don't use).
https://addons.mozilla.org/en-us/firefox/addon/watch-with-mpv/
Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.
Hey, there are a lot of linux users here - we're used to it. Mozilla has been blocking the current version of Flash on Linux for three years now. The people who know that codebase can't seem to figure out how to put in an if statement (I jest - they just don't give a fuck about it working).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's not that Firefox disables Flash behind your back: it displays a security warning in place of Flash boxes, with a button to enable the plugin again. Also, it will only do it for versions of Flash which are known to be vulnerable. This is quite a good thing IMHO: remaining within the nanny terminology, it's not a matter of how grown up you are; if you have a vulnerable plugin and you visit a compromised site, your machine will be owned.
I've been thinking lately about setting up a GPO in our environment to disable all flash and java plugins on login. If a user wants flash or web java for a session, they can enable it. The only problem is the users would revolt.
Except the OP's other example, Chrome, offers no workaround. Chrome removed all support for NPAPI, and therefore Java, from the Linux codebase. There is no command line flag or back-end setting to bring it back. This makes it IMPOSSIBLE to use Chrome for work purposes by a huge number of people, and forced us all to Firefox.
The only way to get it back is to build it from source yourself, since no one has created a fork yet.
While I appreciate that Adobe endlessly updates Flash, the fact that they can't manage to write a functional updater for OS X makes me wary of the value of the updated code. When you have to completely uninstall Flash every time and reinstall it, I decided to stop after the uninstall.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
If you're (forced to!) run the outdated version of Flash in Firefox on Linux, now might be a good time to go to the Tools menu > Add-ons > Plugins and set Shockwave Flash to "Ask to Activate". Then the plugin will stay disabled by default, but can be activated on a per-site basis.
Adobe: "You're on your own."
In about:plugins, I see a security warning for the Java plugin. I don't see one for Flash even though I have the vulnerable 203 version installed. ghacks says there is a warning for Flash.
And why can't Firefox autoupdate the Flash plugin, like it does with other addons?
We can hope.
Always read at -1, don't let others decide what you should and should not read.
If you're on Windows, essentially you keep IE around to run the shit you wouldn't enable in any other context but you need for work.
For me, IE is the browser of last resort, or the one I exclusively use for work stuff.
AFAIK, IE is happy to keep letting every insecure piece of crap keep running.
I've essentially got four browsers configured for different purposes.
I did try IE but it's been so slow and crashes on so many sites...
In the free world the media isn't government run; the government is media run.
After all, the platform with the largest rich soft underbelly of easily exploitable code is Microsoft Windows. So do not hold your breath waiting for Flash to disappear. Like Windows, there is way too much code built on top of it for it to simply die a quick death and disappear.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
How do you malign a program which for years has had more holes in it than a colander? Does anybody recall the pwn-to-own winner who commented that the quickest and best step you can take to secure your browser is to disable flash?
Flash LSOs are only one persistence means used by the evercookie library. It also uses HTML5 localStorage, IndexedDB, pixel values in cached images, and other methods.
It's time for you to find a new place to do your banking.
That's not practical for everyone, especially if you happen to live in a place that has only one bank's ATMs. When I went to college from 1999 through 2003, only Terre Haute First Financial Bank had ATMs in Terre Haute, Indiana.
Mozilla has been blocking the current version of Flash on Linux for three years now.
You cite a Bugzilla bug as evidence. But as of right now, Bugzilla is giving a "Service Unavailable" error, and Wayback Machine gives "Page cannot be crawled or displayed due to robots.txt." Is that the bug about implementing the entire PPAPI to use Google Native Client plug-ins? Or is it some other bug?
I'm okay with the warning/enable system in FF, but I really wish they'd add a global button of "yeah yeah, fuck off and enable it because I said so and I'll take the risk" for when I really need to get stuff done and I'm tired of having to click on the flash box on every damned site.
https://bugzilla.mozilla.org now returns:
Service Unavailable
The service is temporarily unavailable. Please try again later.
They're becoming like a nasty commercial corporation that doesn't share information. Mozilla hates their users, and not allowing us to file or even see bugs shows how much disdain they have for us.
I have been using this Flash disable plugin for a long time. It is easy to use; it is simple: it just triggers internal configurations that Firefox has always had. It adds a button to enable Flash on those few sites where Flash is used for content and cannot be replaced. I recommend ticking 'Disable at startup' and 'Ask to activate' in the preferences. "Simple & easy" always provides better security.
Enough said.
You don't suppose that the reason IE is slow and crashes on so many sites is precisely *because* it's so promiscuous regarding third-party components that are poorly written, do you? Of course you don't, because that would require admitting that what Google and Mozilla do -- blocking shit that ruins your experience -- is actually the only sane way to be good stewards of Chrome and Firefox. And you've already assumed that they're just doing that to piss you off.
I like this. A lot. ... flash is dead. ... it's a real power trip.
For a long time, things went like this: I visit a website, I get bombarded with ads, unwanted content, redirected willy-nilly, autoplaying videos. (I open a tab for each news item I want to read, 20 at a time; it can be REALLY irritating.)
These days, I have an adblocker installed. And now:
Visiting a website, and seeing it beg for me to deactivate the adblocker and asking to enable Flash.
I run Nightly, and have the latest Flash installed (just updated it to make sure). Flash content seems to load fine, I get no blocking message.
FC Closer
I remember having fun in the flash-based myspace chat rooms using some creative AS chicanery. Good times. I'm too old for this crap now.
Wait, what?
So, you want a browser which doesn't disable crapware when it becomes so broken as to be dangerous. But you also want a browser which doesn't suck?
You're joking, right?
Lost at C:>. Found at C.
about:config
extensions.blocklist.enabled = false
Wait, what?
So, you want a browser which doesn't disable crapware when it becomes so broken as to be dangerous. But you also want a browser which doesn't suck?
You're joking, right?
People actually, believe it or not, have jobs that involve using flash and/or java in their browsers.
In the free world the media isn't government run; the government is media run.
You don't suppose that the reason IE is slow and crashes on so many sites is precisely *because* it's so promiscuous regarding third-party components that are poorly written, do you? Of course you don't, because that would require admitting that what Google and Mozilla do -- blocking shit that ruins your experience -- is actually the only sane way to be good stewards of Chrome and Firefox. And you've already assumed that they're just doing that to piss you off.
This isn't for $randomsite
This is for work related stuff, very limited selection of 'sites' mostly actually hardware that has user interfaces in the browser. Some people use this stuff in their work, you know?
In the free world the media isn't government run; the government is media run.
I'm okay with the warning/enable system in FF, but I really wish they'd add a global button of "yeah yeah, fuck off and enable it because I said so and I'll take the risk" for when I really need to get stuff done and I'm tired of having to click on the flash box on every damned site.
exactly!
I want a "I know what I'm doing and only using this browser on known sites just get out of my way and let me do my fucking job" browser.
In the free world the media isn't government run; the government is media run.
In other news: Mozilla is stuffing their browser with a load of crap apps no one asked for.
I'm running Iceweasel (a Firefox fork) on Debian Linux. Flash is blocked now. However, I don't really understand how they actually "blocked" it. I don't remember having installed any Iceweasel updates today. Does Mozilla have any sort of "remote control" over Firefox clients so that it can disable plugins? Because that would sound scarier than Adobe Flash vulnerabilities...
Which in no way changes that both the Flash and Java plugins are horrible, flaky, insecure, and deprecated.
As I said, you pretty much have to keep one browser for all the shit you shouldn't trust, and one for the rest.
But don't be surprised when the horrible, flaky, insecure and deprecated plugins demonstrate why they're all those things.
When your company sticks you with garbage, you're stuck with garbage. It sucks, but the solution isn't for everybody else to try to make Flash and Java suck less when used on web pages.
Mozilla are protecting most of their users. Your IT department can protect you.
If Flash is going to be on its 38th exploit of the month, I applaud Mozilla disabling it. Because it really always has been a pile of shit, and has always been insecure beyond belief.
Lost at C:>. Found at C.
Which in no way changes that both the Flash and Java plugins are horrible, flaky, insecure, and deprecated.
As I said, you pretty much have to keep one browser for all the shit you shouldn't trust, and one for the rest.
But don't be surprised when the horrible, flaky, insecure and deprecated plugins demonstrate why they're all those things.
When your company sticks you with garbage, you're stuck with garbage. It sucks, but the solution isn't for everybody else to try to make Flash and Java suck less when used on web pages.
Mozilla are protecting most of their users. Your IT department can protect you.
If Flash is going to be on its 38th exploit of the month, I applaud Mozilla disabling it. Because it really always has been a pile of shit, and has always been insecure beyond belief.
Yes, it's true, companies make you use insecure, crappy browser plugins to manage their hardware. Companies like Supermicro, Dell, Cisco, the list just goes on and on.
In the free world the media isn't government run; the government is media run.
Imagine if HTML5 was as good as Flash in terms of performance, compactness & platform consistency?
If it was, I would move over to it for product development.
The problem is, it's not, and not looking like it's going to be any time soon.
And so, Flash remains. If Adobe had half a brain, they would open source it, re-brand it and take advantage of the lead they still have.
At least in the case of Flash, there is a single major vendor working hard to address vulnerabilities as quickly as they are found.
One of the reasons why there are so many vulnerabilities being addressed is because of the breadth of functionality that Flash covers. If you put together even a single package of HTML5-compliant components that supported the same scope, I'd love to see how many vulnerabilities arose out of that. When you consider the number of combinations of components that could be mixed to achieve the same scope in the HTML5 domain, how on earth as a consumer could you track any known status for security compliance/resilience?
I'm surprised any serious enterprise lets cloud based HTML5 apps be used at all.
Are people here really paying attention to what the CSO of Facebook says?
Really?
And then there's Mozilla, an organisation I previously held with some regard.
When are OS vendors going to release a 'Mozilla blocking' feature, every time there is a major vulnerability discovered in Mozilla?
Adobe should be considering taking Mozilla to court over this.
You probably have bigger issues if you use your mobile data plan as your main ISP at home.
Not everybody lives within the service area of unmetered Internet access. Some people have cellular, satellite, and/or harshly metered DSL as their only options. (See, for example, the story "An Iowa ISP's Metered Pricing: What Will the Market Bear?" from a year and a half ago.) Or are you recommending that people in this situation move?