Slashdot Mirror


New Default: Mozilla Temporarily Disables Flash In Firefox

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in Action Script 3 while the other is in the BitMapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."


  1. Re:Isn't Flash extinct? by pack27 · · Score: 5, Informative

    ESPN, Bleacher Report, Facebook, Hulu, Steam trailers, pretty much every single news website, etc.

    --
    Arch Linux master race!
  2. Re:Isn't Flash extinct? by gstoddart · · Score: 2, Informative

    Depends on your definition of "useful".

    A lot of people seem to complain about how tragic it would be if people could no longer access games.

    Me, I'm of the opinion Flash has been a terrible security/privacy nightmare as long as it has existed and don't install it on my machines.

    Flash is long overdue to be killed off.

    Being the source of at least one security exploit every month for the last 15 years tells me it's a Steaming Heap of Innovative Technology, and always has been.

    --
    Lost at C:>. Found at C.
  3. Not really true (anymore) by R.Mo_Robert · · Score: 5, Informative

    Mozilla did block the then-latest version of Flash Player, 18.0.0.203, last night. Adobe released version 18.0.0.209 early today, which fixes this vulnerability and which Mozilla is not blocking. They didn't really block "all versions," they just blocked versions less than or equal to known vulnerable versions, which at that time happened to also include the then-latest version. Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.

    --
    R.Mo
  4. Can they fix Firefox popup blocked? by Anonymous Coward · · Score: 2, Informative

    Chrome can block popups that Firefox lets through. This is because Flash is doing the popup, and Firefox does not catch the CreateWindow, but Chrome does. Firefox only intercepts the normal web window creates.

    So at least for the moment, this fixes Firefox's crappy non-functioning popup blocker.

    Likewise Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper, the same way people pick up dog poop in plastic bags because they don't want to get their hands dirty in that pile of shit.

    Firefox should do the same!

    Now if only Firefox could also fix their tendency to add unwanted 'cloud' features, we'd be fine!

    1. Re:Can they fix Firefox popup blocked? by tepples · · Score: 4, Informative

      Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper [...] Firefox should do the same!

      Firefox has been running Flash Player in plugin-container.exe for years.

  5. Re:Blue Moon by Kargan · · Score: 3, Informative

    Not seeing any hits on Google for that one. Pale Moon?

    https://www.palemoon.org/

    --
    Palaces, barricades, threats, meet promises
  6. Re:Isn't Flash extinct? by jones_supa · · Score: 3, Informative

    They give a reasoning in the FAQ:

    "Yle Areenan videot toimivat edelleen Flash-soittimen avulla. Flash-soitinta käytämme siksi, että HTML5 standardi ei medioiden jakelussa tarjoa vielä sellaista suojausta, jota tekijänoikeuksien haltijat Yleltä vaativat. Vaatimukset tulevat sekä ohjelmantoimittajilta, että musiikin tekijänoikeusjärjestöiltä. Käyttöliittymätekniikkana HTML5 on käytössä, kuitenkin niin että palvelu on saavutettavissa myös vanhemmilla selaimilla."

    Translation: "Yle Areena videos still utilize Flash player. Flash is used because the HTML5 standard does not provide sufficient content protection that the copyright holders expect from Yle when distributing media. These requirements come from both programme distributors and music copyright organizations. HTML5 is being used in the user interface, but in a fashion that older browsers are also supported."

    Of course that information is now a bit obsolete, as these days HTML5 supports DRM as well.