Slashdot Mirror


New Default: Mozilla Temporarily Disables Flash In Firefox

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."

38 of 199 comments

  1. We need Flash, because it is easy to block by sinij · · Score: 5, Insightful

    We need Flash because it is easy to block. You can remove a huge chunk of Web obnoxiousness by simply disabling/uninstalling Flash while not breaking the rest of the website. With HTML5, this won't be as straightforward a process.

    1. Re:We need Flash, because it is easy to block by gstoddart · · Score: 4, Interesting

      You got modded funny, but I tend to agree.

      If the crap that Flash does is part of the HTML 5 spec, I really do worry we won't be able to block it quite so readily.

      In which case the browsers become even less secure. That will be a bad thing.

      --
      Lost at C:>. Found at C.
    2. Re:We need Flash, because it is easy to block by SuperKendall · · Score: 2

      Amusing but true, there's already a lot of HTML5 nonsense that goes on in many sites, even on browsers I specifically disallow Flash on.

      I think what we need to advance user tech is "click to remove HTML5 element" with memory of what element you removed, that would automatically be scotched the next time you visited the same site. That way you could even allow "tame" ads if you liked, and just stop obnoxious floating elements that blocked content...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:We need Flash, because it is easy to block by fermion · · Score: 2

      I have used flashblock to control the flash player. Note the only reason I installed it was to stop autoplay flash. I can't really focus on anything else when a video is playing. With the implementation of flash blocking on Firefox, which started, what, a couple months ago, flash no longer works at all. Flash has been on the decline since the smart phone did not have the power to run it and everyone is blocking it. Which, as mentioned, is a moot point as HTML5 provides autorun ads that have no control. The sad thing is that Flash actually is a very good tool for doing some very useful things. Unfortunately, the only profitable thing it was ever good for was packaging ads.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    4. Re:We need Flash, because it is easy to block by Anonymous Coward · · Score: 2, Insightful

      I disagree. There will still be third-party plugins to do this, plus now you get the option to easily roll your own. For example, on slashdot I have a plugin that runs :

      $('video').empty().remove();

      plus several other scripts to re-display content in a manner of my choosing.

  2. Re:Isn't Flash extinct? by pack27 · · Score: 5, Informative

    ESPN, Bleacher Report, Facebook, Hulu, Steam trailers, pretty much every single news website, etc.

    --
    Arch Linux master race!
  3. Re:Isn't Flash extinct? by gstoddart · · Score: 2, Informative

    Depends on your definition of "useful".

    A lot of people seem to complain about how tragic it would be if people could no longer access games.

    Me, I'm of the opinion Flash has been a terrible security/privacy nightmare as long as it has existed and don't install it on my machines.

    Flash is long overdue to be killed off.

    Being the source of at least one security exploit every month for the last 15 years tells me it's a Steaming Heap of Innovative Technology, and always has been.

    --
    Lost at C:>. Found at C.
  4. Re:Isn't Flash extinct? by jones_supa · · Score: 2

    For Finnish people, YLE Areena is kind of important. That's the national public-broadcasting company's programme streaming website.

  5. Re:Isn't Flash extinct? by Jamu · · Score: 4, Funny

    It's mostly on Facebook that I notice I've not got Flash installed. I especially like the way it tells me my technology is out of date.

    --
    Who ordered that?
  6. Chrome by Anonymous Coward · · Score: 4, Insightful

    Won't this just cause frustrated users to switch to Chrome or another browser, further hurting Mozilla's market share? Recently I went to a flash web site, it didn't work, so I booted up Chrome.

    1. Re:Chrome by Zontar+The+Mindless · · Score: 2

      Opera.

      The latest version of Chromium appears to be good for little other than crashing my desktop on startup.

      --
      Il n'y a pas de Planet B.
    2. Re:Chrome by myowntrueself · · Score: 3, Insightful

      Won't this just cause frustrated users to switch to Chrome or another browser, further hurting Mozilla's market share? Recently I went to a flash web site, it didn't work, so I booted up Chrome.

      Yes, now you need 2 browsers; chrome and firefox.

      Chrome for flash and Firefox for java.

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:Chrome by prefec2 · · Score: 2

      Google is also thinking to remove support for flash from Chrome.

  7. Not really true (anymore) by R.Mo_Robert · · Score: 5, Informative

    Mozilla did block the then-latest version of Flash Player, 18.0.0.203, last night. Adobe released version 18.0.0.209 early today, which fixes this vulnerability and which Mozilla is not blocking. They didn't really block "all versions," they just blocked versions less than or equal to known vulnerable versions, which at that time happened to also include the then-latest version. Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.

    --
    R.Mo
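The "less than or equal to a known vulnerable version" rule described in the comment above, as an added example (not Mozilla's code or blocklist format; the entry object and function names are hypothetical). It compares dotted versions numerically, since a plain string comparison misorders them, and treats an unparseable version as blocked.

```javascript
// Added example: hypothetical blocklist entry and helpers, not Mozilla's real format.

// Parse "18.0.0.203" into [18, 0, 0, 203]; reject anything that is not dotted decimal.
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) {
    throw new TypeError("not a dotted numeric version: " + String(v));
  }
  return v.split(".").map(Number);
}

// Compare component by component as integers; missing components count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed entry: block everything up to and including the last
// known vulnerable build named in the comment (18.0.0.203).
const FLASH_BLOCK = { plugin: "Shockwave Flash", maxVulnerable: "18.0.0.203" };

// Fail closed: a version string that cannot be parsed is treated as blocked.
function pluginState(installedVersion, entry = FLASH_BLOCK) {
  try {
    return compareVersions(installedVersion, entry.maxVulnerable) <= 0
      ? "blocked"
      : "allowed";
  } catch (e) {
    return "blocked";
  }
}
```
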
    1. Re:Not really true (anymore) by Anonymous Coward · · Score: 2, Funny

      You know slashdot is slow, when even adobe have enough time to fix the flash before news actually hit the front page

    2. Re:Not really true (anymore) by colfer · · Score: 2

      Mozilla was blocking all Flash until the second update came out. The page https://www.mozilla.org/en-US/... clearly showed that. You could change it from "disabled" to "ask to activate" if you chose to.

      Chrome also updated today, but the bundled Flash player in Chrome is click-to-play by default. IE should do that with its bundled player. And Microsoft should use Windows Update to block the plugin player for old versions of IE. And old Java in any browser, with an override available.

  8. Can they fix Firefox popup blocked? by Anonymous Coward · · Score: 2, Informative

    Chrome can block popups, that Firefox lets through. This is because Flash is doing the popup, and Firefox does not catch the CreateWindow, but Chrome does. Firefox only intercepts the normal web window creates.

    So at least for the moment, this fixes Firefox's crappy non-functioning popup blocker.

    Likewise Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper, the same way people pick up dog poop in plastic bags because they don't want to get their hands dirty in that pile of shit.

    Firefox should do the same!

    Now if only Firefox could also fix their tendency to add unwanted 'cloud' features, we'd be fine!

    1. Re:Can they fix Firefox popup blocked? by tepples · · Score: 4, Informative

      Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper [...] Firefox should do the same!

      Firefox has been running Flash Player in plugin-container.exe for years.

  9. Here we go again by Virtucon · · Score: 2

    Whack-a-mole with Flash continues this week with yet another zero day vulnerability with Flash being fixed. This is unsustainable. Time for Flash to really die.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  10. Re:Isn't Flash extinct? by gstoddart · · Score: 3, Interesting

    It's one of the 3 browsers I keep open all the time.

    I don't give a damn about any of their new features. But it's the one which is set to not run any javascript ever or accept cookies and has the most locked down settings.

    It's my "I don't trust you" browser.

    --
    Lost at C:>. Found at C.
  11. Re:Isn't Flash extinct? by Grishnakh · · Score: 2

    People who want to use the best browser, that's who.

    IE is trash of course, and Chrome, while it was a good option a while ago because FF was so buggy and Chrome was leaner and faster, today Chrome is a slow memory hog and FF has fixed most of its problems and runs much faster and with far less memory.

  12. Re:Isn't Flash extinct? by Feanturi · · Score: 2

    Some can, some can't. Flash is not installed on my machine, and I can see various videos without it, but some throw the "missing plugin" tile.

  13. Vector animation by tepples · · Score: 2

    Flash has historically been used for vector-based multimedia. If, say, Strong Bad emails or French Erotic Film were converted to MP4 or WebM, they'd be ten times bigger (source: my tests) and thus count ten times more against your ISP's monthly cap. Sure, Adobe's newer tools can export .fla to HTML5, but those tools are available only for rental, and anything needing the .fla works only if the original author is still contactable.

  14. Re:Is there a browser that doesn't try to be a nan by peppepz · · Score: 2

    It's not that Firefox disables flash behind your back: it displays a security warning in place of flash boxes, having a button to enable the plugin again. Also, it will only do it for versions of flash which are known to be vulnerable. This is quite a good thing IMHO: remaining within the nanny terminology, it's not a matter of how much grown up you are, if you have a vulnerable plugin, and you visit a compromised site, your machine will be owned.

  15. Re:Blue Moon by Kargan · · Score: 3, Informative

    Not seeing any hits on google for that one. Pale Moon?

    https://www.palemoon.org/

    --
    Palaces, barricades, threats, meet promises
  16. Re:Is there a browser that doesn't try to be a nan by brunes69 · · Score: 2

    Except the OP's other example, Chrome, offers no workaround. Chrome removed all support for NPAPI, and therefore Java, from the Linux codebase. There is no command line flag or back-end setting to bring it back. This makes it IMPOSSIBLE to use Chrome for work purposes by a huge number of people, and forced us all to Firefox.

    The only way to get it back is to build it from source yourself, since no one has created a fork yet.

  17. Flash in Firefox/Linux by Zanadou · · Score: 2

    If you're (forced to!) run the outdated version of Flash in Firefox on Linux, now might be a good time to go to the tools menu > addons > plugins and set Shockwave Flash to "Ask to Activate". Then the plugin will stay disabled per default, but can be activated on a per-site basis.

    Adobe: "You're on your own."

  18. Re:Isn't Flash extinct? by jones_supa · · Score: 3, Informative

    They give a reasoning in the FAQ:

    "Yle Areenan videot toimivat edelleen Flash-soittimen avulla. Flash-soitinta käytämme siksi, että HTML5 standardi ei medioiden jakelussa tarjoa vielä sellaista suojausta, jota tekijänoikeuksien haltijat Yleltä vaativat. Vaatimukset tulevat sekä ohjelmantoimittajilta, että musiikin tekijänoikeusjärjestöiltä. Käyttöliittymätekniikkana HTML5 on käytössä, kuitenkin niin että palvelu on saavutettavissa myös vanhemmilla selaimilla."

    Translation: "Yle Areena videos still utilize Flash player. Flash is used because the HTML5 standard does not provide sufficient content protection that the copyright holders expect from Yle when distributing media. These requirements come from both programme distributors and music copyright organizations. HTML5 is being used in the user interface, but in a fashion that older browsers are also supported."

    Of course that information is now a bit obsolete, as these days HTML5 supports DRM as well.

  19. Re:Isn't Flash extinct? by Gizan · · Score: 2

    My forced HTML5 Youtube is still asking to activate flash for every video...

  20. Re:Isn't Flash extinct? by paul_metcalfe · · Score: 2

    This may prove an excellent incentive for those websites to stop using such dangerous technologies.

    I've had flash on "ask to activate" by default for a while now, and it wants to activate on almost every fucking website I visit. I don't see any flash elements on those pages. It's probably used solely for advertising by most sites.

    But yeah, youtube don't need it anymore. You can still watch your cat vids.

    --
    Always read at -1, don't let others decide what you should and should not read.
  21. Re:Isn't Flash extinct? by paul_metcalfe · · Score: 2

    My national broadcasters used Silverlight. This angered many people because of obvious reasons.

    Max schadenfreude of course when MS pulled the plug on Silverlight.

    --
    Always read at -1, don't let others decide what you should and should not read.
  22. Re:Isn't Flash extinct? by LocalH · · Score: 3, Interesting

    When Jobs made the decision to disallow Flash on the iPhone, there were no third-party apps. Period. There wasn't even a jailbreak, since he made the decision prior to the release of the original iPhone. So, his decision had nothing to do with the App Store, since it didn't exist.

    --
    FC Closer
  23. Re:Isn't Flash extinct? by bigpat · · Score: 2

    Adobe should provide/sell tools that will enable people to convert their Flash content into the equivalent standards based browser supported formats. If they make it easy they will have created an essential web development tool in the process. If they stick with Flash they are just milking the dead horse.

  24. Re:Isn't Flash extinct? by Stewie241 · · Score: 3, Insightful

    Yes, that was the narrative at the time - 'they are taking away our freedom'. In hindsight, even though I probably would have heavily criticized Apple for the move, and would have pointed to it as a reason to choose Android, the reality of the situation was, at least in my experience, that Flash on Android was a rather shitty experience that never really worked that well. And while it seemed arrogant and annoying that Steve Jobs tried to use his sway to annihilate Flash as a platform, I now believe that it was for the best. Flash has a heavy impact on battery life, is generally a lot slower, and is generally less secure than native alternatives.

    So, yes, Apple made a seemingly arrogant move and exiled Flash from the iOS platform, but in the long run this drove development toward alternatives and pushed web developers to use technologies that were more mobile friendly (like using HTML for your content instead of some flash application) and I think the overall net effect for the web community has been positive.

  25. Re:Isn't Flash extinct? by BitterOak · · Score: 2

    Oops. Sorry to answer my own question, but after a bit of research (which I should have done before posing the question, I guess) I found the answer. It's at www.youtube.com/html5. I guess it just isn't the default yet.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  26. Re:Isn't Flash extinct? by msobkow · · Score: 2

    What Apple wanted was lock-in to their tool chain, so all interpreters were blocked from release for iOS. It's not about "forward looking" -- it's about being able to sell an Apple Mac to every single developer out there that wants to run their tool chain. Money, money, money. And more money.

    --
    I do not fail; I succeed at finding out what does not work.
  27. Re:Isn't Flash extinct? by Anonymous Coward · · Score: 3, Insightful

    I care about none of those things.

    Oh well, we don't need it then.

    I seriously can't believe how self-involved and ignorant some people on here are. People like you are why the stereotype of anti-social, geek basement dwellers is proliferated, you define it.

  28. Re:Isn't Flash extinct? by Citizen+of+Earth · · Score: 2

    ESPN, Bleacher Report, Facebook, Hulu, Steam trailers, pretty much every single news website, etc.

    Those don't even matter. PORN sites use Flash. QED.