Slashdot Mirror


New Default: Mozilla Temporarily Disables Flash In Firefox

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."

  1. We need Flash, because it is easy to block by sinij · · Score: 5, Insightful

    We need Flash because it is easy to block. You can remove a huge chunk of Web obnoxiousness by simply disabling/uninstalling Flash while not breaking the rest of the website. With HTML5, this won't be as straightforward a process.

    1. Re:We need Flash, because it is easy to block by gstoddart · · Score: 4, Interesting

      You got modded funny, but I tend to agree.

      If the crap that Flash does is part of the HTML 5 spec, I really do worry we won't be able to block it quite so readily.

      In which case the browsers become even less secure. That will be a bad thing.

      --
      Lost at C:>. Found at C.
  2. Re:Isn't Flash extinct? by pack27 · · Score: 5, Informative

    ESPN, Bleacher Report, Facebook, Hulu, Steam trailers, pretty much every single news website, etc.

    --
    Arch Linux master race!
  3. Re:Isn't Flash extinct? by Jamu · · Score: 4, Funny

    It's mostly on Facebook that I notice I've not got Flash installed. I especially like the way it tells me my technology is out of date.

    --
    Who ordered that?
  4. Chrome by Anonymous Coward · · Score: 4, Insightful

    Won't this just cause frustrated users to switch to Chrome or another browser, further hurting Mozilla's market share? Recently I went to a Flash web site, it didn't work, so I booted up Chrome.

  5. Not really true (anymore) by R.Mo_Robert · · Score: 5, Informative

    Mozilla did block the then-latest version of Flash Player, 18.0.0.203, last night. Adobe released version 18.0.0.209 early today, which fixes this vulnerability and which Mozilla is not blocking. They didn't really block "all versions," they just blocked versions less than or equal to known vulnerable versions, which at that time happened to also include the then-latest version. Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.

    --
    R.Mo
  6. Re:Can they fix Firefox popup blocked? by tepples · · Score: 4, Informative

    Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper [...] Firefox should do the same!

    Firefox has been running Flash Player in plugin-container.exe for years.