Firefox now blocks all versions of Flash Player by default

In the wake of two new zero-day flaws in Flash Player, Mozilla has disabled the plugin for all versions of its Firefox browser.
Written by Liam Tung, Contributing Writer

Mozilla's support team has made the decision to block all versions of Flash Player from Firefox until Adobe releases a patch.

The block, announced by head of Firefox support Mark Schmidt, comes in response to the recent discovery of two critical zero-day flaws in Flash Player.

"BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now," Schmidt tweeted. He added a link to Firefox's add-ons page which details that the Flash Player Plugin (the most current and vulnerable version) has been blocked for users' protection.

The tweet was a little overly dramatic given that the move is only a stop-gap measure until Adobe releases a fix for the bugs. Apple has similarly blocked vulnerable versions of Flash Player in the past too -- a move that Adobe welcomed when Apple began the practice in 2012.

To clarify the matter, Schmidt later added: "Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities."

Adobe has promised patches for the two flaws, but the patches are yet to arrive. Security experts fear that hackers are already working to integrate attacks for the bug into exploit kits, which has already happened for one of the two new flaws.

The two Flash Player bugs (CVE-2015-5122 and CVE-2015-5123) were discovered by security researchers sifting through the 400GB of data from Italian surveillance software vendor Hacking Team which was leaked online last week.

Update: Adobe released patches on 14 July that addressed the two security issues.

Adobe has already published a patch for an earlier Flash bug, discovered last week in the Hacking Team's files, which formed part of its law enforcement product Remote Control System or 'Galileo'. That flaw was integrated into several exploit kits within hours of its discovery.

Due to the new Flash flaws, Facebook's chief security officer Alex Stamos this week called on Adobe to kill off Flash, which remains one of the most popular targets for hackers thanks to its ubiquity on desktops.

Trend Micro, one of the firms that discovered one of the latest bugs, cautioned users to disable Flash until Adobe releases a patch. Trend Micro noted earlier this week that, unlike the first of the three Flash flaws from Hacking Team's files, the two most recent bugs have not been seen in active attacks and have not been integrated into exploit kits. However, that status changed after security researcher Kafeine discovered that several exploit kits had bundled attacks for CVE-2015-5122.
