Mozilla blocks all Flash in Firefox after third zero-day
14 July 2015 | 0
Mozilla has began blocking all versions of Adobe Flash Player from running automatically in its Firefox browser, reacting to news of even more zero-day vulnerabilities unearthed in a massive document cache pilfered from the Italian Hacking Team surveillance firm.
Computerworld confirmed that the current production versions of Firefox – dubbed v. 39 – on both Windows and OS X now block Flash.
Mozilla engineers swung into action over the weekend after reports surfaced late Friday of another Flash zero-day – the term that describes a flaw for which there is yet no fix, or patch – discovered in the gigabytes of data and documents stolen from the Hacking Team. At the time, the bug was the second in Flash spotted in just five days.
Since then a third Flash zero-day has cropped up.
Neither the second or the third vulnerability had been patched by Adobe as of late Monday, although the company has promised to do so this week.
Mozilla added the current-as-of-Monday Flash Player 22.214.171.124 to Firefox’s block list early Monday, and by day’s end engineers had finished their work, tested the block and released it to Firefox users.
Until Adobe issues a patched version of Flash, Firefox will not automatically engage the player without warning users, even if they have updated Flash to v. 126.96.36.199 since Wednesday, 8 July when Adobe shipped the patch for the first of the zero-day troika.
Mozilla rationalised the unusual step in one of the messages posted to the pertinent Bugzilla thread. “Even sans non-vulnerable update, we should consider the risks of blocking the vulnerable Flash versions (ie all of them) vs. allowing millions of people to use actively exploited versions of Flash without so much as a warning,” wrote Mark Schmidt, senior Firefox support lead.
With the block in place, any attempt to play Flash content in Firefox displays a message at the top of the browser display window that reads, “Firefox has presented the unsafe plugin Adobe Flash from running on [target URL].”
Users can sidestep the block by clicking an “Allow” button at the far right of the message. Options to allow Flash to run just the once, or permanently, appear next.