Mozilla isn’t taking any chances after the discovery that Hacking Team, the recently breached surveillance software maker, had three working exploits for Adobe Flash. The open source organization decided to block all versions of the Flash Player plugin up to version 220.127.116.11 on Windows. Mozilla said Flash would remain on the Firefox blocklist until Adobe fixes all known vulnerabilities.
Since that decision was made, however, Adobe appears to have updated its Flash player to version .209, which is not blocked. Adobe had previously said it would fix all known vulnerabilities later this week; It’s not clear if version .209 fulfills that goal.
“Our blocklisting policy doesn’t call for us to block [version 18.104.22.168], provided it is sufficiently patched,” Mozilla’s head of Firefox support Mark Schmidt told PCWorld via Twitter.
This is not the first time Adobe Flash has had critical vulnerabilities that needed to be fixed. What made Mozilla block Flash this time around was that at least three potential exploits are now publicly known—only one of which Abobe has acknowledged as fixed.
Earlier in July, hackers breached the systems of Italy-based Hacking Team and published 400GB worth of the company’s data online. Among that data were the Flash exploits as well as other previously unknown exploits in Windows and the Linux, according to reports.
Why this matters: Once the de facto standard for web video and animations, Adobe Flash is slowly losing favor to HTML5-based video capability built-in to modern browsers. Nevertheless, Flash is still very present on the web and not having this functionality may degrade the web browsing experience for some Firefox users.
The fact that Mozilla chose user security over a more polished experience is significant and sets it apart from competing third-party browsers. Google’s Chrome, for example, has not disabled its integrated Flash plugin that remained at version 22.214.171.124 at this writing. However, Google does limit Flash’s interaction with the rest of the browser via a security sandbox.
Call for the end
For some in the tech industry, this latest Flash security flub is the last straw. “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s newly installed chief security officer Alex Stamos said on his personal Twitter account Sunday. Prior to joining Facebook, Stamos was Yahoo’s security chief.
“We’re all happy to see the conversation that this has opened regarding the demise of Flash,” Mozilla’s Schmidt told PCWorld. “I think a formal EOL [end of life] date would be great.”
It seems unlikely Adobe will kill Flash anytime soon as it is still used widely on the web. Nevertheless, Flash’s life as a web-based product may come to a natural end due to the rise of HTML5-based video. How long that might take is anyone’s guess.
In the meantime, if you are tired of Flash’s continuing security issues check out our tutorial on how to disable and/or remove Flash on your system.
Firefox users that want to re-enable Flash can do so by clicking on the “hamburger” menu icon in the upper right corner and going to Add-ons > Plugins > Shockwave Flash. It is also advisable to enable Firefox’s “Flash protected mode” by clicking on the Options button in the Shockwave Flash plugin section.