Mozilla has temporarily blocked Flash in Firefox while waiting for Adobe to release patches to fix yet more serious security holes in the Swiss-cheese-like plugin. These holes can be exploited by criminals to hijack PCs and infect them with malware; details of the bugs emerged from leaked Hacking Team files.
Firefox began preventing Flash from running by default on Monday. All versions of Adobe's software, including the most recent release, have been added to the browser's blacklist. Users can choose to disregard this warning and enable Flash, but this will now require a conscious decision to accept a heightened security risk.
Previously, users were asked to give their permission to use Flash, a less restrictive control. The lockdown comes in the wake of increasing concerns about the frequency of new, high-impact exploits against Flash spawned by the Hacking Team breach.
Leaked files from the hacked surveillance firm last week revealed that the controversial Italian company made use of Flash exploits to spy on its targets. Adobe fixed one of these vulnerabilities last week but another two zero-days remain unaddressed. Both CVE-2015-5122 and CVE-2015-5123 present a critical code injection risk on Windows, Macintosh and Linux systems.
Patches are promised later this week (possibly as early as Tuesday) but Mozilla has decided to act proactively ahead of their release.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues," Mozilla explains on a support page.
Mark Schmidt, head of the Firefox support team at Mozilla, heralded the Flash lockdown on Twitter before other Mozilla sources clarified that the move is likely to be a temporary restriction pending patching rather than a permanent sanction against the frequently abused Flash technology.
Facebook’s new chief security officer Alex Stamos went further this week by saying he wants to "set a date to kill Flash" in response to more general security concerns about the technology. Earlier this year, YouTube dropped support for Flash, which was famously criticised as insecure by the late Steve Jobs back in 2010.
Flash is used in many browsers and by many websites for video playback, but the technology is perennially targeted by criminally motivated hackers, chiefly through exploit kits and drive-by download attacks, as well as by cyberspies. Security experts are increasingly advising surfers to uninstall both the Flash and Java browser plug-ins on systems that don’t require them.
El Reg has previously described Flash as "the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens".
Adobe is trying to address widespread criticism, and frankly something approaching widespread exasperation from infosec types, by saying that it is redoubling its efforts to secure its plugins, as previously reported by The Register. ®