Mozilla blocks all Flash in Firefox after third zero-day
Mozilla on Monday began blocking all versions of Adobe Flash Player from running automatically in its Firefox browser, reacting to news of even more zero-day vulnerabilities unearthed in a massive document cache pilfered from the Italian Hacking Team surveillance firm.
Computerworld confirmed that the current production versions of Firefox -- dubbed v. 39 -- on both Windows and OS X now block Flash.
Mozilla engineers swung into action over the weekend after reports surfaced late Friday of another Flash zero-day -- the term that describes a flaw for which there is as yet no fix, or patch -- discovered in the gigabytes of data and documents stolen from the Hacking Team. At the time, the bug was the second in Flash spotted in just five days.
After reading the block warning, Firefox users can still run Flash content by authorizing the plug-in's operation.
Neither the second nor the third vulnerability had been patched by Adobe as of late Monday, although the company has promised to do so this week.
Mozilla added the current-as-of-Monday Flash Player 18.0.0.203 to Firefox's "block list" early Monday, and by day's end engineers had finished their work, tested the block and released it to Firefox users.
Until Adobe issues a patched version of Flash, Firefox will not automatically engage the player without warning users, even if they have updated Flash to v. 18.0.0.203 since Wednesday, July 8, when Adobe shipped the patch for the first of the zero-day troika.
Mozilla rationalized the unusual step in one of the messages posted to the pertinent Bugzilla thread. "Even sans non-vulnerable update, we should consider the risks of blocking the vulnerable Flash versions (i.e. all of them) vs. allowing millions of people to use actively exploited versions of Flash without so much as a warning," wrote Mark Schmidt, senior Firefox support lead.