
New Default: Mozilla Temporarily Disables Flash In Firefox

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."
  • by sinij ( 911942 ) on Tuesday July 14, 2015 @09:23AM (#50107661)
    We need Flash because it is easy to block. You can remove a huge chunk of Web obnoxiousness by simply disabling/uninstalling Flash while not breaking the rest of the website. With HTML5, this won't be as straightforward a process.
    • by gstoddart ( 321705 ) on Tuesday July 14, 2015 @09:27AM (#50107733) Homepage

      You got modded funny, but I tend to agree.

      If the crap that Flash does is part of the HTML 5 spec, I really do worry we won't be able to block it quite so readily.

      In which case the browsers become even less secure. That will be a bad thing.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I disagree. There will still be third-party plugins to do this, plus now you get the option to easily roll your own. For example, on Slashdot I have a plugin that runs:

        $('video').empty().remove();

        plus several other scripts to re-display content in a manner of my choosing.

    • Amusing but true, there's already a lot of HTML5 nonsense that goes on in many sites, even on browsers I specifically disallow Flash on.

      I think what we need to advance user tech is "click to remove HTML5 element" with memory of what element you removed, that would automatically be scotched the next time you visited the same site. That way you could even allow "tame" ads if you liked, and just stop obnoxious floating elements that blocked content...

    • by fermion ( 181285 )
      I have used Flashblock to control the Flash player. Note the only reason I installed it was to stop autoplay Flash. I can't really focus on anything else when a video is playing. With the implementation of Flash blocking on Firefox, which started, what, a couple months ago, Flash no longer works at all. Flash has been on the decline since the smart phone did not have the power to run it and everyone is blocking it. Which, as mentioned, is a moot point as HTML5 provides autorun ads that have no control.
  • Chrome (Score:4, Insightful)

    by Anonymous Coward on Tuesday July 14, 2015 @09:28AM (#50107741)

    Won't this just cause frustrated users to switch to Chrome or another browser, further hurting Mozilla's market share? Recently I went to a Flash web site, it didn't work, so I booted up Chrome.

  • by R.Mo_Robert ( 737913 ) on Tuesday July 14, 2015 @09:29AM (#50107757)

    Mozilla did block the then-latest version of Flash Player, 18.0.0.203, last night. Adobe released version 18.0.0.209 early today, which fixes this vulnerability and which Mozilla is not blocking. They didn't really block "all versions," they just blocked versions less than or equal to known vulnerable versions, which at that time happened to also include the then-latest version. Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.
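
The "less than or equal to a known vulnerable version" behaviour described in the comment above, as an added JavaScript illustration (not part of the thread and not Mozilla's blocklist code). The entry shape, the function names and the fail-closed handling of unparseable versions are assumptions; the version numbers are the ones quoted in this thread.

```javascript
// Constructed blocklist: each entry blocks every version up to and including
// maxVersion. The entry shape is an assumption made for this example.
const BLOCKLIST = [
  { plugin: "Shockwave Flash", maxVersion: "18.0.0.203" },
];

// Split a dotted version into integers; null if any component is not numeric.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.some((p) => !/^\d+$/.test(p))) return null;
  return parts.map(Number);
}

// Compare component by component as numbers, never as strings:
// a string comparison would rank "18.0.0.99" above "18.0.0.203".
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const d = (a[i] || 0) - (b[i] || 0); // missing components count as 0
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns "blocked" or "allowed" for an installed plugin version.
function pluginState(name, version, blocklist = BLOCKLIST) {
  const v = parseVersion(version);
  if (v === null) return "blocked"; // assumption: fail closed on garbage input
  for (const entry of blocklist) {
    if (entry.plugin !== name) continue;
    if (compareVersions(v, parseVersion(entry.maxVersion)) <= 0) return "blocked";
  }
  return "allowed";
}

// The fixed release passes, the then-latest release and everything older do not.
console.log(pluginState("Shockwave Flash", "18.0.0.209")); // allowed
console.log(pluginState("Shockwave Flash", "18.0.0.203")); // blocked
console.log(pluginState("Shockwave Flash", "11.2.202.481")); // blocked
```
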

    • by tepples ( 727027 )

      Unless Title Guy edited the title in the past ten minutes, I don't see how "Mozilla Temporarily Disables Flash" is "misleading phrasing that will make people think they blocked any past, current, or hypothetical future version".

      • Unless Title Guy edited the title in the past ten minutes, I don't see how "Mozilla Temporarily Disables Flash" is "misleading phrasing that will make people think they blocked any past, current, or hypothetical future version".

        Slashdot edited the headline--thanks for giving me the benefit of the doubt. :) The old one was something like "Mozilla disables all versions of Flash in Firefox."

        • Unless Title Guy edited the title in the past ten minutes, I don't see how "Mozilla Temporarily Disables Flash" is "misleading phrasing that will make people think they blocked any past, current, or hypothetical future version".

          Slashdot edited the headline--thanks for giving me the benefit of the doubt. :) The old one was something like "Mozilla disables all versions of Flash in Firefox."

          Wait, or maybe they didn't edit the headline, IDK (though I think they did)--but the story still implies the same (perhaps that's what I remember), that they're disabling "all versions," which is no longer true in any case.

        • by tepples ( 727027 )

          Slashdot edited the headline--thanks for giving me the benefit of the doubt. :)

          I guess it comes from my experience reading Cracked.com, which is notorious among its commenters for posting an article with an unfitting title and then changing its title [google.com].

    • Re: (Score:2, Funny)

      by Anonymous Coward

      You know Slashdot is slow when even Adobe have enough time to fix the Flash before news actually hits the front page.

    • by colfer ( 619105 )

      Mozilla was blocking all Flash until the second update came out. The page https://www.mozilla.org/en-US/... [mozilla.org] clearly showed that. You could change it from "disabled" to "ask to activate" if you chose to.

      Chrome also updated today, but the bundled Flash player in Chrome is click-to-play by default. IE should do that with its bundled player. And Microsoft should use Windows Update to block the plugin player for old versions of IE. And old Java in any browser, with an override available.

    • Let's stop using misleading phrasing that will make people think they blocked any past, current, or hypothetical future version of the plugin.

      Hey, there are a lot of Linux users here - we're used to it. Mozilla has been blocking the current version [mozilla.org] of Flash on Linux for three years now. The people who know that codebase can't seem to figure out how to put in an if statement (I jest - they just don't give a fuck about it working).

      • Mozilla has been blocking the current version of Flash on Linux for three years now.

        You cite a Bugzilla bug as evidence. But as of right now, Bugzilla is giving a "Service Unavailable" error, and Wayback Machine gives "Page cannot be crawled or displayed due to robots.txt." Is that the bug about implementing the entire PPAPI to use Google Native Client plug-ins? Or is it some other bug?

    • by MrL0G1C ( 867445 )

      And their plugin check page still doesn't work for me.

      And the page doesn't show a link to get flash.

    • But, Adobe did not update the Linux Firefox NPAPI version. It's still 11.2.202.481, which was listed as vulnerable.

      The NPAPI version is an "extended support" release because Google came up with a new "universal" interface for all OSes, and, decidedly refused to map it on top of NPAPI [in order to kill Firefox in favor of Chrome]. Adobe adopted this and stopped active development on the NPAPI version. And, Firefox refused to support the new interface, saying that NPAPI was just fine.

      Meanwhile, I'm still w

      • Google wasn't trying to kill Firefox with pepper, they made everything Firefox needs to implement pepper available as open source and encouraged Firefox to add support. It's Firefox's choice not to implement it because they consider it "non-standard".

  • by Anonymous Coward

    Chrome can block popups that Firefox lets through. This is because Flash is doing the popup, and Firefox does not catch the CreateWindow, but Chrome does. Firefox only intercepts the normal web window creates.

    So at least for the moment, this fixes Firefox's crappy non-functioning popup blocker.

    Likewise Chrome now runs Flash in a separate process, because Adobe are so inept they cannot be trusted not to leave lots of security bugs in their products. So Google wrapped it in a process wrapper, the same way pe

  • by Virtucon ( 127420 ) on Tuesday July 14, 2015 @09:36AM (#50107843)

    Whack-a-mole with Flash continues this week with yet another zero day vulnerability with Flash being fixed. This is unsustainable. Time for Flash to really die.

    • Unsustainable? You even mention that Adobe has been doing this for years. It is about as unchanging as anything in computing.

      • For the past couple of months it seems like it's been a weekly cycle instead of once a month. Frequency and urgency of the patches brings more focus as to "why do we have this again?" There are a lot of companies out there that have Flash in their content distribution systems for Intranets and this zero day fire drill is getting old fast for quite a few of them. In the long run killing Flash is a good thing, killing Adobe would probably be better. Call it penance.

  • While I appreciate that Adobe endlessly updates Flash, the fact that they can't manage to write a functional updater for OS X makes me wary of the value of the updated code. When you have to completely uninstall Flash every time and reinstall it, I decided to stop after the uninstall.
  • by Zanadou ( 1043400 ) on Tuesday July 14, 2015 @10:32AM (#50108439)

    If you're (forced to!) run the outdated version of Flash in Firefox on Linux, now might be a good time to go to the tools menu > addons > plugins and set Shockwave Flash to "Ask to Activate". Then the plugin will stay disabled per default, but can be activated on a per-site basis.

    Adobe: "You're on your own."

    • It sucks as you can't set a whitelist (for soundcloud.com at least, and perhaps youtube for some convenience)

      Have to add a random extension or two, but who knows how long the extension will work. I used flashblock for about a decade but somewhat recently, it imploded (I suppose it depended on one person that can't do the maintaining job anymore)

      I got lazy and simply block the ads now. For a decade I had the web with ads and all flash blocked, now I have no ads (including the flash based ones) but there are

  • I have long been using this Flash disable plugin [mozilla.org]. It is easy to use; it is simple: it just triggers internal configurations that Firefox has always had. It adds a button to enable Flash on those few sites where Flash is used for content and cannot be replaced. I recommend ticking 'Disable at startup' and 'Ask to activate' in the preferences. "Simple & easy" always provides better security.
    Enough said.
  • I run Nightly, and have the latest Flash installed (just updated it to make sure). Flash content seems to load fine, I get no blocking message.
