Mozilla has blocked every version of Adobe Flash Player running in its Firefox web browser and will continue to do so until Adobe has patched certain publicly known security vulnerabilities. Firefox users who seek to view videos, adverts, and other Flash-based content will now be required to dismiss a warning that reads, "Flash is known to be vulnerable. Use with caution." Mozilla's decision follows on the heels of the disclosure of three zero-day security vulnerabilities in Flash as part of last week's Hacking Team leaks, not to mention reports that threat actors are all ready exploiting these flaws.
"Even sans non-vulnerable update, we should consider the risks of blocking the vulnerable Flash versions (i.e. all of them) vs. allowing millions of people to use actively exploited versions of Flash without so much as a warning," wrote Mark Schmidt, senior Firefox support lead.
Source: The Guardian Over the weekend, Facebook's newly appointed security chief Alex Stamos also expressed dissatisfaction with Flash's persistent security problems, tweeting that Adobe should announce an end-of-life data for the software. Stamos went on to explain how Adobe setting a date would help sysadmins and security professionals adequately prepare for the retirement of Flash Player. It is uncertain whether Adobe will heed Stamos' call, but according to Wiebke Lips, senior manager of Adobe's corporate communications, changes are nevertheless underway for the software company.
"There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help keep our products and our users safe," Lips told The Register. "Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments."
Adobe has released a patch for one of Flash's security vulnerabilities discovered in the Hacking Team leaks last week. It is currently developing fixes for the other two and expects these to be ready by later this week.
