Mozilla Blocks Flash In Firefox To Protect Users Against Recent Zero-Day Vulnerabilities (Update: Flash Updated, Ban Lifted)

Yesterday, Facebook's new Chief Security Officer (CSO), Alex Stamos, called on Adobe to kill Flash once and for all, to end the stream of critical vulnerabilities that have plagued the software over its entire lifetime. The message came after a couple more zero-day vulnerabilities were found in the Hacking Team data leak.

Recognizing how serious these vulnerabilities are, Mozilla's Head of Firefox Support, Mark Schmidt, announced that "all versions of Flash are blocked by default in Firefox as of now."

He also made it clear that the block is only temporary, until Adobe patches the vulnerabilities over the next few days. The change shouldn't give most users problems, as many video sites on the Web right now are powered by HTML5 technology. This includes major ones such as YouTube and Facebook.

There are a few places, such as restaurant websites, where Flash might still be used, so the content there won't load. If you need to visit such sites, you can still enable Flash manually in Firefox with a single click on the "Activate Adobe Flash" message, which will appear on the blocked content. The inconvenience caused to users should therefore be minimal, while the company is also ensuring the maximum security for its users over the next few days until Adobe pushes out the appropriate updates.

Although the block is temporary, we may finally see browser vendors begin a more aggressive campaign for killing Flash sooner rather than later. Google recently announced that the next version of Chrome will block auto-playing Flash ads by default, and that was before the latest Flash zero-days were found in the Hacking Team data leak.

After Steve Jobs' permanent ban of Flash on the iOS platform, and then Adobe's surrender in making Flash work well on the Android platform, everyone knew that Flash was eventually going to die. It was always just a matter of how quickly that would happen.

Many would have expected Flash to be gone from the Web by now, but it managed to survive longer because HTML5 couldn't fully replace it for many years. Now, HTML5 is much more mature, and the days of Windows XP and obsolete Internet Explorer versions are over, which makes it much easier for developers to begin completely replacing Flash with HTML5 as their web development tool of choice.

Update, 7/15/15, 2:30pm PT: Mozilla posted an update on Twitter lifting the ban on Flash, re-enabling it by default, noting that Flash has been updated and the current security risks abated.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • tomc100
    Is there a single website that doesn't have flash ads playing in the background?
  • nukemaster
    Truth be told, once 3rd party plugins are gone, they will just target the browsers themselves.

    Steve wanted flash dead because of all the FREE games/apps it offered that would have taken a hit to the app store sales. No way around that.

    It is a cat and mouse game and hackers will ALWAYS want in, no matter what browser or OS you use.

    The more popular ones get hit first and more often, so Windows/Internet Explorer (it's not like all users know about alternative browsers) will likely be a larger target, but with mobile devices soon (if not already; I know people that do not even use computers any more for the internet) to be the primary device for most users, they will get just as much attention.
  • Solandri
    Flash isn't going to die anytime soon. It may die as a generic browser scripting tool (I hope it does). But Flash was initially developed as an artist's tool - so you could create graphic animations without having to send as much data as a full-blown movie. It's still widely used among artists, with several TV shows and even movie production using it extensively. Its abuse as a generic scripting language for browsers came about because HTML lacked scripting capability.

    And Jobs may have claimed he blocked Flash from iOS because of vulnerabilities and excessive power use, but the real reason was control. At the time, Apple prohibited all compilers and emulators from the App store. The only way you could run a program in iOS was by developing it using Apple's tools, and submitting it to the App store for their approval. Flash bypassed this control over their ecosystem. If you could install Flash in iOS, you could write your program in Flash, put it on a website, and browse the site with your iOS device to run your program. That broke Apple's monopoly on iOS executables, so they banned it. And their spin control department came up with reasons for the ban which didn't sound so selfish and authoritarian.
  • Xc311
    The problem is Flash Player delivers better video quality than the HTML5 native player. You can witness this in HD or FHD videos on YouTube, for example. I don't think it will die soon, at least until HTML5 surpasses it on that point.
  • Nintendork
    Mozilla: If you're gonna block Flash, make sure your damn browser actually supports HTML5 without problems. YouTube on Mozilla is a painful experience, even worse when you use VP9/WebM. Video stutters, and if it's a 1080p 60fps, be sure that it will stutter too.

  • capt_taco
    I never understood why there was this big sudden push to kill Flash. HTML5 is fine for playing videos, but for a lot of the artistic uses of Flash, it's no replacement at all, and there are no other good replacements either. My job involves building and managing websites, and it's painfully obvious that creativity has taken a step backwards in several areas because even if Flash is the only thing capable of doing a task, no one wants to use it.

    One site I built a while back used to have an interactive map created in Flash, and when it was time to redesign it, the so-called "experts" insisted that we could do it just as well using Google Maps ... I was skeptical but went along with it. Well guess what, the Google Maps version was nothing like it and it sucked. "This is crap," I said, "what are our other options?" "There are no other options, you can't use Flash because of Apple, so this is it," they said. I told them I didn't care about Apple users, who made up about 2.75% of our audience, enough to design the whole site around them, but was shouted down. Garbage.

    There was never anything wrong with Flash; it was as vulnerable and glitchy as any other widely used plugin, and the positives far outweighed any of that. As others have said, the campaign against it was all because of Steve Jobs (may he burn in hell) and his insistence on being a control freak. It's a shame so many people were dumb enough to fall for it.

    *no, I'm not wishing Steve Jobs to burn in hell over Flash; that would be silly. He was just a jerk with a horrible mentality.
  • nukemaster
    16251444 said:
    I never understood why there was this big sudden push to kill Flash. HTML5 is fine for playing videos, but for a lot of the artistic uses of Flash, it's no replacement at all, and there are no other good replacements either. My job involves building and managing websites, and it's painfully obvious that creativity has taken a step backwards in several areas because even if Flash is the only thing capable of doing a task, no one wants to use it.

    One site I built a while back used to have an interactive map created in Flash, and when it was time to redesign it, the so-called "experts" insisted that we could do it just as well using Google Maps ... I was skeptical but went along with it. Well guess what, the Google Maps version was nothing like it and it sucked. "This is crap," I said, "what are our other options?" "There are no other options, you can't use Flash because of Apple, so this is it," they said. I told them I didn't care about Apple users, who made up about 2.75% of our audience, enough to design the whole site around them, but was shouted down. Garbage.

    There was never anything wrong with Flash; it was as vulnerable and glitchy as any other widely used plugin, and the positives far outweighed any of that. As others have said, the campaign against it was all because of Steve Jobs (may he burn in hell) and his insistence on being a control freak. It's a shame so many people were dumb enough to fall for it.

    *no, I'm not wishing Steve Jobs to burn in hell over Flash; that would be silly. He was just a jerk with a horrible mentality.
    While Apple only has a small margin of the market, all cell phones/tablets (quickly becoming the primary device for surfing the internet, if not already) do not support Flash either.

    I think some of the renewed GIF (something popular in the 90s due to the hardware most users had) craze is also to make mobile device playback easier (strange, since they all support at least basic MPEG-4 video, and that has better frame rates/colors and compression than GIF).

    Also hating flash is rather popular on the internet.
  • capt_taco
    While Apple only has a small margin of the market, all cell phones/tablets (quickly becoming the primary device for surfing the internet, if not already) do not support Flash either.
    ...
    Also hating flash is rather popular on the internet.


    That was kind of my point. The Kill-Flash movement isn't because there's anything wrong with it. It's because the drumbeat got going, and hating it became the default reaction "because it's old" or "because it's clunky" or any of a hundred other soundbites. Most people who are against Flash probably couldn't even articulate very clearly why they hate it - they hate it because they heard it from their friend Josh, or they read it on a snarky tech site, or they hate it just because.

    In any case, now that Android compatibility has dried up, that turned it from cheerleading into a real problem, and now the reality is that it's being used less and less except for specialty purposes. It still puzzles me why that happened; the only explanation I can think of is that the Android developers all lemminged Apple, or listened to the cheerleading, and it became a self-fulfilling prophecy.
  • kenjitamura
    I never understood why there was this big sudden push to kill Flash. HTML5 is fine for playing videos, but for a lot of the artistic uses of Flash, it's no replacement at all, and there are no other good replacements either. My job involves building and managing websites, and it's painfully obvious that creativity has taken a step backwards in several areas because even if Flash is the only thing capable of doing a task, no one wants to use it.

    One site I built a while back used to have an interactive map created in Flash, and when it was time to redesign it, the so-called "experts" insisted that we could do it just as well using Google Maps ... I was skeptical but went along with it. Well guess what, the Google Maps version was nothing like it and it sucked. "This is crap," I said, "what are our other options?" "There are no other options, you can't use Flash because of Apple, so this is it," they said. I told them I didn't care about Apple users, who made up about 2.75% of our audience, enough to design the whole site around them, but was shouted down. Garbage.

    There was never anything wrong with Flash; it was as vulnerable and glitchy as any other widely used plugin, and the positives far outweighed any of that. As others have said, the campaign against it was all because of Steve Jobs (may he burn in hell) and his insistence on being a control freak. It's a shame so many people were dumb enough to fall for it.

    *no, I'm not wishing Steve Jobs to burn in hell over Flash; that would be silly. He was just a jerk with a horrible mentality.

    Dissenters such as journalists were tracked down to be tortured and killed in such places as Sudan thanks to zero-day exploits in Flash being used by Hacker Team. Is that not enough reason to hate Flash? It's an easily exploitable security nightmare and every device that uses it is substantially less safe because of it.
  • Solandri
    16252485 said:
    That was kind of my point. The Kill-Flash movement isn't because there's anything wrong with it. It's because the drumbeat got going, and hating it became the default reaction "because it's old" or "because it's clunky" or any of a hundred other soundbites. Most people who are against Flash probably couldn't even articulate very clearly why they hate it - they hate it because they heard it from their friend Josh, or they read it on a snarky tech site, or they hate it just because.
    To be fair, Flash was widely hated from the onset because web developers used it to make their website consistent on all displays. That was contradictory to the design of the web - the whole point of HTML is to transmit the important info (words, pics) to the browser in a form that the browser can decide how to best display. I.e., if I want to compress the display so it'll fit in 800x600, or expand it to fill 1920x1080, I can resize the browser and the browser handles reflowing the text and pictures. If I don't like the font, the browser can change it. If I don't like the colors, the browser can override them. You can't do that with Flash websites - the formatting is determined by the site designer, not your browser.

    I do agree with you about its artistic use. It is the best tool for that purpose I've seen.

    In any case, now that Android compatibility has dried up, that turned it from cheerleading into a real problem, and now the reality is that it's being used less and less except for specialty purposes. It still puzzles me why that happened; the only explanation I can think of is that the Android developers all lemminged Apple, or listened to the cheerleading, and it became a self-fulfilling prophecy.
    Flash on Android was killed by Adobe itself. They stopped releasing updates for it and pulled it from the Play store. I used to keep a copy of it around in my TitaniumBackup backups, but so much time has passed without security patches I don't think it's worth the risk of installing it again.

    The Dolphin browser supports flash. I don't normally use that browser, but I do keep a copy of it installed now for the occasional times I need to visit a flash website in Android.

    16253419 said:
    Dissenters such as journalists were tracked down to be tortured and killed in such places as Sudan thanks to zero-day exploits in Flash being used by Hacker Team. Is that not enough reason to hate Flash? It's an easily exploitable security nightmare and every device that uses it is substantially less safe because of it.
    Every computer system out there has zero-day exploits. If you're going to hate everything which has zero-day exploits, you need to become a Luddite and give up using computers.

    Anyhow, Mozilla (and Google) blocked the vulnerable version of Flash from running on their browsers. Adobe has already released a new version which patches the vulnerability, and that version is allowed to run. This wasn't Mozilla taking some anti-flash stance like some in the press were trying to spin it. It was just the browser makers doing the prudent thing and preventing a vulnerable extension from running until it was fixed.