Tuesday, July 14, 2015

Firefox blacklists Flash player due to unpatched 0-day vulnerabilities

Firefox blacklists Flash player due to unpatched 0-day vulnerabilities

Also, Facebook calls for Flash end-of-life, so that we can "upgrade the whole ecosystem."

There's some drama going down in the Flash camp. Yesterday, because of two unpatched Hacking Team zero-day vulnerabilities, Mozilla blacklisted Adobe Flash Player 18.0.0.203, meaning Flash was disabled by default in Firefox. This morning, just a few moments ago, Adobe rushed out version 18.0.0.209, plugging the two vulnerabilities.
Meanwhile, over at Facebook, the company's new chief security officer called for Adobe to "announce an end-of-life date for Flash," so that we can finally "disentangle the dependencies and upgrade the whole ecosystem."
And if two Web giants weren't enough, Google recently announced that the next stable version of Chrome would "intelligently" block auto-playing Flash elements.
Adobe has been scrambling to fix a number of Flash vulnerabilities since they were first exposed by the massive leak of Hacking Team internal documents last week. One of the zero-days was patched quite quickly, but two further zero-days that were publicised on July 10 went unfixed for three days. With hundreds of millions of Firefox users vulnerable, Mozilla boldly decided to blacklist the current version of Flash.
If you're a Firefox user and Flash is still blocked, you'll need to manually update to 18.0.0.209 or newer from the Adobe website. Make sure you deselect the McAfee checkbox.
Adobe needs to be careful. Antipathy for Flash has reached the point where even some of the largest Web service providers wouldn't be too fazed if it faded ignominiously into the shadows. As HTML5 and other open Web technologies continue to mature, there's less and less reason to use Flash. How many more zero-day vulnerabilities can Adobe withstand?
This post originated on Ars Technica UK

No comments:

Post a Comment