Mozilla's Firefox blocks Adobe Flash until zero-days are fixed
Mozilla has announced that its web browser Firefox will block vulnerable versions of Adobe Flash until the zero-day flaws, as discovered from the fallout of the Hacking Team data breach, are fixed.
On Tuesday, the firm said on its support pages that Firefox will be blocking vulnerable versions of Adobe Flash by default until "Adobe releases an updated version to address known critical security issues".
The company added that attackers would use vulnerabilities in Flash to install malicious software on computers and steal data.
Trend Micro confirmed the discovery of a third Flash Player zero-day this week from the leaked Hacking Team data.
“After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited. It affects all versions of Adobe Flash in Windows, Mac, and Linux.”
This has led some security commentators to call for the end to Flash, with Facebook CSO Alex Stamos amongst this crowd.
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Stamos commented on social media. "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."