Flash Blocked In Firefox Over Security Risk

John Lister's picture

Mozilla has blocked Adobe Flash from running by default in the Firefox browser, citing security concerns. Meanwhile, Facebook's security chief has called for Adobe Flash to be killed off permanently.

Adobe Flash is widely used for both videos and animations, including ones which play automatically on a website. The technology has fallen from favor over the years, however, thanks to problems with both performance and security. It's a popular target for malware creators because so many people use it, regardless of their operating system or browser.

A big part of the decline came when Apple decided its iPhone and iPad would not ship with Flash installed, making it difficult, if not nearly impossible, to add it manually. That said, many websites are switching to the HTML 5 system that is built directly into modern browsers without the need for plugins, and without the need for Flash.

Hacking Leaks Raise Risks For Adobe Flash

Now Mozilla has taken action after two separate incidents where it became clear that Flash had vulnerabilities that were being exploited by hackers. In both cases, the details became clear thanks to leaked documents belonging to Hacking Team, a business which helps governments use spyware techniques for surveillance.

Mozilla was unsatisfied with the speed at which Adobe developed and released a fix and decided to simply block Flash by default. Users can still access Flash content but must actively click a link and then confirm they understand the risks of doing so. It's a mechanism similar to the way Google's Chrome blocks links to sites suspected of housing malware. (Source: techcrunch.com)

Facebook Wants To Set Execution Date

Frustration with Adobe Flash isn't confined to Mozilla. Alex Stamos, who recently took over as chief information security officer at Facebook, posted on Twitter this week that "it is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day. Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once." (Source: fortune.com)

In this context, a killbit would be an instruction in the code that runs the browser to completely block Flash from running after a specified date.

What's Your Opinion?

Do you have Flash enabled in your Internet browser? Is it a security concern for you? Would the inconvenience of not accessing Flash content outweigh any risks?


Comments

Dennis Faas's picture

I applaud Mozilla for taking the stance to block Adobe Flash from running due to outstanding security risks. I received the security notification yesterday, and promptly updated it. In my opinion, the killbit technology should be employed beyond Flash and should be standard policy for all plugins (with grace given to software developers before killbit is to take place).

brifredav_4966's picture

How do we get on, now, with tablets using Flash Player on Android? This will make it hard to view any videos and such like.
Brian

Dennis Faas's picture

Flash Player on Android is probably more secure than on Windows for the simple fact that Windows is less secure than Linux (which is what Android runs). Apple OS is similar to FreeBSD which is also similar to Linux.

You can turn off Flash on Android by going to the Browser Settings (via the Menu button), then go to Advanced settings and modify the "Enable plug-ins" option from "Always on" to "On Demand", or "Off". If it's on demand, Flash will then prompt you each time it is required to run. This will also speed up your browsing quite a bit since Flash is a huge CPU hog. If it's Off then you will not be prompted at all (but you also won't see any videos).

guitardogg's picture

We should have switched to HTML 5 long ago! It was just easier (and I get it, cheaper) for developers to just keep using Flash, instead of switching to HTML 5. Thanks Mozilla, the time has come to end it.

dan_2160's picture

Both Adobe and Oracle issued new versions of Flash and Java, respectively, on July 14 that fix the vulnerabilities. Adobe issued the patch about two hours after Mozilla very prudently disabled Adobe Flash by default.

When installing the Java update, be sure to uncheck the box that seeks to change your home page to Yahoo!

DaLincerGuy's picture

As a wandering website person, I do not get to change what a web site owner posts. How do I get more sites to use anything other than flash?

I have no trouble insisting on my own site to not use flash, how about the rest of the world to make the leap?

David

vickiec51's picture

I go on Facebook and check everyone I know out and I only play one game on there ..which is Candy Crush...well, it started not loading all the way and I would get this Adobe Flash thing that says something about needing more space for....this site I guess ..I don't understand it..but it has this long number and letters starting with a 91s....cloudfront.net. I noticed this when on my computer when upgrades were happening to my computer or something telling me to update my Adobe Flash Player....I don't get a lot of this stuff...so I ran my Norton Internet Security and it did take off two so-called cookies...but that didn't remove it..well, I started digging like I do and checked something out about dealing with Flash Player from Adobe and that same site was on there...the number and letter thing with cloudfront.net....I removed it again...I don't know how it's staying on my computer...I looked to see what I had downloaded recently and it was nothing I could see...any suggestions please.... my email vickiec51@hotmail.com thanks oh my computer works...but I fear hacking of my private info...thanks...