Firefox blocks Flash plugin by default until zero-days are fixed

For the last few years, many security experts have been urging users to evaluate whether they actually need to use Adobe Flash.

The platform, once practically unavoidable, now has effective alternatives, and this last revelation of three zero-day bugs used first by Hacking Team customers and now, in the wake of the leak, by cyber crooks and state-sponsored APT groups, has resulted in much dissatisfaction.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook CSO Alex Stamos commented. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”

His tweet set off many comments from users, and some of them pointed out the difficulties and roadblocks for such a move.

On Tuesday, Mozilla’s head of Firefox Support Mark Schmidt announced that the company’s Firefox browser will be blocking vulnerable versions of Adobe Flash by default.

That is, until Adobe releases a new version that fixes the recently unearthed issues.

Whether this will be the beginning of the end for Flash remains to be seen. But despite the widespread impression that Adobe is not doing enough to secure Flash, the company is in fact working on it heavily.

“There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help keep our products and our users safe,” Wiebke Lips, a senior manager of Adobe’s corporate communications, told The Register.

“Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments.”
