With two currently unpatched zero-day vulnerabilities in Adobe’s Flash Player, Mozilla has decided that enough is enough and it’s blocking Flash usage in the Firefox Web browser.
“All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues,” Mozilla states in a support note.
The latest two zero-days in Flash were discovered by security vendors FireEye and Trend Micro by going through materials obtained via the breach of Italian security vendor Hacking Team. Adobe says it plans on patching the flaws identified as CVE-2015-5122 and CVE-2015-5123 this week. The two new zero-days are on top of 36 other identified vulnerabilities that Adobe has already patched this month.
Flash has been identified by multiple security vendors this year as being a leading path to exploitation, with Intel Security’s McAfee Labs reporting a 317 percent increase in the volume of Adobe Flash malware samples detected, while Trustwave has found that Adobe Flash is now the most exploited application. Both the Intel Security and Trustwave reports came out before the latest round of Flash exploits, which would seem to indicate that there is no end in sight to Flash’s troubles.
Mozilla is the first vendor to actually block Flash after this latest round of zero-days, and it’s not clear if others can or will follow Mozilla’s lead. Alex Stamos, the new chief security officer at Facebook, has publicly called for an end to Flash usage in a Twitter message.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Stamos wrote.
Blocking Flash in browsers other than Firefox is a task that is easier said than done. Microsoft’s Internet Explorer 11 and Google’s Chrome both directly integrate Flash with the browser. The benefit of the integration is that users only need a single update to get an updated browser/Flash combination. The risk is that when Flash is found to be vulnerable like it is now, IE and Chrome users are exposed to the risk by default.
Certainly both IE and Chrome users can choose to disable Flash. For Chrome users, Google has a helpful page that describes the process. Microsoft provides information on how to disable add-ons in general (including Flash) inside of IE 11 on its own support page as well.
Given that the two new Flash zero-days were found in the Hacking Team data breach, there should be no doubt whatsoever that the exploits are not theoretical and represent a real and present danger to Flash users today. As such, Mozilla’s decision to block Flash is the right thing to do to protect users.
Certainly anti-malware and Web Application Firewall (WAF) technologies can also help limit the risk of Flash zero-day exploits, but Mozilla’s move to block Flash altogether for now is likely the best protection for users.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.