Flash Blocked on Mozilla Firefox Web Browser
If you regularly use Mozilla’s popular Firefox Web browser, you will have noticed recently that Flash is no longer set to run by default in the pages that you visit. Instead, ‘Click to Play’ mode is now being used. This appears as a blank, dark space where the Flash content should have been, accompanied by a security warning and a link giving you the option to run the Flash content.
Some documents recently stolen from a security company called Hacking Team contained details of the bugs in Flash. The wide-scale use of Flash, together with evidence that cyber criminals were using the information in these stolen documents to exploit the bugs, was therefore the reported reason behind Mozilla’s decision to block Flash in the Firefox browser.
What Kind of Security Risks?
According to Mozilla, the bugs in Flash could be used to load malicious software onto your computer, or even to take over the system using ‘exploit kits’.
In Place Until Security Updated by Adobe
The block on Flash in Firefox will stay in place until Adobe release an updated version that addresses these security issues. The Mozilla website is currently advising that, for your trusted websites, you can change the plugin settings in Firefox so that Flash runs only when you click to activate it. To do this, open the menu button, go to the Add-ons Manager tab, select the Plugins panel, and set Shockwave Flash in the list to ‘Ask to Activate’.
A Victim of Its Popularity?
The effectiveness of Flash in powering multimedia and interactive elements for web pages has been an important driver of its huge popularity. It is this wide-scale use of Flash, however, that is one of the main reasons why it is so attractive to cyber criminals who seek to compromise computers and steal saleable data.
It must also be worrying for Flash’s owner, Adobe, to know that Flash and some of its other products are known to feature in the top 10 of the applications that cyber criminals like to use.
Adobe has of course taken the problem very seriously and is reported to have been making progress in developing patches and closing the vulnerabilities that were revealed in the documents stolen from Hacking Team.
As some commentators have pointed out, the fact that Flash (like Java) uses a runtime environment that executes arbitrary code means that it looks as though it will always be at risk of security problems.
A recent tweet by Facebook's new security chief Alex Stamos stated that "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day".
Mr Stamos also commented later that it would be helpful if Adobe could set a date to help everyone plan and prepare for the day that Flash no longer works. These comments, the vulnerabilities in Flash, the action taken by Adobe itself, plus all of the recent poor publicity look unlikely to help the case for keeping Flash on for the longer term.