Mozilla Blocks Flash In Firefox To Protect Users Against Recent Zero-Day Vulnerabilities (Update: Flash Updated, Ban Lifted)

Yesterday, Facebook's new Chief Security Officer (CSO), Alex Stamos, called on Adobe to kill Flash once and for all, to end the stream of critical vulnerabilities that have plagued the software over its entire lifetime. The message came after a couple more zero-day vulnerabilities were found in the Hacking Team data leak.

Recognizing how serious these vulnerabilities are, Mozilla's Head of Firefox Support, Mark Schmidt, announced that "all versions of Flash are blocked by default in Firefox as of now."

He also made it clear that the block is only temporary, until Adobe patches the vulnerabilities over the next few days. The change shouldn't give most users problems, as many video sites on the Web right now are powered by HTML5 technology. This includes major ones such as YouTube and Facebook.

There are a few places, such as restaurant websites, where Flash might still be used, so the content there won't load. If you need to visit such sites, you can still enable Flash manually in Firefox with a single click on the "Activate Adobe Flash" message, which will appear on the blocked content. The inconvenience caused to users should therefore be minimal, while the company ensures maximum security for its users over the next few days until Adobe pushes out the appropriate updates.

Although the block is temporary, we may finally see browser vendors begin a more aggressive campaign for killing Flash sooner rather than later. Google recently announced that the next version of Chrome will block auto-playing Flash ads by default, and that was before the latest Flash zero-days were found in the Hacking Team data leak.

After Steve Jobs' permanent ban of Flash on the iOS platform, and then Adobe's surrender in making Flash work well on the Android platform, everyone knew that Flash was eventually going to die. It was always just a matter of how quickly that would happen.

Many would have expected Flash to be gone from the Web by now, but it managed to survive longer because HTML5 couldn't fully replace it for many years. Now, HTML5 is much more mature, and the days of Windows XP and obsolete Internet Explorer versions are over, which makes it much easier for developers to begin completely replacing Flash with HTML5 as their web development tool of choice.

Update, 7/15/15, 2:30pm PT: Mozilla posted an update on Twitter lifting the ban on Flash, re-enabling it by default, noting that Flash has been updated and the current security risks abated.

    Top Comments
  • Solandri
    Flash isn't going to die anytime soon. It may die as a generic browser scripting tool (I hope it does). But Flash was initially developed as an artist's tool - so you could create graphic animations without having to send as much data as a full-blown movie. It's still widely used among artists, with several TV shows and even movie production using it extensively. Its abuse as a generic scripting language for browsers came about because HTML lacked scripting capability.

    And Jobs may have claimed he blocked Flash from iOS because of vulnerabilities and excessive power use, but the real reason was control. At the time, Apple prohibited all compilers and emulators from the App store. The only way you could run a program in iOS was by developing it using Apple's tools, and submitting it to the App store for their approval. Flash bypassed this control over their ecosystem. If you could install Flash in iOS, you could write your program in Flash, put it on a website, and browse the site with your iOS device to run your program. That broke Apple's monopoly on iOS executables, so they banned it. And their spin control department came up with reasons for the ban which didn't sound so selfish and authoritarian.
  • Other Comments
  • tomc100
    Is there a single website that doesn't have flash ads playing in the background?
  • nukemaster
    Truth be told, once 3rd party plugins are gone, they will just target the browsers themselves.

    Steve wanted flash dead because of all the FREE games/apps it offered that would have taken a hit to the app store sales. No way around that.

    It is a cat and mouse game and hackers will ALWAYS want in, no matter what browser or OS you use.

    The more popular ones get hit first and more often so Windows/Internet Explorer (it's not like all users know about alternative browsers) will likely be a larger target, but with mobile devices soon (if not already. I know people that do not even use computers any more for the internet) to be the primary device for most users they will get just as much attention.