Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged

Browser maker backs search for 'safer and more stable' alternative – like its own

Mozilla has lifted its blanket block on Flash in Firefox following the release of security updates by Adobe on Tuesday.

Although the short-term block has been lifted, the whole flap appears to have re-energised efforts at Mozilla to work on Flash alternatives.

The block – imposed on Monday – meant that all versions of Flash were blocked within Firefox by default.

This embargo was lifted once Adobe released cross-platform updates that defended against two new zero-day vulnerabilities, which were only discovered as part of the mega-breach against controversial surveillance software firm Hacking Team.

Chad Weiner, director of product management at Mozilla, told El Reg: "We blocked the version of Flash known to be vulnerable and when Adobe issued its update, it got deployed automatically, unblocking Flash."

Mozilla's tighter controls were more than justified by events. Hackers had been hammering away at these vulnerabilities – and earlier, patched flaws – over recent days.

F-Secure reported a "clear increase in Flash exploits" since the Hacking Team zero-days became public last week. One of the most recently fixed Flash flaws – CVE-2015-5122 – was incorporated into at least two exploit kits, a big factor in the recent surge of attacks.

Firefox has incorporated technology to block or warn users about insecure browser plug-ins in one form or another since 2010. Blocking every version of the plug-in seems highly unusual, perhaps even unprecedented.

We asked Mozilla whether it had ever blocked every version of a particular technology – as it did for Flash this week – but are yet to hear back on this point.

Adobe is putting a brave face on the situation, telling El Reg that blocking vulnerable versions of Flash Player would encourage users to upgrade.

Chief spokesman Wiebke Lips was keen to portray the Firefox block as nothing out of the ordinary, in a comment offered after our initial story on the Firefox default block.

As part of the many security initiatives we engage in to help keep our products and our users safe, we work closely with our counterparts in other organisations (including the browser vendors) on finding ways to encourage users to stay up-to-date on the latest security updates.

Blocking vulnerable software versions and directing users to install the latest, most secure version of Flash Player is one initiative we have been supporting for years. So this practice is definitely not out of the ordinary.

Next page: Patching the web

Biting the hand that feeds IT © 1998–2017