Mozilla blocks all versions of Adobe Flash in Firefox

Mozilla blocks all versions of Adobe Flash in Firefox

Mozilla has added all versions of Adobe Flash up to the most recent version 18.0.0.203 to the Firefox blocklist.

Security researchers have discovered vulnerabilities in recent versions of Adobe Flash that have not been patched yet by Adobe but are exploited in the wild. In particular, several exploit kits are already making use of it to serve crypto-ransomware to systems running Adobe Flash.

In an effort to protect Firefox users from harm on the Internet, Mozilla has added the current version of Adobe Flash and all previous versions to the browser's blocklist.

The blocklist lists browser extensions, plugins and other components that are blocked automatically by Firefox either directly or sometimes in the case of plugins, by setting them to "ask to activate".

The Flash vulnerability affects all versions of Flash on Windows, Linux and Macintosh systems.

Firefox displays a warning message on its plugins management page that Flash is vulnerable. As you can see on the screenshot below, Shockwave Flash has been set to "ask to activate" and not blocked permanently.

The difference between "ask to activate" and "never activate" is that Flash is not blocked completely in the former state which means that Flash contents can still be accessed in the browser. While that requires an extra click, it ensures that code on websites cannot exploit the vulnerability automatically without user action.

Options to switch the state are not available due to Flash being on the browser's blocklist.

Firefox displays a warning in the browser whenever Flash contents are embedded on a web page:

Firefox has prevent the unsafe plugin "Adobe Flash" from running on [website url].

The prompt displays options to allow the plugin on the page. If selected, Flash contents will be loaded and can be used just like before.

The blocklist update may not have been deployed on all Firefox machines. You may request a manual update of the blocklist at any time using the method below:

1. Open the Web Console by tapping on Alt and selecting Tools > Web Developer > Web Console (or use Ctrl-Shift-k).
2. Click on the preferences icon.
3. Locate Advanced Settings and check "Enable browser chrome and add-on debugging toolboxes"
4. Open the Browser Console afterwards with a tap on Alt and selecting Tools > Web Developer > Browser Console (or use Ctrl-Shift-j)
5. Type Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

The blocklist should update if updates are available. If you have Flash installed in Firefox you should see the vulnerability warning now in the plugin manager of the browser.

Additional information about the blocking are available on Bugzilla@Mozilla.

Summary

Article Name

Mozilla blocks all versions of Adobe Flash in Firefox

Author

Martin Brinkmann

Description

Mozilla has added all versions of Adobe Flash up to and including 18.0.0.203 to the Firefox blocklist to protect Firefox users from exploits.

Related Articles

- Firefox 17: old Java and Flash versions are now automatically disabled
- Mozilla Checks Flash Version After Firefox Updates

- - - Mozilla: Java is insecure, default click to play for all plugins but Flash from Firefox 26 o

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+

View all posts by Martin Brinkmann →

You are here: Home > Firefox > Mozilla blocks all versions of Adobe Flash in Firefox

How to improve KeePass security

Some versions of Opera promote SurfEasy VPN now

Responses to Mozilla blocks all versions of Adobe Flash in Firefox

- - 1. RossN July 14, 2015 at 7:11 am #
    2. Excellent proactive move by Mozilla!
      1. Reply
    3. ThePrudentNinja July 14, 2015 at 7:32 am #
    4. I was wondering what happened. Good move actually. Maybe Adobe will step up and push some fixes.

- - - 1. Reply
        ilev July 14, 2015 at 7:45 am #
        The only way Adobe can fix Flash is by removing it.
        Reply
        Anonymous July 14, 2015 at 3:26 pm #
        Truer words have never been said.

- - 1. Tom Hawack July 14, 2015 at 7:41 am #
    2. Discovering yesterday that latest Flash 18.0.0.203 was again vulnerable was the final straw here. Looks like I anticipated Mozilla's decision by completely removing Adobe Flash, not only for Firefox but for the Windows' platform globally : I'm over with Flash, finished. Removed all traces, files and Registry, leftovers after the official uninstall. First surprise was to notice that several sites I believed required Flash for their videos handled HTML5 once they notice Flash is unavailable on the user's machine. At this point it's a 80 to 20 relief/handicap. It's up to the domains still depending on Flash to make the move, and that move will be fast if/when they realize the number of users free of Flash.

- - - 1. Reply
        Josh Taylor July 14, 2015 at 8:03 am #
        Mozilla released Shumway which plays Flash animation to HTML5. You should try it.
        Reply
        Firefox Exhausted July 14, 2015 at 8:19 am #
        In your comment, the only thing I read is that Firefox wants people to use its in-house flash player, instead of taking the time to program its browser to work around the problem in Adobe's.
        
        Tom Hawack July 14, 2015 at 9:44 am #
        True. Ghacks articled Shumway and that's when I got to hear about it. Certainly promising but perhaps not yet sufficiently elaborated for me to try it. Later on I guess when it'll be more mature. Thanks for mentioning it.

- - 1. Snow July 14, 2015 at 8:37 am #
    2. The day Adobe will finaly kill their bogus flash technology, I'll get totally drank. That will be a giant festivity for all humankind.

- - - 1. Reply

- - 1. JIM ANDERSEN July 14, 2015 at 8:37 am #
    2. DOESN'T NORTON PROTECT MY COMPUTER? IS THIS A CHICKEN LITTLE "THE SKY IS FALLING" OVERREACH?

- - - 1. Reply
        Pants July 14, 2015 at 10:37 am #
        Security is a many-layered thing ... An antivirus would be one of your LAST lines of defense (if indeed it was able to detect zero-day exploits). If you're relying on AV to protect you from harmful actions on your computer, in other words, it's already on your system, then you've lost the battle. Better to be proactive and try to close the holes that let it in in the first place.
        Reply
        jfp July 14, 2015 at 12:51 pm #
        I'm assuming you're being facetious.
        Reply

- - 1. Mike Sanders July 14, 2015 at 8:58 am #
    2. Actually that move from Mozilla was the final straw, I'm totally done with this paranoid overlyprotective browser and moving to Google Chrome, permanently. When firefox failed to run some of html5 apps properly I could bear with it, when it crashed without restoring tabs I was like ok you're still fun to use, but now it refuses to play stuff I use daily, that's it Firefox I'm wiping every byte of you, every leftover, every trace.

- - - 1. Reply
        lolz July 14, 2015 at 3:32 pm #
        dont go google, try vivaldi instead - it looks promising
        Reply

- - 1. Vanessa July 14, 2015 at 11:05 am #
    2. I haven't enable or disabled Flash via the menu the notification provides but I'm still watching youtube videos. Am I vulnerable?

- - - 1. Reply
        not_black July 14, 2015 at 11:14 am #
        No.
        Reply
        br0adband July 14, 2015 at 11:33 am #
        If you have Flash Player installed (any version all the way up to 18.0.0.209 which was released just hours ago it seems) then yes, technically you're vulnerable to some of these new hacks. Because you're watching video(s) from YouTube the chances of anything going awry are fairly slim since YouTube creates their content from user supplied videos. I think it's safe to say that yes you'll be ok IF you just use Flash to watch YouTube videos, but I won't speak or even guess the risk for any other websites out there (and I can't guarantee that even YouTube is perfectly safe at this point, it's just a fair level of certainty).
        Flash is vulnerable, period - if you use it or have it enabled in your browser then you're potentially vulnerable and there's no getting around that fact.
        Reply
        Tom Hawack July 14, 2015 at 11:46 am #
        Youtube displays videos (most, all?) in HTML5 format now and no longer in Flash. If you right-click on a video you can see if it is Flash or HTML5 which is used.
        Reply
        Nathan July 14, 2015 at 3:59 pm #
        No, YouTube has been using HTML5 for some time now, so it's not even using flash.
        Reply

- - 1. Shiden July 14, 2015 at 11:17 am #
    2. Few years ago I've eliminated Adobe Reader from my computers due to the continously present security issues. There are a lot of PDF Readers to use beyond Adobe's.
    3. Now it's the time to eliminate Flash as well.

- - - 1. Reply
        TIm July 14, 2015 at 12:33 pm #
        Yeah, same here.
        Flash is a bigger problem than PDF readers though, because with PDF readers I can install a different PDF reader on say my parents machines and forget about it. With Flash, although I can disable Flash on my computer, and if need be re-enable it when needed, deciding what to do with my parents computers is more problematic. If I disable it, then when they visit the BBC it will tell them to download and install Flash. If I make it click-to-play, it will just be an annoyance and they'll just get into the habit of clicking 'yes' every time anyway. So, we really need all websites to ditch Flash, but at the moment we've still got sites like the BBC and education sites using it, which creates a problem.
        Reply

- - 1. Yuliya July 14, 2015 at 11:49 am #
    2. How much I hate flash lately, I've been getting these kind of errors: http://i.imgur.com/mWgXH4W.png Sometimes it works to dissmiss them some other times it doesn't so I have to force close the plugin conainer. I even reinstalled Windows a few days ago.
    3. I would completely uninstall it, but I sill find it to be required on some websites, and on some others it won't play videos in fullscreen without it.

- - - 1. Reply

- - 1. Racionality July 14, 2015 at 12:55 pm #
    2. Firefox must block the Internet! After all, practically every virus and security issue comes from there! Retarded idiots plotting to enforce their html crap corruptly down everyone's throats.
    3. Flash is pioneer and crucial in free games, not immorally "downloaded" (say STOLEN) games. Just go ahead and block the entire internet, since that's what's causing all the phishing and scams, corrupt bastards.

- - - 1. Reply
        Anonymous July 14, 2015 at 4:49 pm #
        The one guy in the world who wants flash still. Hello and welcome to 1996.
        Reply

- - 1. Nebulus July 14, 2015 at 1:56 pm #
    2. Good thing that I don't allow Firefox to update the blocklist. I am the one that decides what happens on my computer, not Mozilla.

- - - 1. Reply

- - 1. Bobby Phoenix July 14, 2015 at 2:46 pm #
    2. 18.0.0.209 is out now. Just installed it.

- - - 1. Reply
        Hy July 14, 2015 at 4:16 pm #
        Same here, but kept running into a script error that prevented the installation. Found this page from Adobe where one can download the full package (at the bottom) rather than the stub, which finally worked: https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html#main-pars_header
        Reply

- - 1. RottenScoundrel July 14, 2015 at 5:01 pm #
    2. Our household has been flash-free for over six months. If a website doesn't have HTML5 video, it doesn't get played here.
    3. I especially like sites that instantly demand I install flash as it is telling me to leave right now.
    4. About the only good thing I can say about firefox (use Pale Moon) is this is a great move and hopefully those flash--dependent sites will hurriedly convert to HTML5.
    5. As another poster noted above, I too began removing Adobe PDF reader (use SumatraPDF) , Adobe Air and the full Java-junk several years back. Having NoScript in Pale Moon adequately secures me from the javascript issues. Oh and on the subject of security, dd-wrt on all my routers.
    6. Nothing is perfect but I feel I am close to the pointy end of self-protection. :)

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Page updated

Google Sites

Report abuse