
Firefox Blocks Flash Content to Improve Security

Starting next month, the Firefox Web browser will block certain Flash content to improve the security of its users and to ensure faster page loads.

The main reason for this change, Mozilla says, is that plugins, Adobe’s popular Flash Player included, often introduce stability, performance, and security issues for browsers. Starting next month, Flash content that is not essential to the user experience will be blocked in Firefox, although the browser will continue to support legacy Flash content, the company says.

The Flash Player plugin has long been considered one of the most vulnerable pieces of software, and cybercriminals have been abusing it for drive-by downloads and other types of compromise. This year alone, Adobe has patched multiple critical flaws in the plugin, including zero-days that were already being exploited in attacks, some abused by APT groups.

Mozilla expects a 10% reduction in the number of Flash-related crashes and hangs in Firefox after the browser starts blocking unnecessary Flash content. However, given that the change might result in website compatibility issues, the company plans on blocking only a short, curated list of Flash content in the beginning, and says that this content can be replaced with HTML.

The list will grow longer over time, the company says. “Later this year, we plan to expand this list to include the use of Flash to check content viewability, a common practice to measure advertising,” Benjamin Smedberg, Engineering Manager at Mozilla, explains in a blog post.

These upcoming improvements are expected to deliver not only faster page load times, but also better security, improved battery life, and increased browser responsiveness. Firefox is set to implement the equivalent HTML Intersection Observer API later this year, and content producers using Flash to measure viewability are advised to adopt the new API when it becomes available, Smedberg says.

Further changes will be implemented starting next year, when Firefox will require click-to-activate approval from users before the Flash plugin is activated on a website to display content. Thus, websites relying on Flash or Silverlight for video or games are advised to consider the adoption of HTML technologies as soon as possible. Encrypted video playback using Adobe Primetime and Google Widevine as alternatives to plugin video is already supported in Firefox.

“These changes are part of our ongoing efforts to make browsing safer and faster without sacrificing the Web experiences our users love. As we announced last year, Firefox plans to drop support for all NPAPI plugins, except Flash, in March 2017,” Smedberg continues.

Google’s Chrome browser will also deprecate the Flash Player and block Flash content. The browser will switch to HTML5 and will ask users to accept Flash only when necessary. In February, Google announced that it would stop accepting Flash ads as of July 2016 and that it would stop displaying them in early 2017.

The move from Flash to HTML5 for the display of web-delivered advertising, however, will bring new threats and will have little effect on malvertising, a May report from GeoEdge has revealed.
