SecurityWeek

Firefox Blocks Flash Content to Improve Security

Starting next month, the Firefox Web browser will block certain Flash content to improve the security of its users and to ensure faster page loads.

The main reason for this change, Mozilla says, is that plugins, Adobe’s popular Flash Player included, often introduce stability, performance, and security issues for browsers. Starting next month, Flash content that is not essential to the user experience will be blocked in Firefox, although the browser will continue to support legacy Flash content, the company says.

The Flash Player plugin has long been considered one of the most vulnerable pieces of software, and cybercriminals have been abusing it for drive-by downloads and other types of compromise. This year alone, Adobe has patched multiple critical flaws in the plugin, including zero-days that were already being exploited in attacks, some abused by APT groups.

Mozilla expects a 10% reduction in the number of Flash-related crashes and hangs in Firefox after the browser starts blocking unnecessary Flash content. However, given that the change might result in website compatibility issues, the company plans on blocking only a short, curated list of Flash content in the beginning, and says that this content can be replaced with HTML.

The list will grow longer over time, the company says. “Later this year, we plan to expand this list to include the use of Flash to check content viewability, a common practice to measure advertising,” Benjamin Smedberg, Engineering Manager at Mozilla, explains in a blog post.

These upcoming improvements are expected to deliver not only faster page load times, but also better security, improved battery life, and increased browser responsiveness. Firefox is set to implement the equivalent HTML Intersection Observer API later this year, and content producers using Flash to measure viewability are advised to adopt the new API when it becomes available, Smedberg says.
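As an added illustration (not code from Mozilla or from the article), the sketch below shows how a viewability check can be built on the Intersection Observer API, with no plugin involved. The function names and the thresholds (at least 50% of the element visible for one continuous second) are assumptions chosen for the example.

```javascript
// Added example: viewability measurement without a Flash probe.
// Assumed thresholds (not from the article): 50% visible for 1000 ms, continuously.
const MIN_RATIO = 0.5;
const MIN_MS = 1000;

// Pure state machine fed with (intersectionRatio, timestamp) pairs.
function createViewabilityTracker(minRatio = MIN_RATIO, minMs = MIN_MS) {
  let visibleSince = null; // time the element crossed the threshold, or null
  let viewable = false;    // latches to true once the criterion is met
  return {
    // Call once per IntersectionObserverEntry.
    update(ratio, time) {
      if (ratio >= minRatio) {
        if (visibleSince === null) visibleSince = time;
      } else {
        visibleSince = null; // left the viewport: the continuous timer resets
      }
      return this.check(time);
    },
    // Call from a timer as well: the observer only fires on threshold crossings.
    check(now) {
      if (!viewable && visibleSince !== null && now - visibleSince >= minMs) {
        viewable = true;
      }
      return viewable;
    },
  };
}

// Browser wiring; returns null where the API is unavailable (Node, older browsers).
function observeViewability(element, onViewable) {
  if (typeof IntersectionObserver === 'undefined') return null;
  const tracker = createViewabilityTracker();
  let timer = null;
  const observer = new IntersectionObserver((entries) => {
    for (const entry of entries) {
      tracker.update(entry.intersectionRatio, entry.time);
      clearTimeout(timer);
      if (entry.intersectionRatio >= MIN_RATIO) {
        // Re-check after the minimum dwell time has elapsed.
        timer = setTimeout(() => {
          if (tracker.check(performance.now())) {
            observer.disconnect();
            onViewable(element);
          }
        }, MIN_MS);
      }
    }
  }, { threshold: [MIN_RATIO] });
  observer.observe(element);
  return observer;
}
```

Because the observer reports visibility from the browser's own layout engine, the page needs no plugin instance for this measurement.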

Further changes will be implemented starting next year, when Firefox will require click-to-activate approval from users before the Flash plugin is activated on a website to display content. Thus, websites relying on Flash or Silverlight for video or games are advised to consider the adoption of HTML technologies as soon as possible. Encrypted video playback using Adobe Primetime and Google Widevine as alternatives to plugin video is already supported in Firefox.

“These changes are part of our ongoing efforts to make browsing safer and faster without sacrificing the Web experiences our users love. As we announced last year, Firefox plans to drop support for all NPAPI plugins, except Flash, in March 2017,” Smedberg continues.

Google’s Chrome browser will also deprecate the Flash Player and block Flash content. The browser will switch to HTML5 and will ask users to accept Flash only when necessary. In February, Google announced that it would stop accepting Flash ads as of July 2016 and that it would stop displaying them in early 2017.

The move from Flash to HTML5 for the display of web-delivered advertising, however, will bring new threats and will have little effect on malvertising, a May report from GeoEdge has revealed.
