Security Experts:

Firefox Makes Adobe Flash Click-to-Activate by Default

Starting with the release of Firefox 55 this week, the Adobe Flash plugin is no longer active by default in Mozilla’s web browser, and users of the new version will be required to activate it for each website they visit.

According to Mozilla, not only is the Adobe Flash plugin click-to-activate disabled by default with the new release, but it is also allowed only on http:// and https:// URL schemes. Users can now choose on which sites they want to activate the plugin, and can also opt in for Firefox to remember the settings. Some sites, however, won’t be allowed to run plugins, Mozilla says.

Mozilla plans on fully removing Flash from Firefox in early 2020, but will continue to support it in Firefox Extended Support Release (ESR) until the end of 2020. From then onward, the browser will refuse to load the plugin.

Google Chrome and Microsoft Edge started blocking Flash by default last year, and Adobe announced last month that it will stop supporting the plugin by the end of 2020: “we will stop updating and distributing the Flash Player,” the company said at the end of July 2017. In addition to Google, Microsoft, and Mozilla, Apple and Facebook too announced plans to remove Flash.

In addition to deactivating Flash, the new browser release resolves around 30 security vulnerabilities, 5 of which were rated Critical risk. These include an XUL injection in the style editor in devtools (CVE-2017-7798), Use-after-free in WebSockets during disconnection (CVE-2017-7800), Use-after-free with marquee during window resizing (CVE-2017-7801), and Memory safety bugs (CVE-2017-7779 and CVE-2017-7780).

Firefox 55 also resolves 11 High severity flaws, including 4 use-after-free bugs, 3 buffer overflows, out-of-bounds issue, same-origin policy bypass, domain hijacking, and memory protection bypass vulnerabilities.

The browser includes patches for 7 Medium severity issues: spoofing following page navigation with data, CSP information leak with frame-ancestors containing paths, WindowsDllDetourPatcher allocates memory without DEP protections, Elliptic curve point addition error when using mixed Jacobian-affine coordinates, Linux file truncation via sandbox broker, CSP containing 'sandbox' improperly applied, and Self-XSS XUL injection in about:webrtc.

6 Low risk vulnerabilities were addressed in this release: DOS attack through long username in URL, Sandboxed about:srcdoc iframes do not inherit CSP directives, Failure to enable HSTS when two STS headers are sent for a connection, Windows crash reporter reads extra memory for some non-null-terminated registry values, Windows updater can delete any file named update.log, and Response header name interning leaks across origins.

Firefox 55 also brings along various new features and improvements, such as Windows support for WebVR and a setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition. Now, Firefox for Windows 64-bit is installed by default on all 64-bit systems that have at least 2GB of RAM.

The updated browser release is available for Windows, Mac, Linux, and Android.

Related: Tech Giants Announce Plans for Removal of Flash

Related: Mozilla Conducts Security Audit of Firefox Accounts

view counter