
Firefox Makes Adobe Flash Click-to-Activate by Default

Starting with the release of Firefox 55 this week, the Adobe Flash plugin is no longer active by default in Mozilla’s web browser, and users of the new version will be required to activate it for each website they visit.

According to Mozilla, not only is the Adobe Flash plugin disabled by default (click-to-activate) in the new release, it is also permitted only on pages loaded over the http:// and https:// URL schemes. Users choose on which sites they want to activate the plugin, and can opt in to have Firefox remember that choice per site. Some sites, however, will not be allowed to run plugins at all, Mozilla says.
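To make the policy described above concrete, here is a small illustrative model of the decision a browser makes before running a plugin on a page. This is added example code, not Mozilla's implementation; the ordering of checks, the `PluginPolicy` class, and the deny-listed host `plugins-blocked.example` are assumptions chosen for illustration. It runs under Node.js using the built-in WHATWG `URL` class.

```javascript
// Illustrative model (not Firefox's code) of click-to-activate plugin gating:
//   1. only http: and https: pages may ever run the plugin;
//   2. some hosts are never allowed to run plugins;
//   3. a remembered per-site choice is honoured;
//   4. otherwise the user is prompted to activate.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed example of hosts where plugins are never permitted (assumption).
const NEVER_ALLOWED_HOSTS = new Set(["plugins-blocked.example"]);

class PluginPolicy {
  constructor() {
    // host -> true (user chose "allow and remember") / false ("block and remember")
    this.remembered = new Map();
  }

  // Returns "blocked", "prompt" or "allow" for the page at pageUrl.
  decide(pageUrl) {
    let url;
    try {
      url = new URL(pageUrl); // normalises scheme and host (lower-case, IDNA)
    } catch (e) {
      return "blocked"; // unparsable URL: fail closed
    }
    if (!ALLOWED_SCHEMES.has(url.protocol)) return "blocked"; // file:, data:, ftp: ...
    if (NEVER_ALLOWED_HOSTS.has(url.hostname)) return "blocked";
    if (this.remembered.has(url.hostname)) {
      return this.remembered.get(url.hostname) ? "allow" : "blocked";
    }
    return "prompt"; // user must click to activate on this visit
  }

  // Record the user's per-site choice; ignored where the plugin could never run,
  // so a remembered "allow" cannot override the scheme or deny-list checks.
  remember(pageUrl, allow) {
    const url = new URL(pageUrl);
    if (!ALLOWED_SCHEMES.has(url.protocol) || NEVER_ALLOWED_HOSTS.has(url.hostname)) {
      return false;
    }
    this.remembered.set(url.hostname, Boolean(allow));
    return true;
  }

  forget(pageUrl) {
    this.remembered.delete(new URL(pageUrl).hostname);
  }
}

// Walk through the four cases with constructed URLs.
function demo() {
  const policy = new PluginPolicy();
  const results = {};
  results.firstVisit = policy.decide("https://example.com/game.swf");   // "prompt"
  policy.remember("https://example.com/", true);
  results.remembered = policy.decide("https://EXAMPLE.com/other");      // "allow"
  results.localFile = policy.decide("file:///C:/Users/x/movie.swf");     // "blocked"
  results.dataUrl = policy.decide("data:text/html,<embed src=x>");       // "blocked"
  results.denyListed = policy.decide("http://plugins-blocked.example/"); // "blocked"
  results.rememberRejected = policy.remember("file:///tmp/a.swf", true); // false
  return results;
}

console.log(demo());
```

Note that the scheme check and the deny list are evaluated before any remembered choice, so a stored "allow" for a host can never widen the set of pages on which the plugin runs.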

Mozilla plans on fully removing Flash from Firefox in early 2020, but will continue to support it in Firefox Extended Support Release (ESR) until the end of 2020. From then onward, the browser will refuse to load the plugin.

Google Chrome and Microsoft Edge started blocking Flash by default last year, and Adobe announced last month that it will stop supporting the plugin by the end of 2020: “we will stop updating and distributing the Flash Player,” the company said at the end of July 2017. In addition to Google, Microsoft, and Mozilla, Apple and Facebook too announced plans to remove Flash.

In addition to deactivating Flash, the new browser release resolves around 30 security vulnerabilities, five of which were rated Critical. These include an XUL injection in the style editor in devtools (CVE-2017-7798), a use-after-free in WebSockets during disconnection (CVE-2017-7800), a use-after-free with marquee during window resizing (CVE-2017-7801), and memory safety bugs (CVE-2017-7779 and CVE-2017-7780).

Firefox 55 also resolves 11 High severity flaws, including four use-after-free bugs, three buffer overflows, an out-of-bounds issue, a same-origin policy bypass, a domain hijacking flaw, and memory protection bypass vulnerabilities.

The browser includes patches for seven Medium severity issues: spoofing following page navigation with data, a CSP information leak with frame-ancestors containing paths, WindowsDllDetourPatcher allocating memory without DEP protections, an elliptic curve point addition error when using mixed Jacobian-affine coordinates, Linux file truncation via the sandbox broker, CSP containing ‘sandbox’ being improperly applied, and a self-XSS XUL injection in about:webrtc.

Six Low risk vulnerabilities were addressed in this release: a DoS attack through a long username in a URL, sandboxed about:srcdoc iframes not inheriting CSP directives, failure to enable HSTS when two STS headers are sent for a connection, the Windows crash reporter reading extra memory for some non-null-terminated registry values, the Windows updater being able to delete any file named update.log, and response header name interning leaking across origins.

Firefox 55 also brings various new features and improvements, such as Windows support for WebVR and a setting to enable hardware VP9 acceleration on Windows 10 Anniversary Edition. The 64-bit build of Firefox for Windows is now installed by default on all 64-bit systems that have at least 2GB of RAM.

The updated browser release is available for Windows, Mac, Linux, and Android.

Related: Tech Giants Announce Plans for Removal of Flash

Related: Mozilla Conducts Security Audit of Firefox Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
