Mozilla disables Flash by default in Firefox after Hacking Team documents reveal the 37th and 38th flaws in plug-in this month
Firefox now blocks Adobe Flash by default following the discovery of yet more zero-day vulnerabilities in the browser plug-in.
Two ‘critical’ flaws (CVE-2015-5122 and CVE-2015-5123) have been uncovered in files retrieved during the attack on controversial surveillance tools developer Hacking Team and have yet to be patched by Adobe, which expects to make updates available later this week.
Mark Schmidt, head of Firefox support at Mozilla, announced on Twitter that all versions of Flash were now blocked by the browser until a fix is made available.
Firefox Flash block
“BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now,” he said in a Tweet accompanied by an ‘occupy Flash’ image (left). “To be clear, Flash is only blocked until Adobe releases a version which isn’t being actively exploited by publicly known vulnerabilities.”
Mozilla says it routinely blocks add-ons, plugins, or other third-party software that “seriously compromises Firefox security, stability, or performance” when it becomes aware of them. Its block relates specifically to CVE-2015-5122.
Security firm TrendMicro says that at present the vulnerability is just a ‘proof of concept’ and has yet to see it exploited in the wild. If exploited, an attacker could engineer a crash and take control of the affected system.
Adobe’s promised fixes will be the 37th and 38th for the month of July so far, with an update last week fixing 36 flaws, including another vulnerability (CVE-2015-5119) discovered in 400GB worth of internal Hacking Team documents.
Are you a security pro? Try our quiz!