As the zero days in Adobe Flash continue to pile up, Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox.
The move is a temporary one as Adobe prepares to patch two vulnerabilities in Flash that were discovered as a result of the HackingTeam document dump last week. Both vulnerabilities are use-after-free bugs that can be used to gain remote code execution. One of the flaws is in ActionScript 3, while the other is in the BitmapData component of Flash.
Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has already been integrated into the Angler exploit kit, and there is a module for it in the Metasploit Framework as well. Those realities increase the danger to users, especially those who are prone to clicking on links from strangers.
Adobe is expected to patch the Flash zero days this week, but in the interim Mozilla has automatically disabled all versions of the plugin in Firefox as a way to protect users.
“All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues,” Mozilla said on its support site.
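For administrators who want to confirm that Flash is actually deactivated in a user's profile rather than relying on Mozilla's remote action alone, the following added example (not code from the article or from Mozilla) parses a Firefox `prefs.js`/`user.js` file and reports the state of the `plugin.state.flash` preference. The value semantics (0 = never activate, 1 = ask to activate, 2 = always activate) and the sample preference lines are assumptions made for this example.

```python
import re

# Constructed sample of lines in the shape of a Firefox profile's prefs.js
# (made up for this example, not copied from a real profile).
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.test/");
user_pref("plugin.state.flash", 0);
user_pref("plugin.state.java", 2);
'''

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed meaning of the plugin.state.* values in Firefox's plugin activation settings.
PLUGIN_STATES = {0: "never activate", 1: "ask to activate", 2: "always activate"}


def parse_prefs(text):
    """Parse prefs.js / user.js text into a dict of pref name -> Python value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref() call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as a string
    return prefs


def flash_state(prefs):
    """Return the Flash activation state, or None if the pref is absent (browser default applies)."""
    value = prefs.get("plugin.state.flash")
    if value is None:
        return None
    return PLUGIN_STATES.get(value, "unknown (%r)" % (value,))


def flash_is_disabled(prefs):
    """True only when the profile explicitly sets Flash to 'never activate'."""
    return prefs.get("plugin.state.flash") == 0


if __name__ == "__main__":
    p = parse_prefs(SAMPLE_PREFS_JS)
    print("plugin.state.flash:", flash_state(p))
    print("flash disabled:", flash_is_disabled(p))
```

Note that a missing preference is reported as `None` rather than "disabled": in that case the browser's default (and any remote blocklist action such as the one described above) decides, so a fleet-wide check should treat `None` as "not explicitly locked" rather than as safe.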
These are the second and third Flash zero days discovered in the HackingTeam cache. On July 6 researchers discovered the first Flash bug being used by HackingTeam’s intrusion software, which Adobe patched quickly. That bug also was incorporated into exploit kits, including Angler, Neutrino, and Nuclear.
Security experts for years have been encouraging users to disable or remove Flash from their machines because of the constant stream of vulnerabilities. That parade of bugs has made Flash a highly attractive target for attackers, who know that it is the most widely deployed software on the Web, a fact that makes Flash bugs quite valuable. Recent events have renewed the security community’s calls for users to abandon Flash, and on Sunday, Facebook CSO Alex Stamos said Flash has outlived its usefulness.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Stamos said on Twitter.
“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” Stamos said.