back to article Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged

Mozilla has lifted its blanket block on Flash in Firefox following the release of security updates by Adobe on Tuesday. Although the short-term block has been lifted, the whole flap appears to have re-energised efforts at Mozilla to work on Flash alternatives. The block – imposed on Monday – meant that all versions of Flash …

  1. Anonymous Coward
    Anonymous Coward

    Wouldn't it be great if...

    Adobe got hold of a copy of the Hacking Team's "liberated" material and got it's development *and* test teams, to not just do a "block/repair" of those and current exploits but to examine it's whole development ethos for Flash, so that it ceases to be the portal to insecurity it has become?

    1. Charles 9

      Re: Wouldn't it be great if...

      You have to realize that it's so old that there's simply so much cruft in it. Pardon the literature reference, but Flash is in many ways like Ankh-Morpork: stuff built on top of stuff built on top of even more stuff: to the point it's practically impossible to know what's underneath everything, yet it's such a critical nexus that you have no choice but to use it if you want to be something worth paying attention to.

  2. Charles 9

    Harking for an end to Flash is all well and good, but what about all the existing installations that require Flash to operate and, because they're high-level enterprise stuff, cannot be replaced without ticking off the bean counters...if not the board.

    1. Anonymous Coward
      Anonymous Coward

      Blame the morons who wrote it in flash in the first place. Flash's security vulnerabilities and concerns have been well documented for some time so it's out of sheer laziness and stupidity. Just ask the bean counters what the hacks cost Sony and TJX, make sure it's in writing to cover your own ass and you can have the greatest of pleasure telling them I told you so.

      1. Anonymous Coward
        Anonymous Coward

        Unless it would've cost them more in parts, labor, and downtime to replace the system. In which case the cure is worse than the disease and the best you can hope for is to pray. About the only way you'll get them to really pay attention is to show them an imminent and existential threat (meaning it WILL come unless it's addressed immediately AND failure to address will mean the company goes under, meaning the board will be out of work).

    2. VeganVegan
      Mushroom

      There are bespoke software being used all over the place

      They are free use what ever tools/language they want, including flash. Anything that goes wrong, it's their problem, no one else need to be affected.

      The current, unfortunate state of affairs is that flash is so widely distributed, affecting so many users.

      With concerted effort, flash can be made to recede into specialty applications, and not endanger the majority of folks.

      Nuke it.

      1. Anonymous Coward
        Anonymous Coward

        Re: There are bespoke software being used all over the place

        Not for commercial use, usually. Even if the software itself says Free for Commercial Use, consider the hardware needed to support it as well as the support structure that's considered a necessity to any business environment (given Murphy's Law).

  3. Anonymous Coward
    Megaphone

    Stop it, Mozilla

    The next time they do this, I'm going to download the source and compile their nannyness out. Or just stop using it.

    1. Charles 9

      Re: Stop it, Mozilla

      Would you rather be pwned by a drive-by Flash attack? And like I said earlier, some places require Flash to work and can't really be avoided. At least they said why they did it, and consider that we're not the types of users they're trying to "nanny". We may be caught in the crossfire, but we're also outnumbered.

      And if you leave Firefox, where will you go that has as many anti-nag features?

    2. Dan 55 Silver badge

      Re: Stop it, Mozilla

      It's one single about:config setting to disable the plugin blocklist, but don't let that get in the way of a good rant.

      1. Mark #255

        Re: Stop it, Mozilla

        Also, it was a soft block; that is, the user could click through on the banner to enable flash on a per-site basis.

        1. Pookietoo

          Re: soft block

          I have flash set as "Ask to Activate" so it made no difference to my surfing behaviour, just showing a "use with caution" notice that didn't need to be clicked through.

    3. BillG
      Devil

      Re: Stop it, Mozilla

      The block – imposed on Monday – meant that all versions of Flash were blocked within Firefox by default... Blocking every version of the plug-in seems highly unusual, perhaps even unprecedented.

      This doesn't look like Mozilla trying to protect users, as they blocked ALL versions of Flash. Instead it looks like Mozilla playing games with Adobe, with users as the unwitting pawns. Or maybe it's Mozilla getting sick and tired of Flash's pathetic security history and so sending them an in-your-face message that Adobe needs to clean their act up.

      In any case I am really, really curious as to what in bloody hell is going on at Adobe's Flash development team and if anyone from the team's management has been fired yet.

      I think Adobe's incompetence was made clear soon after they purchased Flash from Macromedia. They issued a Flash update that deliberately broke 3rd party Flash tools that competed with existing Adobe products. Almost put one of my businesses out of business. That lack of respect for users is still demonstrated by Adobe to this day.

  4. Robert Carnegie Silver badge

    Is this what they did?

    My impression is that Firefox was blocking Flash - by default which presumably you could alter - using the Flash plugin version number, including the latest version out when Firefox was released. In that case, a newer updated Flash plugin was immediately allowed to run. But I may have misunderstood and it may not matter.

  5. elDog

    Supporting vs Supporting - how about rewriting?

    From Adobe spokesman Wiebke (Read My) Lips:

    Blocking vulnerable software versions and directing users to install the latest, most secure version of Flash Player is one initiative we have been supporting for years. So this practice is definitely not out of the ordinary.

    I'd replace the "supporting for years" with "patching for years". At times it seems that every morning I wake up to another Flash update alert. Maybe ok on a desktop but not welcome in a multi-user environment such as Citrix.

  6. Nigel Steward
    Unhappy

    An alternative to Flash and/ or Shockwave ?

    "what about all the existing installations that require Flash to operate?"

    Precisely, it appears that in many cases there is no alternative to Flash and/or Shockwave; is there nothing which can emulate Flash without it vulnerabilities?

    1. Pookietoo

      Re: An alternative to Flash and/ or Shockwave ?

      There are alternatives, I've used Gnash in the past, but it didn't offer full functionality/compatibility. That was a while ago, so maybe worth trying it again.

  7. Anonymous Coward
    Anonymous Coward

    but only for windows, not linux

    There's to date still no update to the legacy 11.2.202.481 version on linux.

    https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

    1. Adair Silver badge

      Re: but only for windows, not linux

      I think it came in last night on my Mint installation.

    2. Irony Deficient

      Re: but only for Windows (and OS X, and Linux for Chrome), not Linux (for Firefox)

      Anonymous Coward, Flash Player 11.2.202.491 for Firefox on Linux has been released.

    3. Pookietoo

      Re: but only for windows, not linux

      491 is in the Ubuntu repo now

  8. phil dude
    Linux

    firefox/chrome/chromium...

    All of these 3 browsers have mechanisms for isolation. The most useful is profiles - completely separate installations that can be even executed as another users (in Linux and Mac, I don't know about Windows).

    The point is, you can have browsers for banking, company, mail etc.. and then a toxic one for all those sites with whizzy dancing flash rubbish.

    As much as flash needs to die, the current situation is at least a practical workaround for those who need to use it for corporate websites (that includes me).

    Yes I know this may not be ideal for IT in large organisations, but it seems simple.

    P.

    1. Anonymous Coward
      Anonymous Coward

      Re: firefox/chrome/chromium...

      Haven't one or more Flash-based exploits gone outside the profile to the application layer if not the OS, meaning they can go cross-profile or go outside user context by things like privilege escalation?

  9. Irongut
  10. MrWibble

    If the BBC could purge flash from their news / sport desktop pages (since it works on Android, I presume they're using user-agents to decide what to deliver), I can finally be rid of it.

    But at the moment, I need flash to listen to TMS.

    1. Ken Hagan Gold badge

      Has anyone got any experience of feeding a dishonest user-agent string to the BBC site and getting a flash-free experience on a Windows box? That would probably be even more useful than advising everyone to enable the click-to-activate feature.

  11. John Tserkezis
    Thumb Down

    Place your bets ladies and gentlemen!

    How many days before this brand spanking new version collects some brand spanking new zero-day exploits?

    Place your bets!

    I give it a week.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like