Mozilla suspends Adobe Flash support in Firefox
Mozilla announced on Monday that it has blocked all versions of the Adobe Flash plugin in Firefox, even the most recent version of the plugin, 18.0.0.203. Mozilla’s Mark Schmidt added via Twitter that the plugin will remain blocked until Adobe releases a version of Flash that’s not “actively exploited by publicly known vulnerabilities.”
The news arrives after several zero-day vulnerabilities in Flash Player were discovered last week. According to a report from FireEye Labs, several hacking groups were found using the first Flash vulnerability, CVE-2015-5119, in a large number of attacks. A second zero-day vulnerability, CVE-2015-5122, was also discovered in leaked data provided by Italian security company Hacking Team.
“The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground,” FireEye said regarding CVE-2015-5122. “Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).”
“Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100. This enables the object to change an adjacent Vector object’s length to 0x40000000,” the company added.
Once the exploit achieves this goal, it scans the machine’s memory for Kernel32.dll, locates its ExportTable and looks up the address of VirtualProtect. Once VirtualProtect marks the exploiter’s payload class as READ_WRITE_EXECUTE, the payload can be uploaded to the machine.
Alex Stamos, Facebook’s chief security officer, stated via Twitter on Sunday that it’s time to retire Adobe Flash. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he said.
The call to end Flash has been around for years. The late Steve Jobs even wrote a long letter in 2010 regarding why Apple wouldn't allow Flash on its products.
“Flash was created during the PC era—for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs,” Jobs wrote at the time. “But the mobile era is about low-power devices, touch interfaces, and open web standards—all areas where Flash falls short.”
Internet giants like Facebook and YouTube are already working to move away from Adobe Flash and support video based on HTML5. Stamos pointed out on Twitter that “compatibility with all modern browsers needs work.” Most of the browsers we use now, including Microsoft's new Edge browser for Windows 10, support HTML5 video.
Hackers seemingly attack Flash vulnerabilities because Adobe’s platform is used on almost every website on the Internet. With HTML5 gaining momentum, Adobe may end up retiring the Flash platform in the near future after all. Is retirement overdue?
From maximumpc
from http://bit.ly/1IYr7Dj