Mozilla on Monday began blocking all versions of Adobe Flash Player from running automatically in its Firefox browser, reacting to news of even more zero-day vulnerabilities unearthed in a massive document cache pilfered from the Italian Hacking Team surveillance firm.
Computerworld confirmed that the current production versions of Firefox -- dubbed v. 39 -- on both Windows and OS X now block Flash.
Mozilla engineers swung into action over the weekend after reports surfaced late Friday of another Flash zero-day -- the term that describes a flaw for which there is as yet no fix, or patch -- discovered in the gigabytes of data and documents stolen from the Hacking Team. At the time, the bug was the second in Flash spotted in just five days.
Since then a third Flash zero-day has cropped up.
Neither the second nor the third vulnerability had been patched by Adobe as of late Monday, although the company has promised to do so this week.
Mozilla added the current-as-of-Monday Flash Player 220.127.116.11 to Firefox's "block list" early Monday, and by day's end engineers had finished their work, tested the block and released it to Firefox users.
Until Adobe issues a patched version of Flash, Firefox will not automatically engage the player without warning users, even if they have updated Flash to v. 18.104.22.168 since Wednesday, July 8, when Adobe shipped the patch for the first of the zero-day troika.
Mozilla rationalized the unusual step in one of the messages posted to the pertinent Bugzilla thread. "Even sans non-vulnerable update, we should consider the risks of blocking the vulnerable Flash versions (i.e. all of them) vs. allowing millions of people to use actively exploited versions of Flash without so much as a warning," wrote Mark Schmidt, senior Firefox support lead.
With the block in place, any attempt to play Flash content in Firefox displays a message at the top of the browser display window that reads, "Firefox has prevented the unsafe plugin 'Adobe Flash' from running on the target URL."
Users can sidestep the block by clicking an "Allow" button at the far right of the message. Options to allow Flash to run just the once, or permanently, appear next.