Mozilla Firefox now blocks Adobe Flash, thanks to its horrible ongoing security problems. Not the least of which are the three plugin bugs exploited by Italy's now-notorious Hacking Team, which we covered yesterday.
The block will last until you're running a version with all known vulnerabilities patched. After the earlier revelations of three unpatched "zero-day" vulnerabilities in Flash, luminaries from Firefox and Facebook are saying, "Enough is enough!"
tl;dr: Nuke it from orbit. It's the only way to be sure.
In IT Blogwatch, bloggers secure their sensitive endpoints. Not to mention: Peter Hadfield is back, and he's ripping pseudo-scientists a new one...
Your humble blogwatcher curated these bloggy bits for your entertainment.
[Updated 6.12 am PDT with And Finally, and 7.05 am with more reactions]
Rich McCormick will prognosticate to accumulate:
After yesterday's news that Facebook's new chief security officer wants...to kill Flash once and for all, the latest...Firefox browser now blocks Adobe's vulnerability-riddled software as standard.
Mozilla...has previously blocked Flash, Java, and a range of other...software when they were found to have security holes.
Dislike for the software isn't new: Steve Jobs memorably explained his problems with Flash in an open letter published back in 2010. ... YouTube dropped Flash...in favor of HTML5 in January, and Chrome now intelligently pauses [it]. MORE
And Sean Hollister thinks it's time for a colorful metaphor:
Why such a hard-on for Flash? Why now? Well, it could be that the world just rediscovered just how prone Flash is to nasty, nasty vulnerabilities.
Mozilla’s Mark Schmidt [the head of Firefox support] says that once the “publicly known vulnerabilities” are fixed, Firefox will stop actively blocking Flash. [But] there’s finally enough popular support to stomp the battery draining, ad-spewing, vulnerability prone, practically irrelevant exploit-filled software. MORE
Yeah, but as Martin Roesler quips, "Old habits die hard":
Is it time to hop off the endless cycle of Flash vulnerabilities and updates?
Over the past 7 days, Flash was hit by three separate vulnerabilities. ... At this time, only [one] has been patched. Adobe has already promised to fix the two remaining issues sometime this week, but this does not guarantee the extinction of future vulnerabilities.
Flash has been something of a security house of horrors for some time. ... Previously we only had suspicions of how bad this problem was; now we have a more precise idea of the risk.
[But] using Flash is much like smoking: we know it’s bad for us, but we can’t quit. ... People will continue to use it because security by itself is not a solid-enough incentive. ... What we can do as end users and companies is to mitigate these issues. MORE
"It's time for Adobe Flash to die," Brad Reed warbles: [You're fired -Ed.]
Somewhere, Steve Jobs is smiling. ... Facebook chief security officer Alex Stamos has taken to Twitter to argue that Adobe needs to set a sunset date:..“Even if [it’s] 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
While Flash won’t die overnight, its time is definitely coming and Stamos makes a compelling case. MORE
Meanwhile, Darren Pauli recalls this inconvenient truth:
Last year Adobe chief security officer Brad Arkin [said] its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities led to a big reduction in zero-day attacks. MORE
Update: Pauli's pal Chris Williams digs deeper:
Adobe insists it is taking the security of its Flash Player seriously. [But] Adobe is under fire because these security flaws keep cropping up time and time and time again. [It's] software from Hell and "the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens." [And] we are not alone in our opinion.
Does Adobe care? ... Wiebke Lips, senior manager of Adobe's [PR, said]. "There are extensive efforts underway internally...to help keep our products and our users safe. ... Last year...Brad Arkin said he wanted to make life much harder for attackers...rather than spend all day finding and fixing bad code.
Adobe hopes to patch the critical CVE-2015-5122 and CVE-2015-5123 holes today. MORE
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.