Firefox 69 will require users to manually install Adobe Flash as the plugin’s end-of-life approaches.
Mozilla is disabling default support for Adobe’s Flash Player plugin in the upcoming version of its Firefox web browser, marking the latest phase in the plugin’s end-of-life.
Mozilla’s latest browser version, Firefox 69, will require users to manually enable Adobe Flash due to the disabled default support. Importantly, the change represents an additional step toward Flash’s eventual demise, as Mozilla and other popular browsers push the plugin off the radar.
“As per our Flash (plugin) deprecation roadmap, we will disable Flash by default in Nightly 69,” said Jim Mathies, senior engineering manager at Mozilla, in a Friday Bugzilla update.
The news follows Adobe’s announcement in July 2017 that it intends to end support for Flash by the end of 2020, meaning it will no longer distribute or update Flash Player. It will, therefore, “encourage content creators to migrate existing Flash content to these new open formats.”
Firefox 69 will be released later this year, on September 9.
Adobe End-of-Life
Adobe’s declaration of Flash’s end-of-life prompted Mozilla, Microsoft, and Google to develop their roadmaps for phasing Flash out of their respective browsers.
Both Mozilla and Google have announced that they will disable Adobe Flash by default in their browsers by the middle of 2018; however, this is just the beginning as more browsers support the transition away from Flash.
Microsoft, for example, has stated that Flash will be disabled by default in Microsoft Edge and Internet Explorer by the middle to end of 2019, and will be completely removed from all Windows versions by 2020.
Google has stated that it will continue to phase out Flash from its Chrome browser over the next few years, “first by requesting permission to run Flash in more situations, and eventually by disabling it by default.”
Flash will be eliminated from Chrome by the end of 2020.
As previously stated, Mozilla intends to completely remove Flash support from all consumer versions of Firefox; however, the Firefox Extended Support Release (ESR) will continue to support Flash until the end of 2020. Mozilla stated that when Adobe stops providing security updates for Flash in 2020, Firefox will simply refuse to load the plugin.
“The internet is full of websites that go beyond static pages, such as video, sound, and games,” said Mozilla on a support page. “NPAPI plugins, particularly Flash, have helped make these pages interactive. However, they also reduce your browsing speed, security, and stability.”
Flash’s impending demise is evident as fewer and fewer websites employ the plugin. According to a report by W3Techs, Flash is used by just 3.9 percent of all websites today – down a staggering amount from its 28.5 percent market share recorded in 2011.
Allan Liska, senior solutions architect at Recorded Future, told Threatpost that the moves will ultimately protect consumers browsing the internet.
“Mozilla’s actions, such as this one, help to protect Internet users,” he told us. “As a consequence of these actions, the market for exploit kits continues to decline, and only one Adobe Flash vulnerability cracked the top 10 in 2018.”
In contrast, in 2017, three of the top 10 vulnerabilities that Recorded Future was tracking targeted Adobe Flash, said Liska.
Flash Issues
Many in the industry have applauded the end of Flash, which is known to be a favorite target for cyber-attacks, particularly for exploit kits, zero-day attacks, or phishing schemes.
In 2018, Adobe patched several critical Flash vulnerabilities. Last year, the South Korean Computer Emergency Response Team issued a warning that a zero-day exploit for Adobe Flash Player was discovered in the wild as part of attacks aimed at its citizens. In June, targeted attacks against Windows users in the Middle East exploited a zero-day Flash vulnerability.
And as recently as December, a zero-day exploit for Adobe Flash Player was discovered as part of another widespread campaign.
Chris Goettl, director of product management for security at Ivanti, told Threatpost that the discontinuation of a product like Adobe Flash Player is a positive development.
“Threat actors are creatures of habit and opportunity,” he said. “If we remove the low-hanging fruit, their strategy will inevitably change.” Java was the primary target, followed by Flash Player. The actual question is, “What will be the next profitable target for attackers?”
Mozilla is taking the next logical step in protecting its users from one of the most commonly exploited browser plugins by disabling Flash, according to Liska.
He added, “Cybercriminals have become so adept at weaponizing Flash vulnerabilities that our researchers frequently observe new exploits being developed and deployed in exploit kits within 48 hours of a newly disclosed vulnerability.”