Adobe Flash hit by three zero-day vulnerabilities

July 14, 2015 | 11:35

Tags: #alex-stamos #firefox #flash #flash-player #flash-plugin #hacking-team #insecurity #security #vulnerability #zero-day

Companies: #adobe #mozilla #mozilla-foundation

Adobe's Flash software has been castigated and blocked by security professionals, following the release of three zero-day vulnerabilities in the space of two weeks.

Adobe's Flash is a popular means of putting rich-media content into web pages, but its power and flexibility come at a price: it's leakier than a sieve. Adobe is frequently patching the software to address yet another zero-day security vulnerability, but the company has had a particularly hard time of late following the release of a multi-gigabyte archive of material stolen from notorious grey-hat group Hacking Team. The archive included at least three previously unknown security vulnerabilities in the software - vulnerabilities that Hacking Team had used to obtain data and back-door access for its various clients.

As a result of the three latest vulnerabilities, Mozilla has officially added the Flash Player Plugin to its blacklist - preventing it from running within the Firefox browser unless the user manually overrides the block. In an explanatory message to its users, the company said that 'old versions of the Flash Player plugin have known vulnerabilities' and advised that 'all users are strongly recommended to check for updates on our plugin check page', while admitting that 'no updates were available at the time of this posting.'

The block comes as Facebook's chief security officer Alex Stamos took to Twitter to call for an end to Flash. 'It is time for Adobe to announce the end-of-life date for Flash,' Stamos claimed, 'and to ask the browsers to set killbits on the same day.'

This morning Adobe released Flash Plugin 18.0.0.203, which is claimed to resolve the security vulnerabilities revealed from the Hacking Team archive. Installing it should allow Firefox to play Flash content without intervention once again, but it will do little to repair the software's already sketchy reputation in security circles.