Mozilla is disabling default support for Adobe’s Flash Player plugin in the latest upcoming version of its FireFox browser, marking the latest step in end-of-life for the infamous plugin.
The disabled default support means that Firefox users will now be required to manually enable Adobe Flash in Mozilla’s latest browser version, Firefox 69. More importantly, the change signals another step toward the end of Flash in general, as Mozilla and other popular browsers push the plugin off the radar.
“Per our Flash (plugin) deprecation roadmap, we’ll disable Flash by default in Nightly 69 and let that roll out,” said Jim Mathies, senior engineering manager at Mozilla in a Bugzilla update on Friday.
The news follows Adobe’s announcement in July 2017 that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player at the end of 2020. Thus, it will “encourage content creators to migrate any existing Flash content to these new open formats.”
Firefox 69 will be released later this year on Sept. 9.
Adobe End-of-Life
Adobe’s announcement of the end-of-life for Flash spurred tech giants across the industry – like Mozilla, Microsoft and Google – to develop their own roadmaps on how they would phase Flash out of their own browsers.
Both Mozilla and Google have said that they would be disabling Adobe Flash in their browsers by default in mid-2018 — but this step is only the beginning as more browsers start to support the transition away from Flash.
Microsoft for instance said it will disable Flash by default in Microsoft Edge and Internet Explorer in mid-to-late 2019, and would fully remove Flash from all Windows versions in 2020.
As for Google, the tech giant said it would continue phasing out Flash from its Chrome browser for the next few years, “first by asking for your permission to run Flash in more situations, and eventually disabling it by default.”
Flash will be completely removed from Chrome toward the end of 2020.
Mozilla, as mentioned, has announced plans to completely remove support for Flash from all consumer versions of Firefox — but the Firefox Extended Support Release (ESR) will continue supporting Flash through the end of 2020. In 2020, when Adobe stops shipping security updates for Flash, Firefox will simply refuse to load the plugin, Mozilla said.
“The internet is full of websites that go beyond static pages, such as video, sound and games,” said Mozilla on a support page. “NPAPI plugins, especially Flash, have helped enable these interactive pages. But they also make your browsing slower, less secure and more likely to crash.”
Flash’s approaching end-of-life is apparent as fewer and fewer websites use the plugin. According to a report by W3Techs, Flash is used by just 3.9 percent of all the websites today – down a staggering amount from its 28.5 percent market share recorded in 2011.
Allan Liska, senior solutions architect at Recorded Future told Threatpost that the moves will ultimately protect consumers browsing the internet.
“Steps, like this one taken by Mozilla, help to protect people on the internet,” he told us. “The real-world results of these actions mean that we continue to see the exploit kit market decline, and only one Adobe Flash vulnerability cracked the top 10 in 2018.”
In contrast, in 2017, three of the top 10 vulnerabilities that Recorded Future was tracking were targeted against Adobe Flash, said Liska.
Flash Issues
Many in the industry have applauded the end of Flash, which is known to be a favorite target for cyber-attacks, particularly for exploit kits, zero-day attacks or phishing schemes.
In 2018, Adobe patched against several malicious critical Adobe Flash bugs. Last year, the South Korean Computer Emergency Response Team issued a warning that an Adobe Flash Player zero-day was spotted in the wild as part of attacks focused on its citizens. In June, a zero-day Flash vulnerability was being exploited in the wild in targeted attacks against Windows users in the Middle East.
And as recently as December, an Adobe Flash Player zero-day exploit was spotted as part of another widespread campaign.
Chris Goettl, director of product management for Security at Ivanti, told Threatpost that seeing a product like Adobe Flash Player being phased out is a positive event.
“Threat actors are creatures of habit and opportunity,” he said. “If we take away the low hanging fruit they will inevitably change their tactics. Java was the primary target, then Flash Player took over. The real question is what will arise as the next lucrative target for attackers?”
Liska told Threatpost that in disabling Flash, Mozilla “is taking the next logical step in protecting their users from one of the most commonly exploited browser plugins.”
He added, “Cybercriminals have gotten so good at weaponizing Flash vulnerabilities that our researchers often see new exploits developed and deployed in exploit kits within 48 hours of a new vulnerability being announced.”