Naked Security

Firefox 55 makes Flash click-to-run, fixes security bugs

The long march towards the death of Flash takes another step in Firefox's latest version

The popular web browser released a major update on August 8, version 55, which — in addition to some nifty new features, like Virtual Reality support — includes a number of security fixes. Firefox 55 remediates three critical and 11 high-impact vulnerabilities, as well as seven moderate and six low-impact vulns.

Of the critical and high-impact vulnerabilities fixed, several of them would have allowed an attacker to crash the browser, execute arbitrary code, or even access sensitive information on a page the user was reading. A few days after the 55 release came its first minor update, 55.0.1, which includes a few additional bug fixes.

August 8 also brought the latest major update for Firefox Extended Support Release (ESR), version 52.3.0, which will be of interest if you manage and deploy Firefox in an organization. Firefox ESR 52.3.0 addresses the same security vulnerabilities as Firefox 55; all of them are detailed in the MFSA 2017-18 security bulletin.

If you are running anything close to a recent version of Firefox, the browser should be set up to automatically update to the latest version as soon as the update is available — unless you’ve manually disabled this option, which we do not recommend!

As of this writing, it appears that the automatic updates for Firefox haven’t been pushed out quite yet (so you might still be running 54.0.1), but version 55.0.1 is available for standalone download if you don’t want to wait. You can always check whether you have the latest version by following the instructions on this help page from Mozilla.
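For administrators who want to confirm patch status across a fleet rather than eyeballing the About dialog, here is an added example (not code from Sophos or Mozilla) that parses the banner printed by `firefox --version` and checks it against the minimum fixed versions named in this article: 55.0 on the release channel and 52.3.0 on the ESR channel. It assumes the banner has the form `Mozilla Firefox 55.0.1` (or `Mozilla Firefox 52.3.0esr` for ESR builds) and treats any 52.x build as belonging to the ESR line; both are assumptions, not facts from the page.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum versions carrying the MFSA 2017-18 fixes, per the article:
# Firefox 55 on the release channel, Firefox ESR 52.3.0 on the ESR channel.
FIXED_RELEASE = (55, 0, 0)
FIXED_ESR = (52, 3, 0)

# Assumed banner format: "Mozilla Firefox <major>.<minor>[.<patch>][esr]"
VERSION_RE = re.compile(
    r"Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE
)


def parse_firefox_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_esr) or None if the banner is unrecognised."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_patched(banner: str) -> bool:
    """True if the installed build is at or above the fixed version for its channel.

    An unrecognised banner is treated as unpatched so that a broken or missing
    binary shows up as a finding rather than silently passing.
    """
    parsed = parse_firefox_version(banner)
    if parsed is None:
        return False
    version, is_esr = parsed
    # Assumption: a 52.x build is on the ESR line even if the banner lacks "esr".
    if is_esr or version[0] == FIXED_ESR[0]:
        return version >= FIXED_ESR
    return version >= FIXED_RELEASE


def installed_banner(binary: str = "firefox") -> str:
    """Run '<binary> --version' and return its first line, or '' if it cannot run."""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=30
        )
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return result.stdout.strip().splitlines()[0] if result.stdout.strip() else ""


if __name__ == "__main__":
    # Constructed sample banners standing in for output from several hosts.
    samples = [
        "Mozilla Firefox 55.0.1",
        "Mozilla Firefox 54.0.1",
        "Mozilla Firefox 52.3.0esr",
        "Mozilla Firefox 52.2.1esr",
    ]
    for banner in samples:
        print(f"{banner:28s} -> {'patched' if is_patched(banner) else 'NEEDS UPDATE'}")
    local = installed_banner()
    if local:
        print(f"{local:28s} -> {'patched' if is_patched(local) else 'NEEDS UPDATE'}")
```

Run it on each managed host (or feed it banners collected by your inventory tool) and alert on any `NEEDS UPDATE` result; note that it checks the version only, and does not tell you whether the browser has actually restarted into the new build.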

Another step toward killing off Flash for good

One of the major changes in this release that’s not strictly a security update, but has big security implications, is a change in how Firefox runs the Adobe Flash plugin within the browser. Mozilla has a roadmap describing its phased plan for stopping plugins, including Flash, for good. Plugins, Mozilla writes, are an “obsolete technology”, and with the release of Firefox 46 last June (2016), all plugins aside from Adobe Flash became click-to-activate.

Since Flash is one of the most ubiquitous (and problematic) of plugins, Mozilla says it is working with other browser companies to help phase out support for Flash across the board.

With this release, Firefox runs Flash as click-to-activate, and will only run it on http or https URLs. Adobe Flash has been a major threat vector for years and, as you may have heard, is due to be killed off by Adobe in 2020; in the intervening years, disabling the autoplay of Flash can certainly mitigate a number of attacks that use Flash to infiltrate a browser.

The Flash click-to-activate change is not being applied to everyone at once; it begins with release 55. According to the Firefox Plugins roadmap, this change will “be rolled out progressively during August and September 2017”. Once Adobe stops supporting Flash at the end of 2020, Firefox will stop as well: by that time, the browser will refuse to load the plugin at all.

And yes, we know that’s not a fox in the photo – it’s a red panda, which is also known as … a firefox.


5 Comments

I just don’t quite understand why it takes forever for the group to kill Adobe Flash for good. Obviously, it is not doing any good to the browser users.


Ulysses, lots of people who don’t design their own web pages have hired a Flash-using designer in the past. They are not looking forward to paying more money to get the same pages implemented in different technology, especially since they know their own pages aren’t malicious.

I don’t happen to fall into that class but I understand their thinking.


Laurence has a good point. But there are also endpoint applications that are Flash based. My backup software, our SAN manager application and more. It is not always easy for admins to avoid this stuff. I end up running an admin station with old versions of Flash and Java and delay other updates to make sure my admin software keeps working. Then I have to isolate the admin station and not browse the internet. Now I have to remove my Sophos Central from my admin station because it is stopping me from running old software. There is no ideal solution.
