To patch two critical zero-day vulnerabilities, Adobe Systems issued an emergency update for its Flash media player. That’s in addition to a previously unknown vulnerability discovered over a week ago in a 400-gigabyte data dump published after hackers rooted the servers of Hacking Team. That bug allowed hackers to covertly install malware on end-user computers. Mozilla now blocks the hacker-susceptible Flash, and several industry leaders are calling for Adobe to pull the plug on the bug-infested media player.
According to Ars Technica, Windows, Mac OS X and Linux were infected with all three bugs. It reports that, “at least one of them was potent enough to pierce the vaunted Google Chrome security sandbox, most likely because it was combined with a separate privilege-escalation exploit for Windows.”
Hackers began exploiting the first bug only days after it was discovered. “As of now, no hackers seem to be similarly targeting the latest two bugs but, it’s a fair bet they are, or at least will be soon.”
The Verge reports that Mark Schmidt, head of Mozilla’s Firefox support team, tweeted that “all versions of Flash Player are blocked in the [Firefox] browser as of its latest update,” and then clarified that “Mozilla will enable support for Flash as default for its browser when Adobe releases a version that isn’t being actively exploited by known vulnerabilities.”
Mozilla isn’t alone in taking Adobe to task over Flash. YouTube switched from Flash to HTML5 as its default player, and Chrome now pauses instances of Flash video on its pages.
“The Web’s biggest companies have slowly withdrawn support from the software over the past few years,” explains The Verge. “Even Adobe stopped active development of Flash Player for mobile in 2011, recognizing it as inferior to HTML5.”
Fortune reports that new Facebook security chief Alex Stamos has publicly called for the death of Flash. “It is time for Adobe to announce the end-of-life date for Flash ,” he tweeted. “And to ask the browsers to [disable the software] on the same day.”