Firefox 55 makes Flash click-to-run, fixes security bugs

Created: August 11, 2017

The popular web browser released a major update on August 8, version 55, which — in addition to some nifty new features, like Virtual Reality support — includes a number of security fixes. Firefox 55 remediates three critical and 11 high-impact vulnerabilities, as well as seven moderate and six low-impact vulns.

Of the critical and high-impact vulnerabilities fixed, several would have allowed an attacker to crash the browser, execute arbitrary code, or even access sensitive information on a page the user was reading. A few days after the 55 release came its first minor update, 55.0.1, which includes a few additional bug fixes.

August 8 also brought the latest major update for Firefox Extended Support Release (ESR), version 52.3.0, which might be of interest to you if you manage and deploy Firefox in an organization. Firefox ESR 52.3.0 mitigates the same security vulnerabilities that are addressed in Firefox 55, all detailed in the MFSA 2017-18 security bulletin.

If you are running anything close to a recent version of Firefox, the browser should be set up to automatically update to the latest version as soon as the update is available — unless you’ve manually disabled this option, which we do not recommend!

As of the time of this writing, it appears that the automatic updates for Firefox haven’t been pushed out quite yet (so you might still be running 54.0.1), but version 55.0.1 is available for standalone download if you don’t want to wait. You can always check to see if you have the latest version by following the instructions on this help page from Mozilla.
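For anyone managing more than one machine, the version check can be run over an inventory. The script below is an added example, not part of the original article: it flags installs older than the fixed versions the article names (55 on the release channel, 52.3.0 on ESR). It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample strings are constructed.

```python
import re

# Minimum versions carrying the MFSA 2017-18 fixes, as stated in the article.
FIXED = {"release": (55, 0, 0), "esr": (52, 3, 0)}

# Assumed input format: the line printed by `firefox --version`,
# e.g. "Mozilla Firefox 54.0.1" or "Mozilla Firefox 52.2.1esr".
VERSION_RE = re.compile(r"Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b")


def classify(version_line):
    """Return (channel, version_tuple, status) for one version string."""
    m = VERSION_RE.search(version_line)
    if not m:
        # Pre-release builds, errors and empty output all land here.
        return (None, None, "unknown")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    channel = "esr" if esr else "release"
    status = "fixed" if version >= FIXED[channel] else "needs-update"
    return (channel, version, status)


def audit(inventory):
    """Classify every host and list the ones that are not confirmed fixed."""
    results = {host: classify(line) for host, line in inventory.items()}
    pending = sorted(h for h, r in results.items() if r[2] != "fixed")
    return results, pending


# Constructed sample inventory (hostnames and strings are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 54.0.1",
    "ws-02": "Mozilla Firefox 55.0.1",
    "ws-03": "Mozilla Firefox 52.2.1esr",
    "ws-04": "Mozilla Firefox 52.3.0esr",
    "ws-05": "Mozilla Firefox 55.0",
    "ws-06": "firefox: command not found",
}

if __name__ == "__main__":
    results, pending = audit(SAMPLE)
    for host in sorted(results):
        channel, version, status = results[host]
        print(f"{host}: {channel or '-'} {version or '-'} -> {status}")
    print("Follow up on:", ", ".join(pending))
```

Hosts whose output cannot be parsed are reported as `unknown` and kept on the follow-up list rather than being treated as patched.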

Another step toward killing off Flash for good

One of the major changes in this release that’s not strictly a security update, but has big security implications, is a change in how Firefox runs the Adobe Flash plugin within the browser. Mozilla has a roadmap describing its phased plan for stopping plugins, including Flash, for good. Plugins, Mozilla writes, are an “obsolete technology”, and with the release of Firefox 46 last June (2016), all plugins aside from Adobe Flash became click-to-activate.

Since Flash is one of the most ubiquitous (and problematic) of plugins, Mozilla says it is working with other browser companies to help phase out support for Flash across the board.

With this release, Firefox now runs Flash click-to-activate, and Flash will only run on http or https URLs. Adobe Flash is and has been a major threat vector for years, and as you may have heard, is due to be killed off by Adobe in 2020; that said, in the intervening years, disabling the autoplay of Flash could certainly mitigate a number of attacks that use Flash to infiltrate a browser.

The Flash click-to-activate change is not universal and is only set to begin with release 55. According to the Firefox Plugins roadmap, this change will “be rolled out progressively during August and September 2017”. Once Adobe stops supporting Flash at the end of 2020, Firefox will as well — by that time, the browser will completely refuse to load the plugin no matter what.

And yes, we know that’s not a fox in the photo – it’s a red panda, which are also known as … firefoxes.


Source: Naked Security
