Mozilla has added all versions of Adobe Flash up to the most recent version 18.104.22.168 to the Firefox blocklist.
Security researchers have discovered vulnerabilities in recent versions of Adobe Flash that have not yet been patched by Adobe but are already exploited in the wild. In particular, several exploit kits are making use of them to serve crypto-ransomware to systems running Adobe Flash.
The blocklist lists browser extensions, plugins and other components that Firefox blocks automatically, either directly or, in the case of plugins, sometimes by setting them to "ask to activate".
The Flash vulnerability affects all versions of Flash on Windows, Linux and Macintosh systems.
Firefox displays a warning message on its plugins management page that Flash is vulnerable. As you can see on the screenshot below, Shockwave Flash has been set to "ask to activate" and not blocked permanently.
The difference between "ask to activate" and "never activate" is that Flash is not blocked completely in the former state which means that Flash contents can still be accessed in the browser. While that requires an extra click, it ensures that code on websites cannot exploit the vulnerability automatically without user action.
Options to switch the state are not available due to Flash being on the browser's blocklist.
Firefox displays a warning in the browser whenever Flash contents are embedded on a web page:
Firefox has prevented the unsafe plugin "Adobe Flash" from running on [website url].
The prompt displays options to allow the plugin on the page. If selected, Flash contents will be loaded and can be used just like before.
The blocklist update may not have been deployed on all Firefox machines. You may request a manual update of the blocklist at any time using the method below:
- Open the Web Console by tapping on Alt and selecting Tools > Web Developer > Web Console (or use Ctrl-Shift-k).
- Click on the preferences icon.
- Locate Advanced Settings and check "Enable browser chrome and add-on debugging toolboxes".
- Open the Browser Console afterwards by tapping on Alt and selecting Tools > Web Developer > Browser Console (or use Ctrl-Shift-j).
- Type Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
The blocklist should update if updates are available. If you have Flash installed in Firefox you should see the vulnerability warning now in the plugin manager of the browser.
Additional information about the block is available on Bugzilla@Mozilla.