Adobe Patches ‘Critical’ Flash Flaws After Firefox Block

Adobe has patched two zero-day vulnerabilities in Flash discovered in documents uncovered in the cyber-attack on controversial surveillance tools developer Hacking Team.

The two ‘critical’ flaws (CVE-2015-5122 and CVE-2015-5123) were the 37^th and 38^th Flash vulnerabilities found in the month of July so far and had led to Mozilla block all versions of Flash in Firefox until an update was released, claiming it was too dangerous to run by default.

Flash patch

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux,” said the firm in an advisory. “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”

Mozilla’s decision was the latest piece of negative publicity for after Facebook’s new chief security officer Alex Stamos called on Adobe to set an end of life date for the much-maligned plug-in due to the sheer number of security threats.

It is unclear when the Mozilla will lift the block on Flash, but Mark Schmidt, head of Firefox support at Mozilla, did say on Twitter this would happen once a patch had been released.

“To be clear, Flash is only blocked until Adobe releases a version which isn’t being actively exploited by publicly known vulnerabilities,” he said in a Tweet yesterday.

TechWeekEurope has asked Mozilla when Flash might be re-enabled but had not received a response at the time of publication.

Are you a security pro? Try our quiz!