In association with heise online

30 January 2013, 12:49

Mozilla pulling plug on auto-running nearly all plugins

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Firefox logo By default, Firefox will, in future, only automatically run the content of the most recent version of Flash – all other plugins will default to "Click to Play". The changes, announced on Mozilla's security blog as a way to put users back in control of plugins, will increase the security and stability of Firefox.

The Mozilla announcement comes after Oracle's recent troubles securing Java, which recently culminated in Oracle's Java defences falling to a security researcher. That researcher recommended "Click to Play" as a more appropriate defence against drive-by style attacks that exploited plugins such as Java. As plugins are one of the major sources of instability in the browser, the ability to only activate them on demand reduces the risks of rogue plugins as well. Mozilla had been working on a process-per-plugin model for Firefox, but abandoned that due to the complexity of re-architecting Firefox.

"Click to Play" was introduced in April 2012 to give users more control over when plugins such as Flash, Adobe Reader, Silverlight or Java ran in the browser. Users can elect to re-enable auto-running on a per-plugin or per-site basis. In October 2012, Mozilla added a block-list for plugins to activate "Click to Play" on unsafe plugins. This block-list already included blocks for older versions of plugins.

Now, the company is going yet another step further and setting all current versions of plugins, except for some unexplained reason the most recent version of Flash, as "Click to Play". The deployment is staged though, with more recent insecure Flash versions being blocked first, then, once a user interface is complete, "Click to Play" blocking for all current versions of Silverlight, Java and Acrobat Reader and all versions on any other plugins. No timetable has been given for when these changes will be made.

Mozilla Plugins, unlike Mozilla's Add-ons, have more direct access to the memory and process space of the browser, and flaws in plugins are generally far more exploitable. Add-ons, on the other hand, are written in JavaScript and HTML5 and are run by the browser, making it harder to exploit any flaws in them. Speaking of Add-ons, Mozilla has also recently announced an update to the Add-on SDK with a new context menu module.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit