Mozilla pulling plug on auto-running nearly all plugins
By default, Firefox will, in future, only automatically run the content of the most recent version of Flash – all other plugins will default to "Click to Play". The changes, announced on Mozilla's security blog as a way to put users back in control of plugins, will increase the security and stability of Firefox.
The Mozilla announcement comes after Oracle's recent troubles securing Java, which recently culminated in Oracle's Java defences falling to a security researcher. That researcher recommended "Click to Play" as a more appropriate defence against drive-by style attacks that exploited plugins such as Java. As plugins are one of the major sources of instability in the browser, the ability to only activate them on demand reduces the risks of rogue plugins as well. Mozilla had been working on a process-per-plugin model for Firefox, but abandoned that due to the complexity of re-architecting Firefox.
"Click to Play" was introduced in April 2012 to give users more control over when plugins such as Flash, Adobe Reader, Silverlight or Java ran in the browser. Users can elect to re-enable auto-running on a per-plugin or per-site basis. In October 2012, Mozilla added a block-list for plugins to activate "Click to Play" on unsafe plugins. This block-list already included blocks for older versions of plugins.
Now, the company is going yet another step further and setting all current versions of plugins, except for some unexplained reason the most recent version of Flash, as "Click to Play". The deployment is staged though, with more recent insecure Flash versions being blocked first, then, once a user interface is complete, "Click to Play" blocking for all current versions of Silverlight, Java and Acrobat Reader and all versions on any other plugins. No timetable has been given for when these changes will be made.