Mozilla Boldly Blocks Browser Plug-Ins For Firefox

Published: 22/11/2024   Category: security


Security experts applaud new effort by browser vendor that helps protect users from silent, drive-by attacks



Firefox browser maker Mozilla turned heads this week by brazenly blocking plug-ins for its browser in a move that it says will improve both performance and security.
It will now be up to the user to enable plug-ins, such as Java, Adobe, and Silverlight, according to Mozilla director of security assurance Michael Coates, who announced the new functionality yesterday in a blog post. Mozilla's Click to Play feature will be the tool for that: "Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play, Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play, or the user has previously configured Click To Play to always run plugins on the particular website," he wrote.
Security experts were surprised by Mozilla's aggressive change-up in its browser. "For Mozilla to disable all plug-ins, that's a really bold move on their part. I welcome it," says Jeremiah Grossman, founder and CTO of WhiteHat Security. "I would not have expected them to be so gutsy."
The only exception to the default moratorium on plug-ins for Firefox is Adobe Flash Player. "Our plan is to enable Click to Play for all versions of all plug-ins except the current version of Flash," Coates says. Older versions of Flash will eventually be added to Click to Play, however, he says.
Mozilla already offers Click to Play for risky plug-ins, like Java, Adobe Reader, and Silverlight.
"Mozilla's move to make Java, Adobe PDF, and Silverlight plug-ins Click-to-Play -- that's a brave move. It should, however, help protect users of that browser against attacks silently exploiting current and future security vulnerabilities in [those] plug-ins," says Adam Gowdiak, founder and CEO of Security Explorations.
Gowdiak recently announced that he had discovered security holes that could allow an attacker to both escape Java's sandboxing protection and cheat the highest security settings in the application. His advice to users until there's a fix was to disable Java or use the click-to-play feature in Firefox, Chrome, and Opera browsers.
[High and Very High Java security settings won't stop attacks, researcher says. See "Java Security Feature FAIL: Researcher Bypasses Java Sandbox, Security Settings."]
The barrage of attacks exploiting Java browser apps may well have been the tipping point for Firefox plug-ins, experts say.
"Three primary motivations drove our decisions with Click to Play and plug-in handling: user control, performance and stability, and security. Over the past year, we've seen vulnerabilities and exploitation in a variety of plug-ins, including Java, and these incidents have reinforced the benefits of providing the Click to Play feature," Coates told Dark Reading in a statement.
Mozilla's Coates says in his post that Click to Play will help protect users from drive-by exploits targeting plug-ins. "We've observed plug-in exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations, the website doesn't have any legitimate use of the plug-in other than exploiting the user's vulnerable plug-in to install malware on their machine," Coates says. "The Click to Play feature protects users in these scenarios since plug-ins are not automatically loaded simply by visiting a website."
Grossman, meanwhile, says Java should be uninstalled, not just disabled. While many enterprises can't give up Java altogether due to some applications, he says, for home users, "I cannot imagine where they would need Java on websites."
He says other browser vendors could follow suit. "I could see browser vendors wanting to push everyone to HTML5, and this is one step, killing off old [browser] extensions," Grossman says.
Grossman says while Mozilla and other major browser vendors have gradually made progress in securing users from drive-by attacks over the past few years, there's still another vector that's lacking: inside-the-browser-walls attacks, he says, such as cross-site scripting, cross-site request forgery, and clickjacking.
"Those remain unaddressed for the most part," Grossman says.