Mozilla takes drastic step to automatically block virtually all plug-ins in Firefox

Cites security, stability reasons for move to turn on 'click-to-play' for all but the latest Flash

By , Computerworld |  Security, Firefox, firefox plugins

Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player, citing security and stability reasons for the move.

The feature, called "click-to-play," has been part of Firefox since version 17, which launched last November, but Mozilla will restrict plug-ins even further going forward.

By default, click-to-play bars plug-in play, but users can override the block by clicking any grayed-out content area on a Web page. The technique has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins, particularly the Java browser plug-in.

Previously, Firefox's click-to-play only kicked in for those plug-ins that Mozilla determined were unsafe or seriously out of date. (The company posts a list of those plug-ins here.)

As of Tuesday, Firefox also blocked versions 10.2.x and older of Flash Player, the first step toward the goal of barring virtually all plug-ins.

The current version of Flash Player is 11.5.x on OS X Snow Leopard, Lion and Mountain Lion, and on all editions of Windows with the exception of Windows 8, where the most up-to-date is 11.3.x. OS X Tiger and Leopard's current Flash is version 10.3.x.

Although Mozilla did not define a timeline, it will soon block all plug-ins other than the latest version of Flash. The block will include up-to-date versions of popular plug-ins such as Adobe's Acrobat Reader, Microsoft's Silverlight and Oracle's Java.

Java has been especially iffy of late. Earlier this month, exploits of a critical vulnerability in the Java plug-in were found packaged in several crimeware toolkits, and while Oracle quickly patched the bug, researchers first warned that the fix was itself flawed, then claimed an important Java anti-exploit defense could be circumvented. The U.S. Computer Emergency Readiness Team (US-CERT) has recommended that browser users disable the Java plug-in until further notice.

Mozilla said the drastic step was needed to safeguard users from "drive-by" attacks, which trigger exploits as soon as a victim visits a malicious or compromised website.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness