Mozilla takes drastic step to automatically block virtually all plug-ins in Firefox

Cites security, stability reasons for move to turn on 'click-to-play' for all but the latest Flash

Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player, citing security and stability reasons for the move.

The feature, called "click-to-play," has been part of Firefox since version 17, which launched last November, but Mozilla will restrict plug-ins even further going forward.

By default, click-to-play bars plug-in play, but users can override the block by clicking any grayed-out content area on a Web page. The technique has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins, particularly the Java browser plug-in.

Previously, Firefox's click-to-play only kicked in for those plug-ins that Mozilla determined were unsafe or seriously out of date. (The company posts a list of those plug-ins here.)

As of Tuesday, Firefox also blocked versions 10.2.x and older of Flash Player, the first step toward the goal of barring virtually all plug-ins.

The current version of Flash Player is 11.5.x on OS X Snow Leopard, Lion and Mountain Lion, and on all editions of Windows with the exception of Windows 8, where the most up-to-date is 11.3.x. OS X Tiger and Leopard's current Flash is version 10.3.x.

Although Mozilla did not define a timeline, it will soon block all plug-ins other than the latest version of Flash. The block will include up-to-date versions of popular plug-ins such as Adobe's Acrobat Reader, Microsoft's Silverlight and Oracle's Java.

Java has been especially iffy of late. Earlier this month, exploits of a critical vulnerability in the Java plug-in were found packaged in several crimeware toolkits, and while Oracle quickly patched the bug, researchers first warned that the fix was itself flawed, then claimed an important Java anti-exploit defense could be circumvented. The U.S. Computer Emergency Readiness Team (US-CERT) has recommended that browser users disable the Java plug-in until further notice.

Mozilla said the drastic step was needed to safeguard users from "drive-by" attacks, which trigger exploits as soon as a victim visits a malicious or compromised website.

The open-source developer also cited stability reasons for the move. "By only activating plug-ins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plug-ins," said Michael Coates, Mozilla's director of security assurance, in a Jan. 29 blog post.

Mozilla will be the first browser maker to disable the bulk of plug-ins by default. Chrome and Opera Software's Opera also include click-to-play, but both leave it turned off until the user enables the feature.

Firefox plug in alert
Firefox will soon automatically block all plug-ins -- except for the newest version of Adobe's Flash Player -- to improve browser security and stability. (Image: Mozilla.)

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies