Mozilla takes drastic step to automatically block virtually all plug-ins in Firefox
Cites security, stability reasons for move to turn on 'click-to-play' for all but the latest Flash
Computerworld - Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player, citing security and stability reasons for the move.
The feature, called "click-to-play," has been part of Firefox since version 17, which launched last November, but Mozilla will restrict plug-ins even further going forward.
By default, click-to-play bars plug-in play, but users can override the block by clicking any grayed-out content area on a Web page. The technique has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins, particularly the Java browser plug-in.
Previously, Firefox's click-to-play only kicked in for those plug-ins that Mozilla determined were unsafe or seriously out of date. (The company posts a list of those plug-ins here.)
As of Tuesday, Firefox also blocked versions 10.2.x and older of Flash Player, the first step toward the goal of barring virtually all plug-ins.
The current version of Flash Player is 11.5.x on OS X Snow Leopard, Lion and Mountain Lion, and on all editions of Windows with the exception of Windows 8, where the most up-to-date is 11.3.x. OS X Tiger and Leopard's current Flash is version 10.3.x.
Although Mozilla did not define a timeline, it will soon block all plug-ins other than the latest version of Flash. The block will include up-to-date versions of popular plug-ins such as Adobe's Acrobat Reader, Microsoft's Silverlight and Oracle's Java.
Java has been especially iffy of late. Earlier this month, exploits of a critical vulnerability in the Java plug-in were found packaged in several crimeware toolkits, and while Oracle quickly patched the bug, researchers first warned that the fix was itself flawed, then claimed an important Java anti-exploit defense could be circumvented. The U.S. Computer Emergency Readiness Team (US-CERT) has recommended that browser users disable the Java plug-in until further notice.
Mozilla said the drastic step was needed to safeguard users from "drive-by" attacks, which trigger exploits as soon as a victim visits a malicious or compromised website.
The open-source developer also cited stability reasons for the move. "By only activating plug-ins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plug-ins," said Michael Coates, Mozilla's director of security assurance, in a Jan. 29 blog post.
Mozilla will be the first browser maker to disable the bulk of plug-ins by default. Chrome and Opera Software's Opera also include click-to-play, but both leave it turned off until the user enables the feature.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Internet in Computerworld's Internet Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts