January 30, 2013 report
Firefox has Click-to-Play cure for plugin plague
(Phys.org)—Mozilla this week took an important step toward strengthening, and in some cases restoring, confidence in Firefox as a class-act browser. The community issued an announcement by Mozilla's Michael Coates, director of security assurance, about Mozilla's latest move to avert plugin plagues. "Mozilla has decided that it's time to take things to the next level by disabling as many automatic plug-in activations as possible," he said, in a January 29 post.
From now on, Firefox users need to manually enable plugins on each Web page. With Click-to-Play, Firefox will load a plugin only when the user clicks to make that particular plugin play.
The "Click-to-Play" feature puts users in the driver's seat, letting them choose what they want to run and what they want to avoid. At the opposite extreme from users who never want to run plug-ins are those who may always want to allow plug-ins to run software or handle different formats; they may see plugins as less of a risk and more of a convenience for powering their videos, animation and games of choice. Mozilla said that, above all, it is the user's choice, and Click-to-Play can be configured to override Mozilla's defaults.
Nonetheless, Mozilla is changing the way Firefox loads third-party plugins because of those instances where third-party plugins present security headaches and offset Mozilla's attempts to provide the most secure browsing environment possible.
Plugins don't always update automatically, which is the problem. Before the move, Firefox automatically loaded plug-ins requested by a website. As Coates pointed out, "One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins." He added that users with outdated or vulnerable plugins are open to malware if they browse to a site equipped with a plugin exploit kit.
The latest move also addresses the pauses and crashes that third-party plugins can cause in Firefox. "By only activating plugins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plugins."
In addition to playing it safe with Click-to-Play, Mozilla has recommended that users try to make sure that their plugins are up to date. Although Mozilla is giving Flash from Adobe Systems the go-ahead by default, the user must be running the latest version, which is the only version of Flash that is allowed to run by default. If the user's version is not up to date, then Firefox will relegate it to Click-to-Play. Mozilla offers users a website to see if their plugins are current.
blog.mozilla.org/security/2013 … -control-of-plugins/
© 2013 Phys.org