Firefox to restrict all plug-ins except latest Flash with Click to Play

Mozilla takes a stand against the rise of exploits targeting vulnerable plug-in software.

Mozilla is tackling drive-by download attacks by rolling out a tool to restrict, by default, all Firefox-browser plug-ins except the current version of Flash.

The "Click to Play" feature, recently included in Firefox, acts as a control gateway, determining which plug-ins can run when a website requests one to be loaded. Although plug-ins are legitimately used to display content that, for example, requires Flash, Silverlight, or Java, attackers frequently exploit flaws in unpatched versions of these products to compromise PCs.


Now, instead of automatically loading any plug-in requested by a website, Firefox users will need to deliberately click on a plug-in when a request is made, or configure Click to Play to run plug-ins on a particular website.

The control feature should help combat drive-by web attacks that exploit vulnerable versions of popular software like Adobe Flash and Java.

Mozilla's ultimate plan is to force all plug-ins except the current version of Flash through its Click to Play gateway.

"Click to Play has already been enabled for many plug-ins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java," Mozilla's director of security assurance, Michael Coates, said in a blog post on Tuesday.

Initially, Mozilla will enable Click to Play for Flash versions older than 10.2.x and add more recent insecure versions from there.

Mozilla touted Click to Play early last month as a means for Firefox users to protect themselves against attacks that exploited a zero-day flaw in Java 7u10.

The feature should help address drive-by download threats, which have become the most popular method for compromising PCs and often exploit older versions of popular software, in particular Java and Flash.

Adobe has tackled drive-by attacks against Flash by adopting Chrome-like automatic updates as part of its patching procedures; however, Oracle is yet to implement similar measures for Java.
