Firefox to restrict all plug-ins except latest Flash with Click to Play

Summary: Mozilla takes a stand against the rise of exploits targeting vulnerable plug-in software.

Mozilla is tackling drive-by download attacks by rolling out a tool that restricts, by default, all Firefox browser plug-ins except the current version of Flash.

The "Click to Play" feature, recently included in Firefox, acts as a control gateway, determining which plug-ins can run when a website requests one to be loaded. Although plug-ins are legitimately used to display content that, for example, requires Flash, Silverlight, or Java, attackers frequently exploit flaws in unpatched versions of these products to compromise PCs.

Now, instead of automatically loading any plug-in requested by a website, Firefox users will need to deliberately click on a plug-in when a request is made, or configure Click to Play to run plug-ins on a particular website.

The control feature should help combat drive-by web attacks that exploit vulnerable versions of popular software like Adobe Flash and Java.

Mozilla's ultimate plan is to force all plug-ins except the current version of Flash through its Click to Play gateway.

"Click to Play has already been enabled for many plug-ins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java," Mozilla's director of security assurance, Michael Coates, said in a blog post on Tuesday.

Initially, Mozilla will enable Click to Play for Flash versions older than 10.2.x and add more recent insecure versions from there.
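To make the gating rule described above concrete, here is a small model of the policy written for this article; it is not Mozilla's code. It assumes the single threshold the article gives (Flash older than 10.2.x is gated, every other plug-in is always gated) and a hypothetical per-site allowlist standing in for the user's "run on this site" choice; the plug-in names and version strings in the test are constructed samples.

```python
"""Constructed model of the Click to Play gating policy described in the article."""
from typing import Dict, Iterable, Tuple

# From the article: Flash versions older than 10.2.x are routed through Click to Play.
# The (major, minor) pair below is the only threshold the article states.
FLASH_MIN_AUTOPLAY: Tuple[int, int] = (10, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.5.502.149' into (11, 5, 502, 149).

    Non-numeric characters in a component (e.g. the 'x' in '10.2.x') are dropped,
    and an empty component counts as 0, so '10.2.x' compares equal to 10.2.0.
    """
    parts = []
    for component in text.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def click_to_play_required(plugin: str, version: str) -> bool:
    """True when the plug-in must wait for an explicit user click before loading.

    Rule modelled from the article: every plug-in is gated except a current
    Flash, and Flash itself is gated when older than 10.2.x.
    """
    if "flash" in plugin.lower():
        return parse_version(version)[:2] < FLASH_MIN_AUTOPLAY
    # Java, Silverlight, Adobe Reader and anything else: always gated.
    return True


def plugin_runs_without_click(plugin: str, version: str, site: str,
                              per_site_allow: Dict[str, Iterable[str]]) -> bool:
    """Hypothetical per-site override: the user may allow a gated plug-in on one site.

    per_site_allow maps a site name to the plug-in names allowed there (assumed
    shape, not Firefox's real storage format).
    """
    if not click_to_play_required(plugin, version):
        return True
    allowed = {name.lower() for name in per_site_allow.get(site, ())}
    return plugin.lower() in allowed
```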

Mozilla touted Click to Play early last month as a means for Firefox users to protect themselves against attacks that exploited a zero-day flaw in Java 7u10.

The feature should help address drive-by download threats, which have become the most popular method for compromising PCs and often exploit older versions of popular software, in particular Java and Flash.

Adobe has tackled drive-by attacks against Flash by adopting Chrome-style automatic updates as part of its patching procedures; Oracle, however, has yet to implement similar measures for Java.

Topics: Security, Enterprise Software


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio
