Is Mozilla's Firefox 'click-to-play' feature a sound response to drive-by malware attacks?

Summary: In an attempt to slow down drive-by malware attacks, Mozilla plans to introduce a 'click-to-play' feature in upcoming versions of its flagship Firefox browser.


According to a blog post by Mozilla software engineer Jared Wein, Mozilla plans to introduce a 'click-to-play' feature in upcoming versions of its flagship Firefox browser.

The feature -- available to NoScript users for years -- aims to blunt the systematic exploitation of browser plugins in client-side exploitation campaigns by letting end users choose whether active content loads in the first place.

A logical question emerges: is this a sound response to the currently ubiquitous exploitation of client-side vulnerabilities on end-user and corporate PCs, especially at a time when the average user is running a number of remotely exploitable third-party applications and browser plugins?

Not necessarily. How come? Pretty simple.

Basically, what Mozilla's 'click-to-play' feature really does is slow down the systematic exploitation of client-side vulnerabilities, not prevent it. On the majority of occasions, drive-by malware attacks are launched with a social engineering element in an attempt to increase the probability of a successful infection.

Cybercriminals entice end users and provoke interaction by promising something in return for clicking on the malicious link found in spamvertised emails. If the end user originally clicked on a link promising a video clip, access to personal data, a notification, or a verification email, Firefox's 'click-to-play' feature will only slow down the exploitation process, as the end user will eventually enable the active content in an attempt to reach the promised content.

Moreover, as we've seen in the past, cybercriminals are masters of visual social engineering, successfully impersonating well known brands, consumer products, and product features, such as Firefox's security alert and the SafeBrowsing initiative's warning page. It wouldn't take long before they start mimicking Mozilla's 'click-to-play' feature, offering users additional advice on enabling it in order to view the promised content.

What do you think? Is Mozilla's 'click-to-play' feature a sound response to preventing drive-by malware attacks? Or are social engineering elements embedded in these campaigns undermining the usability of Mozilla's feature?


Topics: Malware, Browser, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Yes, please Firefox!

    Still very helpful, especially restoring after Firefox crashes, but also very useful as in not wanting online videos etc to play until asked by the user! Nice One Firefox! Keep up the good work!

    As for stopping attacks, yes it can help as you often aren't sure what page will actually be displayed until it loads, and this way you can assess the risk, if any, first!
  • Should have been sooner

    This feature is in Opera and Chrome/Chromium for ages.
    In addition to added security you will get faster browsing, lower resource usage especially visible on older hardware.
  • Is Mozilla's Firefox 'click-to-play' feature a sound response to drive-by m

    This could also work as an adblock for some of those advertisements that play videos automatically.
    Loverock Davidson-
  • f/f

    A step in the right direction when i use f/f in use no script
    kind of inconvenient at times but it helps
    preferred user
    • intelligent users

      Both Internet Explorer and Outlook Express were for many years configured in such a way that the user could NOT control script execution. I abandoned both many years ago for that reason. In the end it is in the hands of the user unless you want an overbearing "babysitter" like Norton or MacAfee. I personally have used NoScript since it first came out, but there always has been the ability to prevent things from auto executing in Firefox and Thunderbird.
    • @preferred user .. small price to pay with NoScript

      [i]" ... A step in the right direction when i use f/f in use no script
      kind of inconvenient at times but it helps "[/i]

      Sure, it may be a tad inconvenient but it's really a small price to pay for what i will go on record as saying, makes the safest browsing environment of any current browser version.

      But this move by Mozilla is long overdue. I'm surprised the major browser vendors haven't implemented similar secure, counter-measures into their browsers to date.

      At any rate, i've used NoScript for over 4 years ... so the sight of click-to-play, NoScript placeholders is long past second nature to me.

      Keep up the great work Mozilla with the continuing drive toward ever secure-conscious, browser conceptualization and design.
  • Ultimately how effective

    So this Firefox update will keep cybercriminals from being able to...oh, look! A celebrity nipple slip! *CLICK*
    • Haha!

      that was right on the button.

      .. PICNIC anyone?
      • What is PICNIC

        thx-1138, please explain what you mean by PICNIC.
      • PICNIC explained

        Since I can't reply to DAS01 directly (don't know why), I'll respond here.
        PICNIC - Problem in chair, not in computer.
  • I think it would help those 'Oops' moments

    We've all had them. We see something that looks legit, but as soon as we clicked we say "How stupid of me." It would help in those moments as well as those times when you just accidentally clicked on the wrong link. It would also slow people down and a few might have second thoughts when reminded that this could be a bad idea. It's not a silver bullet, but a road bump. And road bumps may be annoying, but they do slow down traffic and prevent accidents. Of course, it does nothing to prevent stupid people from wrecking the suspension on their cars trying to jump them. Nothing will eliminate the problem but it could reduce it.
  • Possibly, Not Iron Clad

  • Who taught you guys grammar?

    "Basically, what Mozilla's 'click-to-play' feature really does, is slowing down the systematic exploitation of client-side vulnerabilities, not preventing it."

    Should be "slow down," and "not prevent it." Does nobody edit content anymore?
    • RE: Does nobody edit content anymore?

      in a word: [b]NO![/b]

      Someone high up in an ivory tower, probably determining a novel way to [i]increase shareholder value[/i], decided that proofreaders and editors were an unnecessary cost; and thus sent them packing.

      Remember, ZDNet is part of CBS these days. Need I say anything else?
      • I will take that even further

        I think the powers that be have automated software in place to replace editors and proofreaders, and they make more mistakes than they fix. (I have a hard time believing that this many professional writers are writing this badly.) An Anti-Editor! Yes, folks, it's Anti-Editor! That's right! Anti-Editing software. Brought to you at no extra charge by those jackholes in the ivory tower here at ZDNet!

        (Patent pending)
  • Since we all live in a perfect world....

    obviously there is no need for this .. oh wait.. it's an imperfect world so this step is better than nothing. It's not going to hurt and it could help.

    I see two things which might help. One is treating cyber hacking and the like to be treason against humanity, punishable by summary execution.

    The other is beyond the scope of this forum, and recognises the similarity between the hackers and the current ruling/monied classes.
    • RE:... treason against humanity, punishable by summary execution.

      After viewing those photos of the [i]Hindenburg[/i], I believe I have the `proper` method of execution.
  • In limited circumstances

    When I originally read about this, I was against it, because blocking "good" web content in the name of security by default is a bad idea. I even posted about it on the blog of the Mozilla developer that introduced the feature (msujaws). However, I then read more carefully in the Mozilla wiki and realized that Firefox is only planning to implement this by default in cases where Mozilla has identified a particular plugin as being highly exploited. So, if an outdated version of Flash Player is being used in malware campaigns, Mozilla can flip a switch, and anyone with that version will have Flash objects blocked by default. Anyone with a current version of Flash will be able to use sites without interference.

    To me, this seems like a well thought out balance between security and usability, and I applaud Mozilla for putting the user first.

    [i]Disclosure: Mozilla is one of several companies that funds the nonprofit organization I work for.[/i]
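The article describes click-to-play as letting the user decide whether active content loads, and the comment above describes the version-based side of it: a plugin release known to be exploited gets a placeholder by default, while a current release runs untouched. The following is an added illustration of that gating policy, not Mozilla's code; the blocklist format, the plugin names and version ranges, and the state names `run`, `click-to-play` and `blocked` are all constructed for this example.

```javascript
// Added example of a click-to-play gating policy (not Firefox's implementation).
// The blocklist format and state names below are constructed for illustration.

// Compare dotted version strings numerically, so "11.2.202.228" sorts after
// "11.1.102.55" and "11.2" equals "11.2.0". Missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range test on version strings.
function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Constructed blocklist: each entry names a plugin, an inclusive version range
// and the default treatment for instances of that range. 'click-to-play' means
// "show a placeholder until the user activates it"; 'blocked' means "never run".
const BLOCKLIST = [
  { plugin: 'ExampleFlash', min: '0', max: '11.1.102.999', state: 'click-to-play' },
  { plugin: 'ExampleJava', min: '10.0', max: '10.3.99', state: 'click-to-play' },
  { plugin: 'ExampleLegacyPlugin', min: '2.0', max: '2.0.3', state: 'blocked' },
];

// Decide how one plugin instance on a page should be treated.
// userActivated: whether the user has already clicked this instance's placeholder.
function decidePluginState(plugin, version, userActivated = false) {
  const entry = BLOCKLIST.find(
    (e) => e.plugin === plugin && inRange(version, e.min, e.max)
  );
  if (!entry) return 'run'; // current version: no interference
  if (entry.state === 'blocked') return 'blocked'; // a click cannot override this
  return userActivated ? 'run' : 'click-to-play'; // the user's click flips it to run
}

// Evaluate every embed on a page. Each embed is { plugin, version, userActivated }.
function evaluatePage(embeds) {
  return embeds.map((e) => ({
    plugin: e.plugin,
    version: e.version,
    state: decidePluginState(e.plugin, e.version, e.userActivated === true),
  }));
}

// Constructed sample page: an outdated plugin the user has not clicked, the same
// plugin after a click, a current release, and a hard-blocked one.
const SAMPLE_PAGE = [
  { plugin: 'ExampleFlash', version: '11.1.102.55' },
  { plugin: 'ExampleFlash', version: '11.1.102.55', userActivated: true },
  { plugin: 'ExampleFlash', version: '11.2.202.228' },
  { plugin: 'ExampleLegacyPlugin', version: '2.0.2', userActivated: true },
];

console.log(evaluatePage(SAMPLE_PAGE));
```

The second sample embed is the article's point made concrete: once the user clicks the placeholder, the outdated plugin runs exactly as it would without the feature, so a lure that persuades the user to click costs the attacker one extra step and nothing more. Only the `blocked` state, which a click cannot override, removes the social engineering path, at the cost of the usability the commenter above is worried about.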
  • You can't stop a dumb user, but...

    It will slow down the exploit and [i]maybe[/i] make a lot of people think twice about what they were clicking on.
  • "Click to Play" not sufficient by itself...

    The "click to play" feature in Firefox is good, but alone it is not sufficient. I highly recommend the following Firefox add-ons: NoScript, FlashBlock, Netcraft's anti-phishing toolbar, Request Policy (controls which cross-site requests are allowed), Better Privacy (allows deletion of so-called "supercookies") and especially WOT Web of Trust, which will often identify and initially block access to a rogue website (IF it is not completely new and is known to be bad). Also a block list for the local HOSTS can be helpful if kept up to date. All these will help the user to be informed about a website and its known reputation. However, nothing will cure flat out stupid, and the 'net user still needs to practice reasonable caution. No browser or add-on feature can give you that.
    Clif Westbrook