Firefox 26 bumps up security by letting users screen plug-ins


Summary: The latest release of the Firefox web browser boosts browser security and stability by blocking Java software component plug-ins from loading by default.


The latest version of the Firefox web browser is available, introducing new features that improve security and performance.

Firefox 26 will be available to download from the Firefox web page later today and is already available via Mozilla's FTP server.


In an attempt to improve both security and stability, Java plug-in software components will not load by default. 

Sections of a site that require a Java plug-in will need user approval before loading. Approval is given by clicking the part of the page where the plug-in is embedded or an icon in the browser address bar.

By blocking Java plug-ins, Mozilla hopes to reduce the risk of users being attacked via exploits of vulnerabilities in plug-in code or of plug-in software causing instabilities in the browser. Mozilla will continue to use the Beta version of Firefox to test a Click to Play feature that would block a wider range of software plug-ins by default.

Users can disable or enable plug-ins via a menu available by typing "about:addons" in the address bar. 

The Mozilla Maintenance Service will also now be able to update Firefox when the user does not have system administrator rights, specifically permission to write to the directory Firefox is installed in.

In another boost to security, Firefox Password Manager now supports script-generated password fields.

Mozilla has also improved support for web page Content Security Policy, which limits which third parties can run scripts, apply CSS styles and load other content on that page. The browser now supports multiple policies.
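How the multiple-policy support mentioned above behaves, as an added example that is not from the article or from Mozilla's code: each delivered policy is enforced independently, so a load must pass every one of them. The matcher is a simplified model (only `'self'`, `*`, scheme sources and exact origins), and the header values and origins are constructed.

```javascript
// Added example: simplified model of CSP enforcement with multiple policies.
// Not the browser's full source-matching algorithm; sample values are constructed.

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.endsWith(':')) return url.protocol === source.toLowerCase(); // e.g. "https:"
  // Exact-origin sources only; 'none' and unsupported forms fail to parse and never match.
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

function policyAllows(policy, directive, url, pageOrigin) {
  // Fetch directives fall back to default-src when absent.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // this policy does not restrict the type
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// A load is permitted only if every delivered policy permits it,
// so adding a second policy can tighten the result but never loosen it.
function allowedByAll(headers, directive, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  return headers.map(parsePolicy)
    .every((p) => policyAllows(p, directive, url, pageOrigin));
}

// Constructed sample: two Content-Security-Policy headers on one response.
const PAGE_ORIGIN = 'https://app.example';
const HEADERS = [
  "default-src 'self'; script-src 'self' https://cdn.example",
  "script-src 'self'",
];
console.log(allowedByAll(HEADERS, 'script-src', 'https://cdn.example/lib.js', PAGE_ORIGIN));
```

The CDN script passes the first policy alone but is refused once the second, stricter policy is delivered alongside it.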

Features and performance

Firefox 26 allows H.264 encoded video to be played on a Linux system if the appropriate GStreamer plug-ins are installed and adds support for MP3 audio decoding on Windows XP.

Page loading times should improve because the browser no longer decodes images that aren't visible, and standalone JPEG images will use EXIF information to display in their correct orientation.

Developer changes

The release continues to implement support for ECMAScript 6, introducing compliant syntax for Generators (yield) and a new mathematical method, Math.fround(), which returns the nearest single-precision float representation of a number.

The release also changes various CSS and HTML properties and adds features and fixes to the browser's APIs.

Firefox Inspector is also now remotely accessible over a network.

A full list of developer changes can be found here.



Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

  • Stupid proof browsers?

    Do we have to make stupid proof browsers these days? I guess we do, because the end user can't tell a rogue plugin from a real one. I guess if you need that so be it.
    • Yes.

      As long as there are stupid people using these browsers, there will be the need to stupid-proof the browsers they use.

      And that means stupid-proofing all of them, because the stupid people never think of themselves as stupid people, and will want to use the unlocked smart-people's browsers! ;)
      D. W. Bierbaum
    • Agreed

      There are plenty of stupid people who insist on using IE
      Alan Smithie
    • Why is this field required?

      Moreover, is this going to be like the old IE6 days, where we're going to be prompted to allow some plugin on every damn site we visit? (Remember the old Active X popup dialog, pre XP SP2?)
    • So enlighten the dumb masses

      How would you explain a rogue plugin to your mother or grandfather? How do you explain to them that Firefox may have "rogue plugins" after you told them to move from IE to Firefox? Enlighten us, oh small one.
  • The pop-ups and update notices are there for a reason.

    Firefox or Java have new security updates? Why bother? Just hit "ignore". It would just take up some of my social network bandwidth. Windows might nag me to reboot. I might have to close the browser and re-open all of my tabs.
    I'm one of the people that hear those arguments quite often, usually while explaining to people why their computer crashes or slows to a crawl, and they get 150 spam-mails a day.
    People might whine when a browser requires the user to approve an action, but how many of those people's boxes have been saved by causing the user to question what a website might want to run?
    • And the answers to these questions you provide

  • ...and the crapware and slowdownware?

    Many domestic users may be much more bothered by polluting software, including for example various toolbars that are designed to be very hard to uninstall. Many of us rely on free software downloaded from the web, and the generous providers are increasingly being hijacked by criminal sites. These sites are a major economic drain on users because of the time they waste. They have at least the tacit approval of the World's communications spying agencies; otherwise they would have been obliterated years ago.
    Daddy Tadpole
  • Flash by default?!

    That's the *one* plugin everyone wishes would *not* be loaded by default! The advertising money has bought this verdict, it seems.