Firefox to restrict all plug-ins except latest Flash with Click to Play


Summary: Mozilla takes a stand against the rise of exploits targeting vulnerable plug-in software.

TOPICS: Security, Browser

Mozilla is tackling drive-by download attacks by rolling out a tool to restrict, by default, all Firefox-browser plug-ins except the current version of Flash.

The "Click to Play" feature, recently included in Firefox, acts as a control gateway, determining which plug-ins can play when a website requests one to be loaded. Although plug-ins are legitimately used to display content that, for example, requires Flash, Silverlight, or Java, attackers frequently exploit flaws in unpatched versions of those products to compromise PCs.

Now, instead of automatically loading any plug-in requested by a website, Firefox users will need to deliberately click on a plug-in when a request is made, or configure Click to Play to run plug-ins on a particular website.

The control feature should help combat drive-by web attacks that exploit vulnerable versions of popular software like Adobe Flash and Java.

Mozilla's ultimate plan is to force all plug-ins except the current version of Flash through its Click to Play gateway.

"Click to Play has already been enabled for many plug-ins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java," Mozilla's director of security assurance, Michael Coates, said in a blog post on Tuesday.

Initially, Mozilla will enable Click to Play for Flash versions older than 10.2.x and add more recent insecure versions from there.
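As an added illustration, and not Mozilla's code or Firefox's actual implementation, the following JavaScript models the gating decision described above: every plug-in goes through a click-to-play gate unless a policy table marks its version as allowed to load automatically, and a per-site allow list covers plug-ins the user has chosen to run on a particular website. The policy table, version strings, site names and function names are constructed for this example; the only value taken from the article is the Flash threshold of 10.2.x.

```javascript
// Illustrative model of a Click-to-Play style plug-in gate (added example,
// not Mozilla's code). Policy table, versions and site names are constructed.

// Parse a dotted version string such as "10.2.153" into an array of integers.
// Non-numeric fragments (e.g. the "u" in Java's "7u10") fall back to 0.
function parseVersion(v) {
  return String(v).split(".").map(p => parseInt(p, 10) || 0);
}

// Compare two dotted versions component by component.
// Returns < 0 if a is older than b, 0 if equal, > 0 if a is newer.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed policy table. "minAutoplay" is the oldest version allowed to load
// without a click; null means every version of that plug-in is gated.
// Flash older than 10.2.x is gated, matching the threshold the article quotes.
const POLICY = {
  "Shockwave Flash": { minAutoplay: "10.2" },
  "Java":            { minAutoplay: null },
  "Silverlight":     { minAutoplay: null },
  "Adobe Reader":    { minAutoplay: null },
};

// Decide how a plug-in request should be handled.
//   plugin        - plug-in name as reported by the browser
//   version       - installed version string
//   site          - hostname of the page making the request
//   siteAllowList - Set of "site|plugin" keys the user has approved (constructed)
// Returns "autoplay", "autoplay-site-allowed" or "click-to-play".
function decide(plugin, version, site, siteAllowList = new Set()) {
  const rule = POLICY[plugin];
  // Plug-ins with no rule are treated like everything except current Flash: gated.
  if (!rule) return "click-to-play";
  if (rule.minAutoplay !== null &&
      compareVersions(version, rule.minAutoplay) >= 0) {
    return "autoplay";
  }
  // The user may have chosen to run this plug-in on this particular website.
  if (siteAllowList.has(`${site}|${plugin}`)) return "autoplay-site-allowed";
  return "click-to-play";
}

// Constructed sample requests, as a browser might see them.
const allowed = new Set(["intranet.example|Java"]);
console.log(decide("Shockwave Flash", "10.1.102", "example.com"));          // click-to-play
console.log(decide("Shockwave Flash", "11.5.502", "example.com"));          // autoplay
console.log(decide("Java", "7u10", "example.com"));                         // click-to-play
console.log(decide("Java", "7u10", "intranet.example", allowed));           // autoplay-site-allowed
```

The version comparison is the part worth getting right: a naive string comparison would rank "10.10" below "10.2", so any version-based gate needs numeric, component-wise ordering before it decides whether a plug-in counts as current.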

Mozilla touted Click to Play early last month as a means for Firefox users to protect themselves against attacks that exploited a zero-day flaw in Java 7u10.

The feature should help address drive-by download threats, which have become the most popular method for compromising PCs and often exploit older versions of popular software, in particular Java and Flash.

Adobe has tackled drive-by attacks against Flash by adopting Chrome-like automatic updates in its patching procedures; however, Oracle is yet to implement similar measures for Java.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.



  • Use IE10

    IE10 is the safest browser with tracking protection and privacy. Any browser associated with Google is a no-go area. Firefox gets a $300 million check from Google, but at what cost to Mozilla and user privacy?
    • You got bigger problems than Google

      FISAAA sound familiar?
      Little Old Man
      • Yes, but...

        ...if he didn't demonize Google, he'd be calling Steve Ballmer a liar.
        John L. Ries
    • A Few Things

      1. When IE10 is cross-platform, I'll consider it.
      2. If it's closed source, how do you know it's safe?
      3. Since the bug tracker is kept secret, how do you know it's safe?
      4. Firefox gets money for making Google search the default search engine in Firefox. What sinister conspiracy are you imagining goes on?
      5. Did I mention Firefox is OPEN SOURCE? There can't be a sinister conspiracy by definition!
      6. For the millionth time, unless you're Oprah or Justin Bieber, no one cares about you. There's no one out there interested in personally identifiable information about you. To Google you're just an anonymous search history and to Amazon you're just an unidentifiable id number associated with a product basket. No human will ever even look at this data.
      • Well,

        I agree with all comments but #6. I don't care about Oprah or Justin Bieber.
    • Well...

      IE is the only browser that doesn't allow you to easily disable the Java plug-in - you can disable it, but it still runs unless you clean out a bunch of registry entries. For the average user, the only way to protect yourself from the current Java exploits is to uninstall Java - if you use IE. If you have apps that need Java, too bad.

      IE the safest? I don't think so!
  • The following aliases

    Owll1net, Will Farrell, Loverock Davidson are all Microsoft-paid liars and manipulators.
    • Have I been kicked out then?

      I never know whether I'm in the club or not.
      Little Old Man
    • I thought....

      ...they were just obnoxious trolls?
      • Trolls Gotta Eat Too

        Just saying.

        If the troll is on every day, and quickly after the blog posts, then you know they are paid for what they do.

        The rest of us have to work sometime.
    • And how do you know this?

      Are you a former co-worker of theirs?
      John L. Ries
      • Try asking them if they get paid to post and see if you get an answer

        There are others on these comment boards that appear to be paid by Microsoft too.
        K B
  • did you mean with _illusory_ tracking protection?

    last i heard, the "do not track" flag is being ignored by most, if not all, ad networks. when it comes to IE anyway
    • Yes, but

      at least MS is taking the right step toward end-user privacy. What does this say about Google and the ad companies they get cozy with?

      IE 10 has been doing this since day 1 and it's only a matter of time before others jump aboard. We shouldn't be forced into exposure to corporations if we don't want to be! Freedom of choice is a good thing!
      • you can only call it the right step

        if it actually improves your privacy. as things stand now, it actually made it worse. because now you simply have no way of benefiting from the flag, because MS in their PR stance made the flag completely useless

        they have achieved their PR goals, though.
        • Sorry, But

          I don't often agree with Microsoft, but, in this particular area, they are right.

          For personal data, Opt Out is a bad idea. Opt In should be the required standard for all except Government Services. Even then, it should not be universal. It's a question of personal rights.
      • Freedom of Choice???

        I do agree they shouldn't be tracking (or able to track) unless you opt in, but freedom of choice??? Microsoft??? Take a look at Windows 8 and then tell me they left you with freedom of choice. I am still hoping they pull their heads out of that dark place and go back to improving Windows 7....the best OS currently available. If not, as much as I hate to say it, I will be moving to something else in the future.
    • agree, but incomplete

      The DoNotTrack is useless in any browser. The tracking protection lists, however, are another story. You can effectively block almost all outgoing trackers, beacons etc. There is even a separate list that keeps up on all the Google analytics IPs. There are a number of different lists so you can choose your level of protection.
      • useless, but not completely

        seems that some networks honor it, if you are not using IE. at least when I turned it on in FF I immediately noticed that ads have become random. and the reason I turned it on in the first place was that I just got fed up with the ads about the things I just looked at on Amazon. in IE those ads are still following me from one site to another.

        Speaking of which, I wonder how Amazon manages to always remain in the shadow when it comes to privacy. They are the ones who supply my shopping habits straight to ad networks.

        As for blocking trackers, it can be done in FF just as easily by installing adblock... in addition to the flag
        • What?

          "when I turned it on in FF I immediately noticed that ads have become random"

          Why aren't you using AdBlock Plus? Then you don't have to see any ads.