Firefox to restrict all plug-ins except latest Flash with Click to Play

Mozilla takes a stand against the rise of exploits targeting vulnerable plug-in software.
Written by Liam Tung, Contributing Writer

Mozilla is tackling drive-by download attacks by rolling out a tool to restrict, by default, all Firefox-browser plug-ins except the current version of Flash.

The "Click to Play" feature, recently included in Firefox, acts as a control gateway, determining which plug-ins can play when a website requests one to be loaded. Although plug-ins are legitimately used to display content that, for example, requires Flash, Silverlight, or Java, attackers frequently exploit flaws in un-patched versions of the products to compromise PCs.

Now, instead of automatically loading any plug-in requested by a website, Firefox users will need to deliberately click on a plug-in when a request is made; or configure Click to Play to run plug-ins on a particular website.

The control feature should help combat drive-by web attacks that exploit vulnerable versions of popular software like Adobe Flash and Java.

Mozilla's ultimate plan is to force all plug-ins except the current version of Flash through its Click to Play gateway.

"Click to Play has already been enabled for many plug-ins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java," Mozilla's director of security assurance, Michael Coates, said in a blog post on Tuesday.

Initially, Mozilla will enable Click to Play for Flash versions older than 10.2.x and add more recent insecure versions from there.

Mozilla touted Click to Play early last month as a means for Firefox users to protect themselves against attacks that exploited a zero-day flaw in Java 7u10.

The feature should help address drive-by download threats, which have become the most popular method for compromising PCs and often exploit older versions of popular software, in particular Java and Flash.

Adobe has tackled drive-by attacks against Flash by adopting Chrome-like automatic-updates under its patching procedures; however, Oracle is yet to implement similar measures for Java.

Editorial standards