Attackers have been going after vulnerabilities in browser plugins and extensions for years, knowing that users are slow to update these components. Even when the browser itself is set to update automatically, third-party plugins are updated separately and need to be patched on their own. With that in mind, Mozilla has added a new feature to Firefox that will, by default, block known vulnerable versions of plugins from running.
The new feature is in the beta version of Firefox right now and works in conjunction with a blocklist of vulnerable versions of popular plugins. When a user lands on a site that requires a plugin, say Adobe Flash, and the version installed in the user’s browser is on the list of known vulnerable versions, Firefox will not run it automatically and will instead show the user a message saying that she needs to update the plugin.
The idea is to help protect users from themselves, something that security people have been trying to do for as long as there have been users.
“For instance, when browsing a reputable video sharing website, a user might feel safe enough to enable a vulnerable plugin in order to view the site’s content (in fact, the trusted site can be whitelisted using the “Always activate plugins for this site” option in the button drop-down menu). Of course, it would be best if the user upgraded the plugin to a secure version, but perhaps they can’t for one reason or another. In another scenario, they might not fully trust a site they arrive at after visiting a link sent from a friend. In this case, the blocklisted plugin would not automatically run, and the user would be protected,” David Keeler of Mozilla wrote in a blog post.
The click-to-play blocklist feature is enabled by default in the Firefox beta, but it only covers a few select plugins right now, namely Adobe Flash, Adobe Reader and Microsoft Silverlight. Users shouldn’t think of it as a complete plugin management system, however.
“At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system,” Keeler wrote.
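The decision the article describes, as an added example that is not Mozilla's code: a blocklist of vulnerable version ranges is consulted when a page needs a plugin, a match turns the plugin into click-to-play, and a per-site "Always activate" choice or an explicit click overrides the block (which is exactly why Keeler notes it does not stop a user being talked into activating it). The blocklist format, plugin names and version numbers below are constructed for illustration, not Firefox's real blocklist.

```javascript
// Constructed blocklist (not Firefox's real blocklist.xml): each entry names a
// plugin and an inclusive range of vulnerable versions. In the browser this
// list would be fetched and refreshed, not hard-coded.
const BLOCKLIST = [
  { plugin: "Shockwave Flash",    minVersion: "0", maxVersion: "11.4.402.286" },
  { plugin: "Adobe Acrobat",      minVersion: "0", maxVersion: "10.1.4" },
  { plugin: "Silverlight Plug-In", minVersion: "0", maxVersion: "4.1.10328.0" },
];

// Compare dotted version strings numerically, segment by segment, treating
// missing trailing segments as 0 ("10.1" == "10.1.0"). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls inside any blocklisted range for
// that plugin. A string comparison would get "11.10" < "11.4" wrong, hence
// the numeric compare above.
function isBlocklisted(pluginName, version) {
  return BLOCKLIST.some((e) =>
    e.plugin === pluginName &&
    compareVersions(version, e.minVersion) >= 0 &&
    compareVersions(version, e.maxVersion) <= 0);
}

// Decide what happens when a page on `site` asks for a plugin.
//   siteWhitelist  models "Always activate plugins for this site"
//   userActivated  models the user clicking the placeholder on this page
// Outcomes: "run" (not blocklisted), "click-to-play" (blocked by default,
// user is told to update), "run-vulnerable" (user overrode the block).
function decidePlugin(pluginName, version, site,
                      { siteWhitelist = new Set(), userActivated = false } = {}) {
  if (!isBlocklisted(pluginName, version)) return "run";
  if (siteWhitelist.has(site) || userActivated) return "run-vulnerable";
  return "click-to-play";
}
```

The "run-vulnerable" outcome is the gap the article's last quote describes: the blocklist only removes the drive-by case, not the case where the user chooses to activate a vulnerable plugin.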