Firefox Continues to Curb Out-of-Date, Flawed Third-Party Plug-ins

After pushing its “click-to-play” blacklisting function live last fall, Mozilla has announced plans to further implement the security feature in its Firefox browser.

After pushing its “click-to-play” blacklisting function live last fall, Mozilla has announced plans to further implement the security feature in its Firefox browser.

The company is planning to make it so only the most recent version of Flash is automatically run on web pages while users will have to verify if they want to view content on pages that uses plug-ins such as Silverlight, Java and Acrobat Reader.

Specifically, to protect its users, Mozilla plans to block versions of Flash older than 10.2 and the most recent versions of Silverlight, Java and Reader. Users will have to “click-to-play” to allow these plugins to work in their browser and from there, decide if they want them to run regularly.

Click-to-play operates as a blacklist of sorts for Firefox plugins. If a plug-in such as Java is either vulnerable or out of date, Firefox will disable it and require the user to verify whether they’d like to run it. When it comes to certain plug-ins, users can elect to always run them, run them on a page-by-page basis or never run them.

According to a post by Mozilla’s Director of Security Assurance Michael Coates on the company’s Security Blog yesterday, the change – which has no official timeline – is being done to get users more conscious exactly what’s running on their machines.

“Users should have the choice of what software and plug-ins run on their machine,” Coates wrote Tuesday, adding “This change puts the user in control.”

The move comes in the midst of a messy couple of weeks for Oracle in particular, whose Java product has been used as an attack vector by multiple exploit kits, resulting in a series of zero-day attacks.

Since insecure plug-ins are often the source of browser exploits, Firefox hopes the new universal click-to-play feature will be able to address and thwart any questionable Java plugins, not to mention any other vulnerable plugins before they’re able to wreak their havoc.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.