Mozilla pushed out the latest build of its flagship browser, Firefox 17, today, adding a new click-to-play blocklisting feature that will help prevent users from running out-of-date or vulnerable versions of plug-ins or extensions.
The update tweaks click-to-play in Firefox prompting users to either update or abandon old versions of software like Adobe’s Reader and Flash and Microsoft Silverlight. The browser will mark these by a click-to-play flag and not load them by default. Previous iterations of the browser allowed for opt-in activation (Firefox 14) and selective blocklisting (Firefox 16) when it comes to click-to-play, but this is the first time Firefox will block questionable plugins outright.
Firefox 17 also fixes thousands of other bugs, adds sandbox support for iframes in HTML5 and for Apple users, drops support for OS X 10.5 Leopard.
The release comes a day after Mozilla issued an update for the latest version of Firefox for Android. That release expanded support for “millions more devices,” the company claims, including those running on ARMv6 processors. The latest release also updates the browser for Android 4.2, fixes a handful of bugs and like its desktop counterpart, increases security by adding a sandbox attribute for iframes.
Mozilla announced plans for Firefox’s click-to-play feature early last month to combat the ongoing exploitation of outdated and faulty plug-ins by attackers. Mozilla’s David Keeler claimed the feature would leave otherwise unsafe plugins inactive. With the feature, “the blocklisted plugin would not automatically run, and the user would be protected,” Keeler wrote in a blog post.
Firefox 17 should also come with a new mechanism that will force some sites into using HTTPS, via HTTP Strict Transport Security (HSTS). Going forward, the preloaded list should dictate which sites the browser needs to establish a more secure connection with.