Mozilla is developing a feature in Firefox that would require some user interaction in order for Flash ads, Java scripts and other content that uses plugins to play. In addition to easing system slowdowns, the opt-in for Web plugins is expected to reduce threats posed by exploiting security vulnerabilities in plugins, including zero-day attacks.
“Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser,” writes Mozilla’s Jared Wein, the lead software engineer on the project, in a blog post.
The Firefox Nightly channel has an early rendition of the “click to play” permission model and instructions on how to load it for review.
One of the issues Mozilla is weighing is how best to manage settings and differentiate plugins, including content loaded over SSL, so that Web browsing is more secure but not burdensome to users, particularly if there are multiple plugins on a site or Web page. For instance, if it’s content the user views frequently, should it play automatically for up to a month after its last use as long as it is considered safe?
“Plugins are the most common source of user compromise, so not running them by default provides a defense against drive-by attacks, while still enabling them to run on sites where the user desires (YouTube, intranet, whatever),” according to the Mozilla wiki. Additionally, “plugins can be installed without user interaction or consent, causing potential security and stability issues.”
Web plugins are a hot topic at the moment because of malware like Flashback that first surfaced last fall and continues to infect machines with each iteration, most recently by exploiting a vulnerability in Java. Patches for popular operating systems running Windows and newer versions of Mac OS X are available.
Developers hope to have the new opt-in feature for Web plugins in the release of Firefox 14, currently scheduled for July 2012.