Mozilla Weighing Opt-In Requirement for Web Plugins

Mozilla is developing a feature in Firefox that would require some user interaction in order for Flash ads, Java scripts and other content that uses plugins to play. In addition to easing system slowdowns, the opt-in for Web plugins is expected to reduce threats posed by exploiting security vulnerabilities in plugins, including zero-day attacks.

“Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser,” writes Mozilla’s Jared Wein, the lead software engineer on the project, in a blog post.

The Firefox Nightly channel has an early rendition of the “click to play” permission model and instructions on how to load it for review.

Currently there are Firefox add-ons that do something similar, such as the NoScript extension, which blocks JavaScript, Java, Flash, Silverlight and other content by default, and Flashblock, which requires a user to click on a static image before the plugin can load. But as of yet, no Web browser does it by default.

One of the issues Mozilla is weighing is how best to manage settings and differentiate plugins, including content loaded over SSL, so that Web browsing is more secure but not burdensome to users, particularly if there are multiple plugins on a site or Web page. For instance, if it’s content the user views frequently, should it play automatically for up to a month after its last use as long as it is considered safe?

“Plugins are the most common source of user compromise, so not running them by default provides a defense against drive-by attacks, while still enabling them to run on sites where the user desires (YouTube, intranet, whatever),” according to the Mozilla wiki. Additionally, “plugins can be installed without user interaction or consent, causing potential security and stability issues.”

Web plugins are a hot topic at the moment because of malware like Flashback that first surfaced last fall and continues to infect machines with each iteration, most recently by exploiting a vulnerability in Java. Patches are available for systems running Windows and newer versions of Mac OS X.

Developers hope to have the new opt-in feature for Web plugins in the release of Firefox 14, currently scheduled for July 2012.

Discussion

  • Anonymous on

    You mean like integrating NoScript into Firefox? Jesus, I never thought I'd see the day. I've been called crazy, insane and paranoid for telling people it's fscking stupid to run around websites with your scripts hanging out hoping no psycho witch with a box cutter will cut them off. So I kept clicking my "Temp allow" button only on trusted sites if I needed and guess what? No Flashfreek has got a hold of my testies, but she got a hold of 600,000 others, hahahahaha! And what's this that apx 20% of Mac users are on 10.5/10.4 and not getting their Java or security updates from Mr. Cupertino? Take him to the cleaners!!
  • Anonymous on

    Maybe you should switch to decaf.

  • Anonymous on

    NoScript is a great add-on. It's always the first thing I install on a new installation of Firefox for people and show them how to use it. The thing is, most people don't like to click "Allow Temporarily", which kind of defeats the purpose. After a few trojans hit them though, they start learning.

    Web site developers should just stop using scripts altogether. I don't really care much if the menu pops out and goes down, just give me a link to where I want to go on the site.
