nsane.forums
Posted January 30, 2013

Cites security, stability reasons for move to turn on 'click-to-play' for all but the latest Flash

Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player, citing security and stability reasons for the move.

The feature, called "click-to-play," has been part of Firefox since version 17, which launched last November, but Mozilla will restrict plug-ins even further going forward. By default, click-to-play bars plug-in play, but users can override the block by clicking any grayed-out content area on a Web page. The technique has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins, particularly the Java browser plug-in.

Previously, Firefox's click-to-play only kicked in for those plug-ins that Mozilla determined were unsafe or seriously out of date. (The company posts a list of those plug-ins here.)

As of Tuesday, Firefox also blocked versions 10.2.x and older of Flash Player, the first step toward the goal of barring virtually all plug-ins. The current version of Flash Player is 11.5.x on OS X Snow Leopard, Lion and Mountain Lion, and on all editions of Windows with the exception of Windows 8, where the most up-to-date is 11.3.x. OS X Tiger and Leopard's current Flash is version 10.3.x.

Although Mozilla did not define a timeline, it will soon block all plug-ins other than the latest version of Flash. The block will include up-to-date versions of popular plug-ins such as Adobe's Acrobat Reader, Microsoft's Silverlight and Oracle's Java.

Java has been especially iffy of late.
Earlier this month, exploits of a critical vulnerability in the Java plug-in were found packaged in several crimeware toolkits, and while Oracle quickly patched the bug, researchers first warned that the fix was itself flawed, then claimed an important Java anti-exploit defense could be circumvented. The U.S. Computer Emergency Readiness Team (US-CERT) has recommended that browser users disable the Java plug-in until further notice.

Mozilla said the drastic step was needed to safeguard users from "drive-by" attacks, which trigger exploits as soon as a victim visits a malicious or compromised website.

The open-source developer also cited stability reasons for the move. "By only activating plug-ins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plug-ins," said Michael Coates, Mozilla's director of security assurance, in a Jan. 29 blog post.

Mozilla will be the first browser maker to disable the bulk of plug-ins by default. Chrome and Opera Software's Opera also include click-to-play, but both leave it turned off until the user enables the feature.

Firefox will soon automatically block all plug-ins -- except for the newest version of Adobe's Flash Player -- to improve browser security and stability. (Image: Mozilla.)

View: Original Article
DKT27 (Administrator)
Posted January 30, 2013

Mozilla takes drastic step to automatically block virtually all plug-ins in Firefox

By default, people who want to use plug-ins with Mozilla's browser will have to manually enable them on each Web page. The reason: better security and performance.

To improve security and cut crashes, Firefox will block plug-ins including Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java, Mozilla said. Only the newest version of Adobe Systems' Flash Player will be run by default, said Michael Coates, Mozilla's director of security assurance, in a blog post yesterday.

Plug-ins extend a browser's ability to run software or handle different media and file formats, but that extra ability opens new avenues for attack. They've been a staple of Web development for years, but browser makers are working hard to reproduce their abilities directly with Web standards that don't require plug-ins.

Firefox will disable the execution of non-Flash plug-ins by default with a feature called Click to Play that lets people run each plug-in on a particular Web page if they choose. Click to Play can be configured to override Mozilla's defaults, letting people set it to always or never run a particular plug-in.

Coates explained Mozilla's rationale this way:

Poorly designed third-party plug-ins are the No. 1 cause of crashes in Firefox and can severely degrade a user's experience on the Web. This is often seen in pauses while plug-ins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox... One of the most common exploitation vectors against users is drive-by exploitation of vulnerable plug-ins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plug-in exploit kit.
We've observed plug-in exploit kits to be present on both malicious Web sites and also otherwise completely legitimate Web sites that have been compromised and are unknowingly infecting visitors with malware.

View: Original Article