Mozilla pulling plug on auto-running nearly all plugins
Contributed by: Email on 01/30/2013 02:15 PM [ Comments ]
By default, Firefox will, in future, only automatically run the content of the most recent version of Flash all other plugins will default to "Click to Play". The changes, announced on Mozilla's security blog as a way to put users back in control of plugins, will increase the security and stability of Firefox.
The Mozilla announcement comes after Oracle's recent troubles securing Java, which recently culminated in Oracle's Java defenses falling to a security researcher. That researcher recommended "Click to Play" as a more appropriate defense against drive-by style attacks that exploited plugins such as Java. As plugins are one of the major sources of instability in the browser, the ability to only activate them on demand reduces the risks of rogue plugins as well. Mozilla had been working on a process-per-plugin model for Firefox, but abandoned that due to the complexity of re-architecting Firefox.
"Click to Play" was introduced in April 2012 to give users more control over when plugins such as Flash, Adobe Reader, Silverlight or Java ran in the browser. Users can elect to re-enable auto-running on a per-plugin or per-site basis. In October 2012, Mozilla added a block-list for plugins to activate "Click to Play" on unsafe plugins. This block-list already included blocks for older versions of plugins.
Now, the company is going yet another step further and setting all current versions of plugins, except for some unexplained reason the most recent version of Flash, as "Click to Play". The deployment is staged though, with more recent insecure Flash versions being blocked first, then, once a user interface is complete, "Click to Play" blocking for all current versions of Silverlight, Java and Acrobat Reader and all versions on any other plugins. No timetable has been given for when these changes will be made.
Mozilla Plugins, unlike Mozilla's Add-ons, have more direct access to the memory and process space of the browser, and flaws in plugins are generally far more exploitable. Add-ons, on the other hand, are written in java script and HTML5 and are run by the browser, making it harder to exploit any flaws in them. Speaking of Add-ons, Mozilla has also recently announced an update to the Add-on SDK with a new context menu module.
The Mozilla announcement comes after Oracle's recent troubles securing Java, which recently culminated in Oracle's Java defenses falling to a security researcher. That researcher recommended "Click to Play" as a more appropriate defense against drive-by style attacks that exploited plugins such as Java. As plugins are one of the major sources of instability in the browser, the ability to only activate them on demand reduces the risks of rogue plugins as well. Mozilla had been working on a process-per-plugin model for Firefox, but abandoned that due to the complexity of re-architecting Firefox.
"Click to Play" was introduced in April 2012 to give users more control over when plugins such as Flash, Adobe Reader, Silverlight or Java ran in the browser. Users can elect to re-enable auto-running on a per-plugin or per-site basis. In October 2012, Mozilla added a block-list for plugins to activate "Click to Play" on unsafe plugins. This block-list already included blocks for older versions of plugins.
Now, the company is going yet another step further and setting all current versions of plugins, except for some unexplained reason the most recent version of Flash, as "Click to Play". The deployment is staged though, with more recent insecure Flash versions being blocked first, then, once a user interface is complete, "Click to Play" blocking for all current versions of Silverlight, Java and Acrobat Reader and all versions on any other plugins. No timetable has been given for when these changes will be made.
Mozilla Plugins, unlike Mozilla's Add-ons, have more direct access to the memory and process space of the browser, and flaws in plugins are generally far more exploitable. Add-ons, on the other hand, are written in java script and HTML5 and are run by the browser, making it harder to exploit any flaws in them. Speaking of Add-ons, Mozilla has also recently announced an update to the Add-on SDK with a new context menu module.
Comments