
Firefox Now Blocking All Plug-Ins Except Latest Flash

Source: Mozilla

Now you get to choose if a plugin will play on a specific website.

The Mozilla Security Blog reports that the company is changing the way Firefox loads third-party plugins through an updated feature called Click to Play. Thanks to this change, Firefox will only load a plugin if the user clicks on it to make it play, or if the user already configured Click to Play to activate a plugin on a particular website. This not only increases the browser's performance and stability, but makes it more secure.

"Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web," said Michael Coates, Director of Security Assurance. "This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins."

Click to Play has actually been a part of Firefox since version 17 launched in November, but Mozilla has essentially made the feature even more restrictive on plugins. Click to Play prevents plug-ins from automatically playing, but users can override the block by clicking on the grayed-out content area on the web page. This should help reduce the number of malware infections due to drive-by exploitations of unsecured, outdated plugins.

"We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware," he said. "In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website."

The plan is to block all plugins using Click to Play except for the very latest version of Flash (which on a personal note can be the biggest cause of Firefox crashes). The latest version of Flash is 11.5x for Windows 7 and older, OS X Snow Leopard, Lion and Mountain Lion (Windows 8 is using 11.3x). Firefox is now blocking versions 10.2x and older.

Once the final UI work is completed on Click to Play, current versions of Silverlight, Java, and Acrobat Reader and all versions of all other plugins will be blocked by default. During the change, Mozilla will monitor feedback regarding the new settings and UI to ensure a quality Firefox experience.

To determine if your plugins for Firefox are current, head here.


18 Comments
  • 1
    LuckyDucky7, January 30, 2013 11:27 PM
    That might be great, but how exactly does NoScript-by-default protect people from downloads and entities that they subsequently assume are safe (i.e. on completely legitimate sites)?
  • 4
    A Bad Day, January 30, 2013 11:49 PM
    LuckyDucky7 wrote: That might be great, but how exactly does NoScript-by-default protect people from downloads and entities that they subsequently assume are safe (i.e. on completely legitimate sites)?

    If you've done everything you can, then it's up to the website admin to maintain the website. For example, MS can do its best to secure its OSes, but it's up to the users to not act like idiots.
  • -5
    sykozis, January 31, 2013 12:31 AM
    So, we inconvenience the user....for the sake of security.... Why don't they just stop releasing new browser "versions" now while people still have fond memories of Firefox....
  • 6
    A Bad Day, January 31, 2013 1:02 AM
    sykozis wrote: So, we inconvenience the user....for the sake of security.... Why don't they just stop releasing new browser "versions" now while people still have fond memories of Firefox....

    Tell that to Google.
  • 0
    tpi2007, January 31, 2013 1:12 AM
    One useful feature that IE has and that I'd like for Firefox to implement is a benchmark of how much time each plug-in adds to the start-up time of the browser. But, if possible, I'd like even more, I'd like to know what the impact of each plug-in is when loading a web page; the ability to perform this benchmark on demand, so you can appreciate the impact of the plug-ins on different websites would be ideal.
  • -4
    pythy, January 31, 2013 1:19 AM
    I don't get it. If a user can pre-configure Click to Play on a trusted website to load plugins automatically, what happens if that "legitimate" website gets compromised? Does Click to Play have a way to tell whether a site has been compromised? If not, then what's the point of all this?
  • 5
    Anonymous, January 31, 2013 1:44 AM
    If a "legitimate" website gets compromised, and you told your browser to always load whatever comes from this website because you, as a user, trust it implicitly, then you will get owned. Period. You told Firefox that you want it to load whatever this website gives you and not question it. What's the solution? Don't tell your browser to implicitly trust ANY website. All websites are susceptible to getting hacked. Why would you lower the barrier for hackers by telling your browser to ignore its built-in safeguards?

    This is something Mozilla should have done a long time ago, and I welcome this change. If users don't "get it", or think this is too much of a nuisance, then go back to IE or Safari and enjoy getting owned with the rest of those users.
  • -5
    jackt, January 31, 2013 3:27 AM
    Firefox gonna lose share being security paranoid, stuff like this and the https ...
  • 1
    webbwbb, January 31, 2013 3:28 AM
    I wonder how long it will be until they get sued by a patent troll who claims Mozilla stole their "invention". I seem to remember IE once having a similar feature that Microsoft subsequently removed for this very reason..
  • 1
    digiex, January 31, 2013 3:50 AM
    Many casual not "tech savvy" users can't comprehend these changes.
  • 2
    xpeh, January 31, 2013 4:08 AM
    digiex wrote: Many casual not "tech savvy" users can't comprehend these changes.

    Grey space and a button that says "Play." If those people don't know what to do, then those people shouldn't be using the internet.

    jackt wrote: Firefox gonna lose share being security paranoid, stuff like this and the https ...

    I think it would gain market share instead. Not only is it more secure, it's going to be faster because it doesn't load the plugins.

    sykozis wrote: So, we inconvenience the user....for the sake of security.... Why don't they just stop releasing new browser "versions" now while people still have fond memories of Firefox....

    I find it a convenience. Most casual users use Chrome.
  • 1
    spectrewind, January 31, 2013 5:32 AM
    digiex wrote: Many casual not "tech savvy" users can't comprehend these changes.

    Actually, you're correct. This feature fails the "grandma test". A lot of the techies in here will not recognize that (hence the - votes you receive). Most users are more concerned with usability than security. Moreover, even after getting their computers hacked, I have still seen them remain this way.

    The casual user will not see this as a feature. They will see it as a roadblock of just one more thing that doesn't work as they expect it (per their experience) to. Too many things to left click on... Or octuple right click on... etc.
  • -4
    martel80, January 31, 2013 5:52 AM
    Does it mean that I will have to explicitly enable adblock and flashblock for each site? I guess I'm going to disable the FF auto-updates until they wake up.
  • 0
    trumpeter1994, January 31, 2013 5:54 AM
    So when is this more serious implementation of the feature gonna get rolled out, say it was in FF17 and I'm running 18 right now
  • 0
    juan83, January 31, 2013 12:31 PM
    Since I've installed adblock plus, I just don't remember when was the last time I saw firefox crash.

    And thanks to that the days of the annoying ads which play loud sounds are over, and the CPU utilization is pretty lower as well as memory consumption. At least, using Linux I saw this very helpful. And my laptop with an old dual core, the CPU responsiveness improved a lot and also works cooler than before when ads put a burden bigger than 50% of CPU.
  • 0
    susyque747, January 31, 2013 1:13 PM
    What about Ubuntu? Firefox is the default browser for it.
  • 1
    john15v16, January 31, 2013 2:28 PM
    Look, I'm all for security but the "Fix" for this issue is NOT the plugins...the issue is Mozilla's browser sandbox model and how it handles access requests...blocking plugins by default degrades the user's experience and adds an extra step (or maybe two) to view the web as it is designed...that's the easy way out Mozilla, block everything cause you're too lazy or it takes too much time and $$$ to get the sandbox right...
  • 0
    tarzan2001, February 1, 2013 8:07 PM
    Well, hopefully this feature will at least prevent those annoying auto-play ads (with sound) for users that don't have AdBlock Plus installed. :) 