The Mozilla Security Blog reports that the company is changing the way Firefox loads third-party plugins through an updated feature called Click to Play. Thanks to this change, Firefox will only load a plugin if the user clicks on it to make it play, or if the user already configured Click to Play to activate a plugin on a particular website. This not only increases the browser's performance and stability, but makes it more secure.
"Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web," said Michael Coates, Director of Security Assurance. "This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins."
Click to Play has actually been a part of Firefox since version 17 launched in November, but Mozilla has essentially made the feature even more restrictive on plugins. Click to Play prevents plug-ins from automatically playing, but users can override the block by clicking on the grayed-out content area on the web page. This should help reduce the number of malware infections due to drive-by exploitations of unsecured, outdated plugins.
"We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware," he said. "In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on the their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website."
The plan is to block all plugins using Click to Play except for the very latest version of Flash (which on a personal note can be the biggest cause of Firefox crashes). The latest version of Flash is 11.5x for Windows 7 and older, OS X Snow Leopard, Lion and Mountain Lion (Windows 8 is using 11.3x). Firefox is now blocking versions 10.2x and older.
Once the final UI work is completed on Click to Play, current versions of Silverlight, Java, and Acrobat Reader and all versions of all other plugins will be blocked by default. During the change, Mozilla will monitor feedback regarding the new settings and UI to ensure a quality Firefox experience.
To determine if your plugins for Firefox are current, head here.