Firefox to default all plug-ins to Click to Play--with exception of Flash
To tackle the problem of drive-by download attacks, Mozilla earlier this week announced a complete change in how the Firefox browser will deal with third-party plug-ins. In a nutshell, Mozilla plans to enable its Click to Play feature for all versions of plug-ins, with the exception of the latest version of Flash.
This means that Firefox will block plug-ins, such as Java and Silverlight, by default, loading them only when users click to load a particular plug-in. This is a reversal from the previous situation where Firefox would automatically load any plug-in requested by a website.
The move offers significant security benefits given that one of the most common attack vectors is drive-by downloads designed to target vulnerable plug-ins. The move is also expected to result in increased performance and stability, by eliminating the pauses, crashes and other consequences of downloading unwanted plug-ins.
Mozilla's director of security assurance, Michael Coates, elaborated: "Poorly designed third party plug-ins are the number one cause of crashes in Firefox and can severely degrade a user's experience on the web. This is often seen in pauses while plug-ins are loaded and unloaded, high memory usage while browsing and many unexpected crashes of Firefox."
At the moment, Click to Play has already been enabled for many plug-ins, including vulnerable and outdated versions of Silverlight, Adobe Reader, and Java. The eventual plan is to enable Click to Play for all versions of all plug-ins, except the current version of Flash, Coates says.