Mozilla Boldly Blocks Browser Plug-Ins For Firefox

Security experts applaud new effort by browser vendor that helps protect users from silent, drive-by attacks

Firefox browser maker Mozilla turned heads this week by brazenly blocking plug-ins for its browser in a move that it says will improve both performance and security.

It will now be up to the user to enable plug-ins, such as Java, Adobe, and Silverlight, according to Mozilla director of security assurance Michael Coates, who announced the new functionality yesterday in a blog post. Mozilla's Click to Play feature will be the tool for that: "Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play, Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play, or the user has previously configured Click To Play to always run plugins on the particular website," he wrote.

Security experts were surprised by Mozilla's aggressive change-up in its browser. "For Mozilla to disable all plug-ins, that's a really bold move on their part. I welcome it," says Jeremiah Grossman, founder and CTO of WhiteHat Security. "I would not have expected them to be so gutsy."

The only exception to the default moratorium on plug-ins for Firefox is Adobe Flash Player. "Our plan is to enable Click to Play for all versions of all plug-ins except the current version of Flash," Coates says. Older versions of Flash will eventually be added to Click to Play, however, he says.

Mozilla already offers Click to Play for risky plug-ins, like Java, Adobe Reader, and Silverlight.

"Mozilla's move to make Java, Adobe PDF, and Silverlight plug-ins Click-to-Play -- that's a brave move. It should, however, help protect users of that browser against attacks silently exploiting current and future security vulnerabilities in [those] plug-ins," says Adam Gowdiak, founder and CEO of Security Explorations.

Gowdiak recently announced that he had discovered security holes that could allow an attacker to both escape Java's sandboxing protection and cheat the highest security settings in the application. His advice to users until there's a fix was to disable Java or use the "click-to-play" feature in Firefox, Chrome, and Opera browsers.

['High' and 'Very High' Java security settings won't stop attacks, researcher says. See Java Security Feature FAIL: Researcher Bypasses Java Sandbox, Security Settings.]

The barrage of attacks exploiting Java browser apps may well have been the tipping point for Firefox plug-ins, experts say.

"Three primary motivations drove our decisions with Click to Play and plug-in handling: user control, performance and stability, and security. Over the past year, we've seen vulnerabilities and exploitation in a variety of plug-ins, including Java, and these incidents have reinforced the benefits of providing the Click to Play feature," Coates told Dark Reading in a statement.

Mozilla's Coates says in his post that Click to Play will help protect users from drive-by exploits targeting plug-ins. "We've observed plug-in exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations, the website doesn't have any legitimate use of the plug-in other than exploiting the user’s vulnerable plug-in to install malware on their machine," Coates says. "The Click to Play feature protects users in these scenarios since plug-ins are not automatically loaded simply by visiting a website."

Grossman, meanwhile, says Java should be uninstalled, not just disabled. While many enterprises can't give up Java altogether due to some applications, he says, "for home users, I cannot imagine where they would need Java on websites."

He says other browser vendors could follow suit. "I could see browser vendors wanting to push everyone to HTML5, and this is one step, killing off old [browser] extensions," Grossman says.

Grossman says that while Mozilla and other major browser vendors have gradually made progress in securing users from drive-by attacks over the past few years, there is still another vector where protection is lacking: "inside-the-browser-walls attacks," he says, such as cross-site scripting, cross-site request forgery, and clickjacking.

"Those remain unaddressed for the most part," Grossman says.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

1/31/2013 | 6:41:08 PM
re: Mozilla Boldly Blocks Browser Plug-Ins For Firefox
Paragraphs 5 and 6 are inconsistent.
1/31/2013 | 6:34:25 PM
re: Mozilla Boldly Blocks Browser Plug-Ins For Firefox
I started out in the computer industry in 1980 and I can truly say that most end users are not much smarter than they were 33 years ago.