Security experts applaud new effort by browser vendor that helps protect users from silent, drive-by attacks

Firefox browser maker Mozilla turned heads this week by brazenly blocking plug-ins for its browser in a move that it says will improve both performance and security.

It will now be up to the user to enable plug-ins such as Java, Adobe Reader, and Silverlight, according to Mozilla director of security assurance Michael Coates, who announced the new functionality yesterday in a blog post. Mozilla's Click to Play feature will be the tool for that: "Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play, Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play, or the user has previously configured Click To Play to always run plugins on the particular website," he wrote.

Security experts were surprised by Mozilla's aggressive change-up in its browser. "For Mozilla to disable all plug-ins, that's a really bold move on their part. I welcome it," says Jeremiah Grossman, founder and CTO of WhiteHat Security. "I would not have expected them to be so gutsy."

The only exception to the default moratorium on plug-ins for Firefox is Adobe Flash Player. "Our plan is to enable Click to Play for all versions of all plug-ins except the current version of Flash," Coates says. Older versions of Flash will eventually be added to Click to Play, however, he says.

Mozilla already offers Click to Play for risky plug-ins, like Java, Adobe Reader, and Silverlight.

"Mozilla's move to make Java, Adobe PDF, and Silverlight plug-ins Click-to-Play -- that's a brave move. It should, however, help protect users of that browser against attacks silently exploiting current and future security vulnerabilities in [those] plug-ins," says Adam Gowdiak, founder and CEO of Security Explorations.

Gowdiak recently announced that he had discovered security holes that could allow an attacker to both escape Java's sandboxing protection and cheat the highest security settings in the application. His advice to users until there's a fix was to disable Java or use the "click-to-play" feature in Firefox, Chrome, and Opera browsers.

['High' and 'Very High' Java security settings won't stop attacks, researcher says. See Java Security Feature FAIL: Researcher Bypasses Java Sandbox, Security Settings.]

The barrage of attacks exploiting the Java browser plug-in may well have been the tipping point for Mozilla's decision on Firefox plug-ins, experts say.

"Three primary motivations drove our decisions with Click to Play and plug-in handling: user control, performance and stability, and security. Over the past year, we've seen vulnerabilities and exploitation in a variety of plug-ins, including Java, and these incidents have reinforced the benefits of providing the Click to Play feature," Coates told Dark Reading in a statement.

Mozilla's Coates says in his post that Click to Play will help protect users from drive-by exploits targeting plug-ins. "We've observed plug-in exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations, the website doesn't have any legitimate use of the plug-in other than exploiting the user’s vulnerable plug-in to install malware on their machine," Coates says. "The Click to Play feature protects users in these scenarios since plug-ins are not automatically loaded simply by visiting a website."

Grossman, meanwhile, says Java should be uninstalled, not just disabled. While many enterprises can't give up Java altogether due to some applications, he says, "for home users, I cannot imagine where they would need Java on websites."

He says other browser vendors could follow suit. "I could see browser vendors wanting to push everyone to HTML5, and this is one step, killing off old [browser] extensions," Grossman says.

Grossman says that while Mozilla and other major browser vendors have gradually made progress in protecting users from drive-by attacks over the past few years, another class of attack still goes largely unaddressed: "inside-the-browser-walls attacks," he says, such as cross-site scripting, cross-site request forgery, and clickjacking.

"Those remain unaddressed for the most part," Grossman says.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

