Mozilla on Tuesday announced a massive change to the way it loads third-party plugins in Firefox. The company plans to enable Click to Play for all versions of all plugins, except the latest release of Flash.
This essentially means Firefox will soon only load third-party plugins when users click to interact with the plugin. Currently, Firefox automatically loads any plugin requested by a website, unless Mozilla has blocked it for security reasons (which it has for old versions of Java, Silverlight, and Flash).
Going forward, Mozilla will essentially be blocking all plugins except the very latest version of Flash. The company won’t say why it is exempting Adobe’s plugin, but it’s most likely because users expect their videos to play automatically (and advertisers expect their ads to load automatically).
Firefox will thus only load a plugin when you take the action of clicking to make that particular plugin play. Alternatively, you can configure Click to Play so that it always runs a plugin on a particular website.
To implement this change, Mozilla still has to do the following:
- Set Click to Play for old versions of Flash (versions <=10.2.*) and slowly add more recent insecure Flash versions to the Click to Play list (Update: This is done now, see below).
- Complete final UI work.
- Set Click to Play for current versions of Silverlight, Java, and Acrobat Reader and all versions of all other Plugins.
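The rollout above amounts to a load-policy decision per plugin instance: automatic load only for the very latest Flash, Click to Play for old Flash (versions <=10.2.*) and for everything else, with a per-site "always run" override on top. The following is an added example that models that decision; it is not Mozilla's blocklist code. The plugin names, the `LATEST_FLASH` version string and the site override table are constructed assumptions, and the `.*` wildcard handling is one reasonable reading of the "10.2.*" notation used in the article.

```python
"""Model of a Click to Play load-policy decision (added example, not Mozilla's code).

Policies:
  AUTO          - plugin loads as soon as the page requests it
  CLICK_TO_PLAY - plugin is replaced by a grey box until the user clicks it
  BLOCKED       - plugin never loads (hard blocklist entry)
"""
import re

AUTO, CLICK_TO_PLAY, BLOCKED = "auto", "click-to-play", "blocked"

# Constructed assumption: the article does not name the exempted Flash version.
LATEST_FLASH = "11.5.502.146"

# Explicit rules checked first: (plugin name, operator, version pattern, policy).
# The Flash entry is step one of the rollout described in the article; a trailing
# ".*" limits the comparison to the components before it.
BLOCKLIST = [
    ("Shockwave Flash", "<=", "10.2.*", CLICK_TO_PLAY),
]


def version_tuple(s):
    """'11.5.502.146' -> (11, 5, 502, 146); parsing stops at a '*' component and
    non-numeric parts (e.g. '0_11') keep their leading digits only."""
    parts = []
    for p in s.split("."):
        if p == "*":
            break
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version, op, pattern):
    """Compare `version` against `pattern` with `op` ('<=', '<', '>=', '>', '==').
    Only as many components as the pattern supplies are compared, so
    ('10.2.153', '<=', '10.2.*') is True and ('10.3.0', '<=', '10.2.*') is False."""
    pat = version_tuple(pattern)
    ver = version_tuple(version)[:len(pat)]
    ver = ver + (0,) * (len(pat) - len(ver))  # pad short versions with zeros
    return {
        "<=": ver <= pat, "<": ver < pat,
        ">=": ver >= pat, ">": ver > pat,
        "==": ver == pat,
    }[op]


def load_policy(plugin, version, site, overrides=None):
    """Decide how Firefox should treat `plugin`/`version` requested by `site`.

    `overrides` maps a site to the set of plugins the user chose to always run
    there (the per-site Click to Play setting).  A BLOCKED entry cannot be
    overridden; anything else the user allowed on that site loads automatically."""
    overrides = overrides or {}

    # 1. Explicit blocklist entries win over everything else.
    for name, op, pattern, policy in BLOCKLIST:
        if name == plugin and version_in_range(version, op, pattern):
            if policy == BLOCKED:
                return BLOCKED
            return AUTO if plugin in overrides.get(site, ()) else policy

    # 2. User chose "always run this plugin on this site".
    if plugin in overrides.get(site, ()):
        return AUTO

    # 3. Only the very latest Flash keeps loading automatically.
    if plugin == "Shockwave Flash" and version_in_range(version, "==", LATEST_FLASH):
        return AUTO

    # 4. Default for all versions of all other plugins.
    return CLICK_TO_PLAY


if __name__ == "__main__":
    # Constructed sample requests: (plugin, version, site)
    for req in [("Shockwave Flash", "10.2.153.1", "news.example"),
                ("Shockwave Flash", LATEST_FLASH, "news.example"),
                ("Java", "1.7.0_11", "news.example")]:
        print(req, "->", load_policy(*req))
```

The ordering matters: a blocklist match is evaluated before the per-site override so that a hard block can never be clicked through, while an old-but-not-blocked version still honours the user's "always run" choice. Adding a `BLOCKED` row to `BLOCKLIST` is all it takes to model a hard block.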
Mozilla says this new stance will help increase Firefox performance and stability, which is understandable as plugins often bog down a browser (when they are loaded and unloaded or just lead to high memory usage while browsing) or render it unusable (poorly designed third-party plugins are the number one cause of crashes in Firefox). The company is looking to significantly cut down on all of these by only loading plugins that the user wants to load.
At the same time, Mozilla says it will be providing more control over plugins to users. This is technically true (users will be able to fine-tune the behavior of each plugin per site) but it’s also a bit of a stretch (most users won’t do this).
The real reason is lumped in with all the rest: “provide significant security benefits.” After all, that’s exactly what Mozilla used Click to Play for last time; when Java exploits got out of hand earlier this month, it added all recent versions to Firefox’s blocklist.
Click to Play is very useful as a prevention mechanism against drive-by attacks targeting plugins that are known to be vulnerable, whether the lure is a video link that is almost never what it claims to be or an exploit hiding in ads on an otherwise legitimate website. Mozilla’s explanation of these scenarios is worth quoting in full:
One of the most common exploitation vectors against users is drive-by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website.
For those who are unaware, Click to Play has been available in Mozilla’s browser as of Firefox 17. Here’s what it looks like in action:
Currently, the prompt tells you that the plugin is vulnerable and thus Firefox has stopped it from loading automatically. This message will likely be updated with something more generic given that Mozilla is essentially looking to block almost all plugins from loading by default.
If there is an update available, you will be prompted to update the plugin. Either way, you will be able to use the plugin by clicking on the blocked grey box if you want to, but many will find this to be a bit of a hassle.
Mozilla would not reveal when this change will come into effect, but we can assume it will be made in the next few weeks or so. We’ll see soon enough how Firefox users react to it.
Update at 2:50PM EST: Mozilla has completed step one outlined above. The company has enabled Click to Play on old versions of the Adobe Flash Player plugin; for versions 10.2.* and lower, whenever you load a page that uses the plugin, you will see the prompt shown above. If you want to avoid this, update your Adobe Flash plugin.
Image credit: Damian Searles