Last week, Mozilla announced it will prompt Firefox users on Windows who have old versions of Adobe Reader, Adobe Flash, and Microsoft Silverlight installed, but declined to detail how the system will work. Today, the organization revealed that “click-to-play plugin blocks” will be on by default in Firefox 17, starting with the three aforementioned plugins (expect more to be added eventually). Furthermore, you can try out the feature for yourself now in the Firefox 17 beta for Windows, Mac, and Linux.
Essentially, Mozilla is merging the idea of click-to-play plugins (don’t load a plugin until the user clicks on it) with the concept of a blocklist (a list of add-ons and plugin versions that are disabled). The result, click-to-play blocklisted plugins, is a list of plugin versions that Mozilla deems unsafe for its Firefox users. Instead of completely disabling what’s on the list, however, the browser will prevent those plugins from running when the page loads: you’ll have to click first.
Here’s how it will look:
The prompt will tell Firefox users that the plugin is vulnerable and that it has been stopped from loading automatically. If an update is available, you will be prompted to update the plugin. Either way, you will still be able to run the plugin by clicking on the blocked grey box if you want to.
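To make the decision logic concrete, here is an added example (not Mozilla’s code, and not the real Firefox blocklist format) that models the three outcomes described above: a plugin version below a blocklisted threshold is held back until the user clicks, with an update prompt when a fixed release exists, while any version not on the list runs automatically. The blocklist entries, plugin names, and version numbers are all constructed for illustration.

```javascript
// Added example: a simplified model of a "click-to-play blocklist".
// Plugin names, blocklist entries and version numbers below are constructed
// placeholders, not real advisory data or Mozilla's blocklist format.

// Compare dotted version strings numerically, so that "11.3.300.270" sorts
// before "11.4.0.0" (a plain string compare would get "10.x" vs "9.x" wrong).
// Non-numeric tails such as "0b" are treated as their leading number.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((s) => parseInt(s, 10) || 0);
  const pb = String(b).split(".").map((s) => parseInt(s, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0; // missing components count as 0 ("1.0" == "1.0.0")
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed blocklist: which plugin (matched by name), the first version
// that is no longer considered vulnerable, and whether a fixed release exists.
const BLOCKLIST = [
  { name: /^Example Video Plugin$/, vulnerableBelow: "11.4.0.0", updateAvailable: true },
  { name: /^Example Document Viewer$/, vulnerableBelow: "10.1.4", updateAvailable: true },
  // No vendor fix exists: every version below the cap stays click-to-play.
  { name: /^Example Legacy Plugin$/, vulnerableBelow: "2.0", updateAvailable: false },
];

// Decide how one installed plugin is treated on page load:
//   "allow"                -> not blocklisted, runs automatically
//   "click-to-play-update" -> vulnerable, update available, user is prompted
//   "click-to-play"        -> vulnerable, no update, user may still click through
function classifyPlugin(plugin, blocklist = BLOCKLIST) {
  for (const entry of blocklist) {
    if (!entry.name.test(plugin.name)) continue;
    if (compareVersions(plugin.version, entry.vulnerableBelow) < 0) {
      return entry.updateAvailable ? "click-to-play-update" : "click-to-play";
    }
  }
  return "allow";
}

// Simulate a page that embeds every installed plugin. A blocked plugin only
// instantiates if the user has explicitly activated it (clicked the grey box).
function pageLoad(plugins, userActivated = new Set()) {
  return plugins.map((p) => {
    const decision = classifyPlugin(p);
    const runs = decision === "allow" || userActivated.has(p.name);
    return { name: p.name, version: p.version, decision, runs };
  });
}

// Constructed set of installed plugins, as a browser might report them.
const INSTALLED = [
  { name: "Example Video Plugin", version: "11.3.300.270" }, // old -> prompt to update
  { name: "Example Document Viewer", version: "10.2.0" },    // current -> allowed
  { name: "Example Legacy Plugin", version: "1.0.2" },       // no fix -> click-to-play
];

// First load: only the up-to-date plugin runs. After the user clicks the
// video plugin's placeholder, it runs too; the legacy plugin stays blocked.
console.log(pageLoad(INSTALLED));
console.log(pageLoad(INSTALLED, new Set(["Example Video Plugin"])));
```

Two caveats a practitioner should keep in mind: the decision is purely version-based, so a vulnerable plugin whose version is not on the list (or a plugin that misreports its version) still runs automatically, and the same name-and-version data is what exploit kits read from the browser to pick which exploit to serve.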
Additionally, if plugins are blocked on the Web page, Mozilla will feature a blue icon to the left of the address bar for more information. Here’s how it will look when opened:
Mozilla believes this is the best solution for plugins that are outdated and unsafe, or just unsafe. The company explains:
By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins. Instead of choosing between vulnerable but useful (by allowing an old plugin to run automatically) and safe but less useful (by completely disabling old plugins), click-to-play blocklisted plugins gives the user the ability to make an informed decision depending on their current activity.
As already mentioned, this feature will be enabled by default in Firefox 17. There is, however, an about:config preference “plugins.click_to_play” that can be set to true to enable click-to-play for all plugins, not just out-of-date ones. Mozilla says it is still developing this part.
While this is not an all-purpose plugin management system, it will be particularly useful as a prevention mechanism against drive-by attacks that target plugins with known vulnerabilities. Such attacks are usually hosted on sites trying to push malware and are delivered in many ways, but the two most common are a link to a “video” that is almost never what it claims to be, and malicious ads served through an otherwise legitimate website.
This feature won’t help in the scenario where users are convinced to activate a vulnerable plugin on a malicious site. In the end, the biggest security flaw is still between the computer and chair.
Image credit: Andrew Beierle