Firefox will block by default nearly all plugins
Posted on 30 January 2013.
Following the recent debacle of the critical Java 0-day that was being actively exploited in the wild, and in an attempt to minimize its users' attack surface, Mozilla has enabled "Click To Play" for recent versions of Java on all platforms, ensuring that the Java plugin will not load unless a user specifically clicks to enable it.

The security feature - first introduced with Firefox 17 late last year - was aimed at preventing outdated versions of Oracle's Java, Adobe's Flash Player and other popular plugins from loading automatically.

But now it seems that all plugins will soon be on the chopping block (so to speak), as Mozilla has announced its intention to enable Click to Play for all versions of all plugins except the current version of Flash.

They will start by enabling Click to Play for old versions of Flash, then slowly add more recent insecure Flash versions to the list, and end with adding current versions of Silverlight, Java, and Acrobat Reader and all versions of all other plugins.

"One of the most common exploitation vectors against users is drive-by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We've observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn't have any legitimate use of the plugin other than exploiting the user's vulnerable plugin to install malware on their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website," they explained.

The move will also add to the stability and performance of the browser, they say, and allows users to choose which plugins to run on a particular site.
