Mozilla Disables Plugin Autorun

Wednesday, January 30, 2013 @ 12:01 PM gHale

In the future Firefox will only automatically run the content of the most recent version of Flash; all other plugins will default to “Click to Play.”

These changes, unveiled on Mozilla’s security blog, are a way to put users back in control of plugins which should increase the security and stability of Firefox.

Chrome Update Closes Vulnerabilities
Firefox: Silent Add-ons Possible
Chrome Updated, Fixes Security Holes
Mozilla Closes Critical Holes

Mozilla came to this conclusion after Oracle’s problems securing Java, which recently culminated in Oracle’s Java defenses falling to a security researcher. That researcher recommended “Click to Play” as a more appropriate defense against drive-by style attacks that exploited plugins such as Java. As plugins are one of the major sources of instability in the browser, the ability to only activate them on demand reduces the risks of rogue plugins as well. Mozilla had been working on a process-per-plugin model for Firefox, but abandoned that due to the complexity of re-architecting Firefox.

“Click to Play” first came out in April 2012 to give users more control over when plugins such as Flash, Adobe Reader, Silverlight or Java ran in the browser. Users can elect to re-enable auto-running on a per-plugin or per-site basis. In October 2012, Mozilla added a block-list for plugins to activate “Click to Play” on unsafe plugins. This block-list already included blocks for older versions of plugins.

Now, the company is taking another security step forward and setting all current versions of plugins, except for the most recent version of Flash, as “Click to Play.” The deployment is staged though, with more recent insecure Flash versions blocked first, then, once a user interface is complete, “Click to Play” blocking for all current versions of Silverlight, Java and Acrobat Reader and all versions on any other plugins. There is no timetable for when these changes will occur.

Mozilla Plugins, unlike Mozilla’s Add-ons, have more direct access to the memory and process space of the browser, and flaws in plugins are generally far more exploitable. Add-ons, on the other hand, end up written in JavaScript and HTML5 and also run by the browser, making it harder to exploit any flaws in them.

Leave a Reply

You must be logged in to post a comment.