Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Firefox Adds “Click-to-play” Plugin as Additional Layer of Security

Jared Wein, a Software Engineer at Mozilla, has come up with a rather clever security feature for Web browser plugins such as Flash – manual activation. The feature is currently only available in the nightly build of Firefox, but Wein expects it to be ready for Firefox 14.

The manual activation is called “click-to-play” and once it is enabled, plugins will require an additional click – or manual activation – before rendering Web content. For example, videos on YouTube will require that Flash be enabled before they would play.

Jared Wein, a Software Engineer at Mozilla, has come up with a rather clever security feature for Web browser plugins such as Flash – manual activation. The feature is currently only available in the nightly build of Firefox, but Wein expects it to be ready for Firefox 14.

The manual activation is called “click-to-play” and once it is enabled, plugins will require an additional click – or manual activation – before rendering Web content. For example, videos on YouTube will require that Flash be enabled before they would play.

“Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web… However, plugins can also carry with them extra vulnerabilities and system slowdowns,” Wein explained in a blog post.

“This is an incremental step towards securing our users, reducing memory usage, and opening up the web.”

Writing for ZDNet, researcher Dancho Danchev said that the click-to-play feature is only going to slow down the “systematic exploitation of client-side vulnerabilities, not preventing [them].”

Danchev noted that most attackers leverage social engineering as a means to get victims to a website hosting malicious content. His outline essentially boiled down to the fact that if a victim was tricked into visiting a malicious website with the promise of something in return, they will more than likely enable the click-to-play content automatically.

While one expert has his doubts, another disagrees and sees added value.

“Many drive-by exploits are invisible to the user and don’t involve any social engineering. I would argue the vast majority of what we see in Sophos Labs doesn’t involve trickery, users simply visiting the wrong blog at the wrong time,” Chester Wisniewski wrote.

“This may lead the attackers to move toward social engineering more frequently, but isn’t that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.”

No matter where one stands on the topic of click-to-play’s value to security, it’s already in development and will likely arrive with Firefox 14 as planned. So administrators should prepare for the eventuality of an added layer of protection, which could also be used as an additional attack vector in some situations.

More information is available here.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...