Jared Wein, a Software Engineer at Mozilla, has come up with a rather clever security feature for Web browser plugins such as Flash – manual activation. The feature is currently only available in the nightly build of Firefox, but Wein expects it to be ready for Firefox 14.
The manual activation is called “click-to-play” and once it is enabled, plugins will require an additional click – or manual activation – before rendering Web content. For example, videos on YouTube will require that Flash be enabled before they would play.
“Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web… However, plugins can also carry with them extra vulnerabilities and system slowdowns,” Wein explained in a blog post.
“This is an incremental step towards securing our users, reducing memory usage, and opening up the web.”
Writing for ZDNet, researcher Dancho Danchev said that the click-to-play feature is only going to slow down the “systematic exploitation of client-side vulnerabilities, not preventing [them].”
Danchev noted that most attackers leverage social engineering as a means to get victims to a website hosting malicious content. His outline essentially boiled down to the fact that if a victim was tricked into visiting a malicious website with the promise of something in return, they will more than likely enable the click-to-play content automatically.
While one expert has his doubts, another disagrees and sees added value.
“Many drive-by exploits are invisible to the user and don’t involve any social engineering. I would argue the vast majority of what we see in Sophos Labs doesn’t involve trickery, users simply visiting the wrong blog at the wrong time,” Chester Wisniewski wrote.
“This may lead the attackers to move toward social engineering more frequently, but isn’t that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.”
No matter where one stands on the topic of click-to-play’s value to security, it’s already in development and will likely arrive with Firefox 14 as planned. So administrators should prepare for the eventuality of an added layer of protection, which could also be used as an additional attack vector in some situations.
More information is available here.
