Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mozilla Alters Plug-in Operation to Boost Security

Mozilla is making changes to an initiative called “Click to Play“, which has been in existence since Firefox 17 was released, that prevents Firefox from automatically loading plug-ins unless the user authorizes it. The move is aimed at helping Firefox improve performance, while adding a side benefit of security.

Mozilla is making changes to an initiative called “Click to Play“, which has been in existence since Firefox 17 was released, that prevents Firefox from automatically loading plug-ins unless the user authorizes it. The move is aimed at helping Firefox improve performance, while adding a side benefit of security.

Firefox from Mozilla Logo“Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play or the user has previously configured Click To Play to always run plugins on the particular website,” explained Mozilla’s director of security assurance, Michael Coates, in a blog.

“One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit… The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website.”

Mozilla says that Click to Play will be enabled for all versions of all plugins, except current versions. Accordingly, Click to Play has already been enabled for many plugins that pose significant security or stability risks, the blog post noted – including vulnerable and outdated versions of Silverlight, Adobe Reader, and Java.

Focusing on more recent drive-by malware attacks, Mozilla has enabled Click to Play for all versions of Adobe’s Flash Player 10.2.* and below.

An example of Click to Play in action can be seen in the image below: 

Firefox Click to Play Plugins Example

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.