Following the recent debacle of the critical Java 0-day that was being actively exploited in the wild, in an attempt to minimize its users’ attack surface Mozilla has enabled “Click To Play” for recent versions of Java on all platforms, ensuring that the Java plugin will not load unless a user specifically clicks to enable the plugin.
The security feature – first introduced with Firefox 17 late last year – was aimed at preventing outdated versions of Oracle’s Java, Adobe’s Flash Player and other popular plugins from loading automatically.
But now it seems that all plugins will soon be on the chopping block (so to speak), as Mozilla has announced its intention of enabling Click to Play for all versions of all plugins except the current version of Flash (click on the screenshot to enlarge it):
They will start by enabling Click to Play for old versions of Flash, then slowly add more recent insecure Flash versions to the list, and end with adding current versions of Silverlight, Java, and Acrobat Reader and all versions of all other plugins.
“One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on the their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website,” they explained.
The move will also add to the stability and performance of the browser, they say, and allows users to choose which plugins to run on a particular site.