Firefox 26 blocks Java plugins by default

Mozilla has released Firefox 26, which ships fourteen security advisories: five rated critical, three high, three moderate, and three low.

All Java plug-ins now default to ‘click to play’, so a Java applet does not run until the user explicitly activates it for that site, which is a welcome security addition.

Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla commented: “When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page.”

The password manager now supports script-generated password fields, and Windows users without write permission to the Firefox install directory can now receive updates (this requires the Mozilla Maintenance Service).

Here’s a complete list of security fixes:

  • Mis-issued ANSSI/DCSSI certificate
  • JPEG information leak
  • GetElementIC typed array stubs can be generated outside observed typesets
  • Use-after-free in synthetic mouse movement
  • Trust settings for built-in roots ignored during EV certificate validation
  • Linux clipboard information disclosure through selection paste
  • Segmentation violation when replacing ordered list elements
  • Potential overflow in JavaScript binary search algorithms
  • Use-after-free during Table Editing
  • Use-after-free in event listeners
  • Sandbox restrictions not applied to nested object elements
  • Character encoding cross-origin XSS attack
  • Application Installation doorhanger persists on navigation
  • Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)