January 31, 2013
Mozilla Looks To Unplug Firefox Plug-Ins To Improve Security, Reduce Crashes
Peter Suciu for redOrbit.com — Your Universe Online
Mozilla is getting "foxy" as it looks to improve security and reduce crashes in its Firefox browser. Beginning soon, Mozilla will in essence unplug most browser plug-ins, and users will have to manually approve any plug-in content via a so-called "Click to play" action.
Firefox will only load content from all three plug-ins after a user clicks an icon that explicitly permits it. This "click to play" feature was introduced last year, but originally it only disabled out-of-date plug-ins to prevent hack attacks and browser crashes. Going forward, Firefox will begin blocking all plug-ins except for the most recent version of Adobe Flash.
Michael Coates, Mozilla's director of security assurance, wrote in a blog post on Wednesday addressing the changes:
"Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user's experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plugins."
Coates also noted that vulnerable plug-ins are a common exploitation vector against users, and that these browser add-ons put users at risk of malware and other attacks.
Plug-ins are meant to extend a browser's ability to run software and handle different media and file formats, but they also open new avenues for attack. Oracle's Java, which was developed by Sun Microsystems in the early 1990s and first released as a web-based plug-in in 1995, has been seen as one of the chief targets for so-called "drive-by attacks," and has a history of security vulnerabilities.
Browser exploit kits are in essence one-size-fits-all bundles of malware that attack a user's web browser with one exploit after another until something gets through and infects the target computer. Exploit kits can be inserted into web pages in ways that get past site administrators without detection. In many cases these exploits take advantage of newly found holes that most anti-virus programs aren't yet able to protect against.
Oracle acquired Java when it purchased Sun Microsystems, and earlier this month it released a large batch of security fixes to address the newly discovered vulnerabilities.
But it isn't just Java that remains at risk.
Adobe's Flash Player also remains a popular target, as it is used by millions of sites including YouTube, which hundreds of millions of users visit every day. Interestingly, Firefox won't unplug the newest version of Flash, but older versions will require a click-to-play action by users in order for the plug-in to work.
Mozilla has published a list of blocked add-ons, which are known to cause serious security, stability or performance issues with Firefox.