Firefox to introduce click-to-play option to protect against dangerous plugins

Filed Under: Adobe Flash, Featured, Firefox, Java, Malware

Jared Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called "click-to-play". The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the memory footprint and provide protection against exploitation of plugin vulnerabilities.

Firefox 14 click-to-play featureIf you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash/PDF/Java object, instead of it instantly loading the video you will see a black box with a logo representing the plugin. When you click on the box it will launch the plugin and the video or other content will be rendered.

Writing in ZDNet's Zero Day blog, Dancho Danchev expressed his opinion yesterday that all Firefox's adoption of this technique will accomplish is slowing down the systematic exploitation of plugins and not really provide meaningful protection.

Sorry Dancho, I don't think I agree with you on this one. While Danchev makes some valid points regarding the continuing prevalence of social engineering to propagate threats, implementing more secure default options are always a good thing.

Many drive-by exploits are invisible to the user and don't involve any social engineering. I would argue the vast majority of what we see in SophosLabs doesn't involve trickery, users simply visiting the wrong blog at the wrong time results in malware being installed without the user even being aware that the page contains a Java applet or Flash object.

This may lead the attackers to move toward social engineering more frequently, but isn't that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.

The best example I can think of was a malicious PDF file that was part of an investigation I was involved with. The victim would receive an email with a plausible looking link. They click on the link and the website they are directed to pauses for a second, then proceeds to load with the promised content.

Firefox beta logoWhat happened? Their browser loaded a booby-trapped PDF without the user even knowing that a PDF file had been downloaded. After exploiting them the page simply redirected them to the originally promised content to allay suspicion.

My opinion? Good on ya' Mozilla. Keep making the bad guys job harder and giving Firefox users better security by default. No single feature wins the war, but every battle counts.

, , , , ,

You might like

19 Responses to Firefox to introduce click-to-play option to protect against dangerous plugins

  1. I've been waiting for this ever since I noticed a similar feature in Android's web browser.

  2. "Default Deny" has always been a good policy.

  3. My original thought was the same as Dancho Danchev but I have changed my mind. He's assuming that the only embedded items in a page are going to be the content that you want to view eg youtube videos.
    The default deny behaviour will stop non visible embedded items from auto loading.

  4. This is great! finnaly. Thanks to mozzila!

  5. Jonathan Wilson · 1256 days ago

    The other advantage of this is that all those annoying bandwidth-gulping Flash ads (and embedded YouTube videos) will not play unless you specifically click on them.

  6. Donkeypunch6936 · 1255 days ago

    This feature has been in Chrome for quite a while now. Don't know why it hasn't been implemented yet in FF.

  7. I've been wanting this built into Firefox for ages! I've used Flashblock for a long time.

  8. Keiran · 1255 days ago

    The only thing that worries me is that disabling flash by default on one of the world's most popular browsers can diminish revenue from flash ads, making it less profitable and maybe taking down websites that rely on them to stay afloat. No one is going to click to enable something they know will probably be annoying. The internet has always relied on the sheep who don't install security-related addons and click those things. It's otherwise a great idea, so long as it has the ability to whitelist particular sites. (If you can't, users will find it annoying, and ditch it)

  9. Alex · 1255 days ago

    Poor Bobby, being trapped in a PDF...

  10. anon · 1255 days ago

    If a website relies on annoying flash ads for survival, well then too bad for them. Though I don't see this changing much since I do believe most firefox users use adblock already and there are sites responding to that. Either they move to text-based less intrusive ads that people won't mind as greatly (google ads) or start requiring you to view ads before serving content/making video ads more interesting (youtube/hulu).

    There's also the security risks associated with running scripts. Preventing them is worth the inconvenience, IMO.

  11. nawarez · 1255 days ago

    Opera has this feature for ages now lol

    Firefox and Chrome always just copy stuff Opera has done before...

  12. thing · 1255 days ago

    Um. Pretty much most of the internet survives on advertising revenue.

    Where exactly do you think that all of these companies are going to find the money to survive?

    You're not going to pay them after all are you? You think that you should be served everything for free right? You think that entropy isn't a law of physics right?

  13. bob · 1255 days ago

    I just hope they implement it as a per-page button, and not a per-applet button. The number of pages I've been on where there's five little interacting bits of flash, or dynamically loaded flash, or otherwise, where the current approach just doesn't work, is astounding.

  14. Freida Gray · 1255 days ago

    When I go to a page containing a video,I don't always want to automatically see the video.Sometimes I want to see if there is an article associated with the video & read that instead of watching the video.If this feature will prevent those videos from automatically loading & playing I would consider that a good thing to have.As for stopping the automatic downloading of malware,this add-on won't do that.Clicking on a link to view a video on a site containing malware doesn't get you the promised video;it does get you the malware that wasn't promised.Also, the average user tends to be pretty persistent about viewing a promised video & will do whatever they "have to" to see such video,so they will probably click to view the video....even on a malware site.

  15. Matt · 1254 days ago

    "Um. Pretty much most of the internet survives on advertising revenue."

    Are you lumping together advertisers and businesses that *use* advertising? They are not likely to be impacted nearly the same.

  16. Olleks · 1254 days ago

    You should probably specify that this will be a non-default feature. Yes, if you activate the feature, plug-ins will be blocked by default (unless the website is whitelisted), but you have to opt into the feature first.

    From : "Firefox 14′s non-default support for opt-in (also known as click-to-play) plugins"

  17. Sharp · 1253 days ago

    Great, The only better thing I can hope for is an add-on that disables all the ads from the side of pages. I would rather see 1 frame of text related to what I am looking for, than 20 frames of ads along the side of a page. Let's hope it saves my Wireless account Bandwidth from maxing, due to the huge amount of ads and pictures it would transfer for no better reason than to eat up my usage.

  18. Advertising and the companies aside, when looking at 1000 users I'm happy to deploy a browser that may cut down on those awfull incidents when you take a user's laptop in hand to try to fight several malware infections and fail. These end users aren't geared towards the latest in IT security but they do try, they try to listen and understand our weird jargon but at the end of the day they are concerned in their field not ours. So, if I can deploy a browser that may cut down on these incidents and help the staff to achieve their goals then the very last thing I care about is some fly-by-night shelf company hawking their wares. Besides flash etc burns battery life.

  19. Thrawn · 1120 days ago

    @Sharp: That already exists. It's called Adblock Plus and it works well. It even has the option to subscribe to an anti-malware list, as well as the anti-advertising lists.

    Or, if you're more hardcore, you can install NoScript and RequestPolicy...then the only ads you'll see will be inline text and first-party static images.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at