Firefox to introduce click-to-play option to protect against dangerous plugins

Jared Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called “click-to-play”. The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the memory footprint and provide protection against exploitation of plugin vulnerabilities.

Firefox 14 click-to-play featureIf you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash/PDF/Java object, instead of it instantly loading the video you will see a black box with a logo representing the plugin. When you click on the box it will launch the plugin and the video or other content will be rendered.

Writing in ZDNet’s Zero Day blog, Dancho Danchev expressed his opinion yesterday that all Firefox’s adoption of this technique will accomplish is slowing down the systematic exploitation of plugins and not really provide meaningful protection.

Sorry Dancho, I don’t think I agree with you on this one. While Danchev makes some valid points regarding the continuing prevalence of social engineering to propagate threats, implementing more secure default options are always a good thing.

Many drive-by exploits are invisible to the user and don’t involve any social engineering. I would argue the vast majority of what we see in SophosLabs doesn’t involve trickery, users simply visiting the wrong blog at the wrong time results in malware being installed without the user even being aware that the page contains a Java applet or Flash object.

This may lead the attackers to move toward social engineering more frequently, but isn’t that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.

The best example I can think of was a malicious PDF file that was part of an investigation I was involved with. The victim would receive an email with a plausible looking link. They click on the link and the website they are directed to pauses for a second, then proceeds to load with the promised content.

Firefox beta logoWhat happened? Their browser loaded a booby-trapped PDF without the user even knowing that a PDF file had been downloaded. After exploiting them the page simply redirected them to the originally promised content to allay suspicion.

My opinion? Good on ya’ Mozilla. Keep making the bad guys job harder and giving Firefox users better security by default. No single feature wins the war, but every battle counts.