
Firefox 'Click to Play' to prevent drive-by exploits

by Mark Tyson on 6 May 2012, 22:52

Tags: Mozilla

Quick Link: HEXUS.net/qabgbf


There is a new security-focused feature being developed for Firefox 14 called ‘Click to Play’. The idea is to stop plugins such as Flash, Java and the PDF viewer from loading automatically, because these plugins are a common route for drive-by exploits: a booby-trapped Flash or PDF file embedded in a page (or in an advert on it) is handed to the plugin and run without the user doing anything. I actually have experience of receiving such a payload via a Flash banner ad which downloaded a trojan to my old netbook. I think the ad was served by Clicksor, well known for malware-infested adverts. Similarly, the security bods at Sophos have experience of drive-by downloading of booby-trapped PDFs.

With the new Firefox Click to Play feature, when a page you open contains plugin content, Firefox waits for you to click before loading it (opt-in rather than opt-out). On YouTube, for example, the first time you visit the site with Click to Play enabled, the space where the video would be shows the plugin icon instead; clicking it starts the Flash plugin, which then loads the video player and the stream.

Click to Play

Benefits of Click to Play

  • Better security - default deny, so plugin content never runs unless you ask for it
  • Lower memory usage, since blocked plugins are never instantiated
  • Lower CPU usage (which may save you some battery if you are on the road)
  • Your choice is remembered per site/domain, i.e. site-specific permissions

Click to Play

There are various add-ons for Firefox with similar functionality: NoScript, Flashblock and ScriptNo stop embedded Java and Flash content from running or loading automatically. The popularity of these add-ons with tech-savvy Firefox users probably flagged up to the Firefox developers that it would be a good feature for the browser itself. The people who most need protecting from drive-by exploits may never hear about script-blocking extensions, let alone install them. For the average punter it won’t take long to whitelist their favourite trusted web sites and enjoy quite a bit more security when browsing further afield (default deny). One caveat: whitelisting a site trusts everything it serves, so a malicious banner ad on a whitelisted site, like the one mentioned above, would still load.
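To make the behaviour described above concrete, here is an added example (not Mozilla's, Flashblock's or HEXUS's code) of a minimal Flashblock-style gate: plugin elements are swapped for a placeholder until the user clicks, and the decision can be remembered per origin with "ask" as the default. The policy and MIME-type logic is DOM-free so it runs under Node; the DOM part only runs in a browser. The class and function names, the MIME-type table and the button placeholder are assumptions made for this illustration.

```javascript
// Added example, not code from Firefox or any real extension.
// Plugin MIME types named in the article; anything else is reported as "plugin".
// Assumption: gating is keyed on the element's type attribute. A real gate would
// also inspect the src/data URL and the browser's plugin registry.
const KNOWN_PLUGIN_TYPES = {
  'application/x-shockwave-flash': 'Flash',
  'application/futuresplash': 'Flash',
  'application/x-java-applet': 'Java',
  'application/x-java-vm': 'Java',
  'application/pdf': 'PDF',
};

function pluginKind(mimeType) {
  // Strip parameters such as "; charset=..." and normalise case before lookup.
  const key = (mimeType || '').split(';')[0].trim().toLowerCase();
  return KNOWN_PLUGIN_TYPES[key] || 'plugin';
}

// Reduce a page URL to a permission key: scheme + host (+ explicit port).
// http:// and https:// versions of a site get separate rules; path and query
// are ignored so every YouTube watch page shares one rule.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Site-specific permissions with default deny: an origin with no stored rule
// is "ask", meaning the placeholder is shown and the user must click.
class PluginPolicy {
  constructor(rules = {}) {
    this.rules = new Map(Object.entries(rules));
  }
  decide(origin) {
    const rule = this.rules.get(origin);
    return rule === 'allow' || rule === 'deny' ? rule : 'ask';
  }
  remember(origin, decision) {
    if (decision !== 'allow' && decision !== 'deny') {
      throw new Error(`bad decision: ${decision}`);
    }
    this.rules.set(origin, decision);
  }
  forget(origin) {
    this.rules.delete(origin);
  }
  // Persist as a JSON string, e.g. in localStorage or extension storage.
  serialize() {
    return JSON.stringify(Object.fromEntries(this.rules));
  }
  static deserialize(text) {
    return new PluginPolicy(JSON.parse(text));
  }
}

// Browser-only: replace each <object>/<embed>/<applet> with a placeholder
// button until the user clicks, unless the policy already allows this origin.
// Returns the number of elements gated (0 outside a browser, e.g. under Node).
// Caveat: script-level gating only helps if it runs before the plugin is
// instantiated (an extension would hook document_start); a browser-level
// Click to Play blocks at the plugin host and has no such race.
function gatePlugins(policy, doc = globalThis.document, loc = globalThis.location) {
  if (!doc || !loc) return 0;
  const origin = originOf(loc.href);
  if (policy.decide(origin) === 'allow') return 0;
  let gated = 0;
  for (const el of Array.from(doc.querySelectorAll('object, embed, applet'))) {
    const placeholder = doc.createElement('button');
    placeholder.textContent = `Click to play ${pluginKind(el.getAttribute('type'))}`;
    placeholder.addEventListener('click', () => {
      // Re-inserting the original element is what actually loads the plugin.
      placeholder.replaceWith(el);
    });
    // Detaching the element from the DOM stops the plugin from being loaded.
    el.replaceWith(placeholder);
    gated++;
  }
  return gated;
}
```

The permission key deliberately includes the scheme: an allow rule for https://www.youtube.com should not carry over to an http:// page claiming the same host, since that page could have been tampered with in transit. Remembering "deny" as well as "allow" lets a user silence the placeholder on sites whose plugin content they never want.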



HEXUS Forums :: 7 Comments

Correct me if I'm wrong, but didn't Firefox use to do this several years ago anyway?
I wonder why it's taken the folks at Mozilla this long, and why it will take them even longer (Firefox 14?) to implement this feature. Opera has had it for a long time now, for example.
Zeven wrote: I wonder why it's taken the folks at Mozilla this long, and why it will take them even longer (Firefox 14?) to implement this feature. Opera has had it for a long time now, for example.

At the rate Mozilla do new version numbers these days Firefox 14 will be out next month anyway lol

On a serious note this is long overdue!
Sickorz wrote: At the rate Mozilla do new version numbers these days Firefox 14 will be out next month anyway lol

On a serious note this is long overdue!

More like 12 weeks or so. :(
Even on a 12-week schedule, we're still going to see pretty massive version numbers. I never did understand the policy shift:
http://www.extremetech.com/internet/92792-mozilla-takes-firefox-version-number-removal-a-step-further

In 10 years, Mozilla will be rolling out Firefox v53. Now you could say, “there'll be no Firefox in 10 years”, but look at Internet Explorer. It was born 16th August 1995. If Microsoft had taken the new Mozilla approach to versioning, we'd have IE v72! It would still be a beta.