The Firefox Web browser will soon block all browser plug-ins except Adobe Flash Player by default, Firefox maker Mozilla announced yesterday (Jan. 29).
"One of the most common exploitation vectors against users is drive-by exploitation of vulnerable plug-ins," Michael Coates, Mozilla director of security assurance, said in a blog posting.
Coates added that "poorly designed third-party plug-ins are the No. 1 cause of crashes in Firefox and can severely degrade a user's experience on the Web."
The move ought to severely cut down on the number of browser exploits affecting Firefox users. Dozens of exploits have been crafted against Flash, Adobe Reader and Java browser plug-ins. Users can become infected simply by landing on a corrupted website.
This month, Java browser exploits got so serious and widespread that Firefox disabled Java plug-ins entirely.
"This change will help increase Firefox performance and stability, and provide significant security benefits, while at the same time providing more control over plug-ins to our users," Coates wrote.
Instead of running plug-ins automatically, future versions of Firefox will ask users to approve each instance in which a plug-in is needed, a feature that Mozilla calls "Click to Play."
Users will be able to adjust their settings to let specific plug-ins always run when accessing specific websites.
For example, the Microsoft Silverlight plug-in is needed to play Netflix streaming content, so users may want to make sure that plug-in is always enabled for the Netflix site.
The only plug-in that Firefox will automatically load for all sites is the latest version of Adobe Flash Player, which is used by hundreds of thousands, if not millions, of sites, most notably YouTube.
Older versions of the Flash plug-in will be blocked along with the rest and placed on Mozilla's list of blocked add-ons and plug-ins. Coates did not give a timeline for that process.
To see which plug-ins you have running on your Firefox browser, and which of those need to be updated, go to https://www.mozilla.org/en-US/plugincheck/.