Mozilla has added a feature to Firefox that blocks known vulnerable versions of plugins from running by default.
The feature is currently in the Firefox beta and works in conjunction with a blocklist of vulnerable versions of popular plugins.
When a user lands on a site that requires a plugin, Firefox checks the version installed in the browser against the list of known vulnerable versions. If it matches, the plugin is not run automatically and the user is shown a message saying that the plugin needs to be updated.
The idea is to help protect users from themselves, something that security people have been trying to do for quite a while.
“For instance, when browsing a reputable video sharing website, a user might feel safe enough to enable a vulnerable plugin in order to view the site’s content (in fact, the trusted site can be whitelisted using the ‘Always activate plugins for this site’ option in the button drop-down menu),” said David Keeler of Mozilla.
“Of course, it would be best if the user upgraded the plugin to a secure version, but perhaps they can’t for one reason or another. In another scenario, they might not fully trust a site they arrive at after visiting a link sent from a friend,” he said. “In this case, the blocklisted plugin would not automatically run, and the user would be protected.”
The click-to-play blocklist feature is enabled by default in the Firefox beta, but it currently covers only a few plugins, namely Adobe Flash, Adobe Reader and Microsoft Silverlight.
“At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable,” Keeler said. “It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system.”
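To make the decision logic described above concrete, here is an added example (not Mozilla's code, and not the real Firefox blocklist format or real vulnerable version numbers) of how a click-to-play blocklist check can be modelled: a list of plugin names with inclusive vulnerable version ranges, a numeric component-wise version comparison, and a per-origin whitelist standing in for the "Always activate plugins for this site" choice Keeler mentions. The plugin names, version ranges and origins are constructed for illustration.

```javascript
// Added example: simplified click-to-play blocklist decision.
// Not Mozilla's code; blocklist entries below are constructed, not real advisories.

// Each entry names a plugin and an inclusive range of versions known to be vulnerable.
const BLOCKLIST = [
  { plugin: "Shockwave Flash",     minVersion: "0", maxVersion: "11.5.502.109" },
  { plugin: "Adobe Acrobat",       minVersion: "0", maxVersion: "11.0.0" },
  { plugin: "Silverlight Plug-In", minVersion: "0", maxVersion: "5.1.10410" },
];

// Compare dotted version strings component by component as numbers.
// A plain string compare would rank "11.5.502.9" above "11.5.502.110"; this does not.
// Missing trailing components count as 0, so "11.5" equals "11.5.0".
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0; // NaN (non-numeric component) and undefined both become 0
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls inside any blocklisted range for that plugin.
function isBlocklisted(pluginName, version) {
  return BLOCKLIST.some(
    (e) =>
      e.plugin === pluginName &&
      compareVersions(version, e.minVersion) >= 0 &&
      compareVersions(version, e.maxVersion) <= 0
  );
}

// Decide what happens when a page at `origin` tries to instantiate a plugin.
// `whitelist` is a Set of origins (scheme://host[:port]) the user has chosen to
// "Always activate plugins for". Keying on the full origin rather than the bare
// hostname keeps an http:// page from inheriting a decision made on https://.
// Returns "run" or "click-to-play".
function pluginPolicy(pluginName, version, origin, whitelist = new Set()) {
  if (!isBlocklisted(pluginName, version)) return "run";   // not known vulnerable
  if (whitelist.has(origin)) return "run";                 // user accepted the risk for this site
  return "click-to-play";                                  // blocked by default; UI shows the update prompt
}

// Stand-alone demonstration with constructed inputs.
const trusted = new Set(["https://video.example"]);
console.log(pluginPolicy("Shockwave Flash", "11.4.402.287", "https://video.example", trusted)); // run (whitelisted)
console.log(pluginPolicy("Shockwave Flash", "11.4.402.287", "http://video.example", trusted));  // click-to-play
console.log(pluginPolicy("Shockwave Flash", "11.5.502.110", "http://unknown.example"));        // run (patched)
console.log(pluginPolicy("Java", "7.0", "http://unknown.example"));                            // run (not on the list)
```

Note that the last case is exactly the limitation Keeler describes: a plugin absent from the blocklist, or one the user activates on a malicious site, is not protected by this mechanism at all.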