Comments:"Firefox to block content based on Java, Reader, and Silverlight | Ars Technica"
Mozilla engineers plan to disable Java, Adobe Reader, and Microsoft Silverlight capabilities in their flagship Firefox browser in a move aimed at improving security and performance.
By default, Firefox will load content based on all three plugins only after users click an icon that explicitly permits it. The feature, known as click to play, was introduced late last year. Until now, it disabled out-of-date plugins to prevent hack attacks and browser crashes. Sometime soon, it will begin blocking all plugins except for the most recent version of Adobe Flash.
"One of the most common vectors against users is drive by exploitation of vulnerable plugins," Michael Coates, Mozilla's director of security assurance, wrote in a blog post announcing the change. He was referring to website attacks that surreptitiously install malware on end-user computers by targeting security bugs in the browser components that process Java- and Flash-based content. "The click to play feature protects users in these scenarios," he added.
Over the past year, plugins for Oracle's Java software framework have emerged as one of the chief targets for drive-by attacks. Adobe's Flash Player has also been popular. While click to play won't affect the most recent version of Flash, older releases will also be blocked unless users explicitly permit them.
Coates didn't provide a timeline for the change.