Last week Mozilla announced it will notify users about the outdated plugins on Windows for old versions of Silverlight, Adobe Reader and Adobe Flash. The plugin update notification feature that was announced used the old update notification mechanism for Firefox 16 and below. But today, Mozilla Firefox announced Click-to-play block plugin–combination of Blocklist feature with click to play plugin which will be available on Firefox 17.
Click-to-play blocklisted plugin is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It doesn’t prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system.
“The feature will be available by default so users can automatically be protected”. However, the about:config preference “plugins.click_to_play” can be set to true to enable click-to-play for all plugins, not just out-of-date ones.
This is how the plugin would look like in action:
The prompt in the grey box will tell the users that the plugin is vulnerable and if there is an update available it will notify you to update the plugin. Moreover, the popup notification above won’t show itself automatically. To open the popup, simply click the plugin icon in the URL bar as shown below.
Mozilla explains “By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins. Instead of choosing between vulnerable but useful (by allowing an old plugin to run automatically) and safe but less useful (by completely disabling old plugins), click-to-play blocklisted plugins gives the user the ability to make an informed decision depending on their current activity”
This feature is currently available in Firefox Beta version.
