Java has had a bit of a rough year so far with it falling victim to a zero day attack, and then having a second, potentially more devastating attack, auctioned off to unknown hackers. To prevent attacks like these from affecting users, Mozilla is expanding its Click to Play plugin blocker.
Mozilla announced today that Click to Play, which was introduced in Firefox 17, will have more plugins added to it. For those who don't know what Click to Play is, the feature makes it so that the user has to manually enable the plugin being requested on any particular Web site. For example, a user visits YouTube to watch a video in Flash. Firefox will block Flash from playing until the user gives their permission. Of course, YouTube is a trusted site so users can add it to a whitelist where all Flash content on YouTube will automatically play.
Besides the aforementioned example, Mozilla thinks that Click to Play will have a number of benefits for users of Firefox. For starters, users will have more control over which plugins they want running on their machines. I've already mentioned that users can whitelist sites for certain plugins, but users can also blacklist sites if they don't want certain plugins running at all.
Firefox's performance and stability is also improved thanks to Click to Play. Mozilla says that the number one cause of instability in Firefox is due to "poorly designed third party plugins." Turning these off when they're not needed - like Silverlight or Java - will help reduce the memory Firefox consumes.
The biggest advantage to using Click to Play comes in the form of security enhancements. A study from earlier this month found that instances of malware will only increase this year, and Java will remain a highly exploitable software. This is where Click to Play comes in. Firefox will alert users to potential threats and keep a plugin from running until the user can verify if the site is malicious or not.
In future versions of Click to Play, Mozilla add all plugins to the blocklist except for the newest version of Flash. Previously added plugins to the blocklist include older versions of Sliverlight and Java. Older versions of Flash will soon be added alongside current versions of Silverlight, Java and Acrobat Reader.