Mozilla blocks plugins by default

Posted by Emma Woollacott

Mozilla says it's planning to change the way Firefox loads all third party plugins apart from Flash Player, blocking them by default. It will no longer load them automatically, instead using Click to Play.

Plugins - especially Java - are notoriously dodgy in terms of security. Indeed, the Department of Homeland Security recently advised users to disable or remove the software following the discovery that a zero-day security vulnerability within Java 7 Update 10 was being used for identity theft and the installation of malware.

But they're also blamed for causing high memory usage while browsing, delays and frequent crashes, and Mozilla says the change will improve performance and stability.

"Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox," says the company's director of security assurance, Michael Coates.

"By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins."

Until now, Mozilla's only used Click to Play for plugins that appeared to be unsafe or extremely out of date. Now, though, while the current version of Flash will be excepted, Click to Play will become the default for everything else.

This includes popular plugins such as Silverlight and Acrobat Reader, as well as Java Player, and means users will have to explicitly grant permission by clicking greyed-out areas on a web page.

However, users will be able to configure the system to allow some or all plugins to load automatically on selected websites.