Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Click To Play: The Next Step For Firefox

November 29, 2012 - 3 min read
Click to Play first appeared in Firefox 14 and it appeared in developer versions of Chrome back in 2010. I described the feature in a post last July. Click to Play disables all plugins by default on all pages. The user then has to explicitly click on a warning to let the plugin, Flash or Java for example, run. Chrome and Firefox both have Click to Play disabled by default. After trying to use Click to Play for a week in Firefox, I had to give up, too many websites were not working and the warning was not always showing on the page.

Click to Play warning in Firefox 14

Firefox 17

Firefox 17 is the first browser to enable Click to Play by default, with a caveat. Click to Play is enabled only for plugins that are outdated and vulnerable. It is possible to enable Click to Play for all plugins, including up to date ones, by changing the property plugins.click_to_play to true in about:config. However, it is not possible to disable the feature for vulnerable plugins.

One of the problems in the previous implementation of Click to Play was that plugins could be used without any visual widget on the page, so no warning would be displayed to the user. In Firefox 17, there is an additional icon on the left of the URL bar that is visible when a plugin has been disabled on the page. You can click on the blue icon to choose what to do: enable the plugin once, always enable the plugin on the site, etc.

New icon to manage disabled plugins

More options for always disable or enable outdated plugins on a site

Plugin check

Firefox has also had tools to verify whether the plugins installed are up to date for a while. However, this is a manual process: go to Tools - Add-ons - Plugins and click on Check to see if your plugins are up to date. This opens a new tab to the Firefox website with information about the plugins installed.

Information about my plugins

You will notice that four of my plugins are unknown to Mozilla. In this case, the page cannot tell me whether they are up to date or not.

Fortunately, Mozilla makes it clear when there's a difference between outdated versionssimply lacking new features and unsafe versions:

Vulnerable Flash version

Outdated Flash version
Click to Play kicks in for vulnerable versions only, not for outdated versions of a plugin. This is better for companies that don't let users upgrade to the latest version (like Flash 11) but still install safe versions of older releases (Flash 9 in my example).

Not full security

First, Mozilla cannot manage all plugins. It is not always able to tell whether a particular version is safe or not. Because Mozilla chooses to enable Click to Play for outdated and vulnerable version only, it would not have protected users against 0-day vulnerabilities, like the vulnerability that affected the latest version of the Java plugins, or the Flash 0-day exploit that circulated on the web.

Strangely, the feature stopped working for me after a while. I reinstalled Firefox, wiping out all my user settings, a couple of times, but the same thing happened: after using Firefox for about one hour, Click to Play was not kicking in anymore.

While it is not a silver bullet, this is a good step forward in making Firefox user safer. They have also made UI improvements since Firefox 14 that make the feature much more usable.
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.