The Move to Plugin-Free Browsers

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on their desktop products.

Microsoft has now also gone plugin-free with Internet Explorer 10 Metro. This version of Internet Explorer does not support plugins (except for the embedded Flash plugin, which is allowed on a few explicitly permitted sites only). See "Get Ready for plugin-free browsing" for additional details.

Chrome and Firefox are also moving in the direction of plugin-free browsers too. The first step is Click to Play, which enables plugins only after an interaction from the user, not by default. With the release of Firefox 19, Mozilla has removed the need to leverage the Adobe Reader plugin by providing a JavaScript based PDF reader. Firefox is also going to enable Click to Play by default (except for Flash) in the next releases.

Blame the plugin vendors

HTML5 is helping browser vendors to get rid of some plugins, like Flash. For example, the standardization around video and sound means Flash is no longer the only option to play a video on modern browsers.

But the main drive toward plugin-free browsers is security. The latest Java vulnerabilities actively exploited and leveraged in successful attacks against Facebook and Apple, are just the latest flaws exposed in Java, Flash and Adobe Reader plugins.

Because these plugins live outside of the browser, they cannot be updated automatically by the browser vendors. Our State of the Web reports continually show that users are slow to update their plugins, even after well publicized vulnerabilities are found.

Not the end of vulnerable browsers

The end of the plugins does not mean the end of vulnerabilities in browser, just fewer of them. This month Microsoft patched about 11 security flaws. But unlike vulnerabilities in plugins which can be exploited in all browsers, browser vulns are specific to each vendor.