Jared Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called “click-to-play”. The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the memory footprint and provide protection against exploitation of plugin vulnerabilities.

If you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash, PDF or Java object, instead of the video loading instantly you will see a black box with a logo representing the plugin. Only when you click on the box is the plugin launched and the video or other content rendered; until then no plugin code runs for that page.

Writing in ZDNet’s Zero Day blog yesterday, Dancho Danchev argued that all Firefox’s adoption of this technique will accomplish is to slow down the systematic exploitation of plugins, without providing any meaningful protection.

Sorry Dancho, I don’t think I agree with you on this one. While Danchev makes some valid points about the continuing prevalence of social engineering in spreading threats, shipping a more secure default is always a good thing.

Let’s compare this to a past example that did not “solve the problem”, but moved security forward and helped prevent exploitation. Plug the SD Card into your brain, we’re going back to the beginning of the millennium.

Remember Outlook Express? Mail clients ten years ago rendered HTML and images by default, and some of them even executed scripts embedded in a message as soon as it was previewed. Mail-borne worms like ILOVEYOU and Melissa tore through those clients quite consistently until vendors realised that running whatever arrived in the inbox was a major security problem and changed the default behaviour to a safer option.

Could you still render the email? Sure. Was there a way to make a bad choice and go back to the old behavior? You betcha. Yet the vast majority of email users are safer today because of a simple mitigation like not rendering potentially malicious code by default.

Many drive-by exploits are invisible to the user and don’t involve any social engineering at all. I would argue that the vast majority of what we see in SophosLabs doesn’t involve trickery: users simply visit the wrong blog at the wrong time and malware is installed without their ever being aware that the page contained a Java applet or a Flash object.

This may lead the attackers to move toward social engineering more frequently, but isn’t that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.

The best example I can think of was a malicious PDF file that was part of an investigation I was involved with. The victim would receive an email with a plausible looking link. They click on the link and the website they are directed to pauses for a second, then proceeds to load with the promised content.

What happened? Their browser loaded a booby-trapped PDF without the user ever knowing that a PDF file had been downloaded. After exploiting them, the page simply redirected to the originally promised content to allay suspicion.
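To make the mechanism concrete, here is a small model of the click-to-play idea from earlier in the post applied to the drive-by PDF case just described. It is an added example written for this page, not Mozilla’s code and not how Firefox implements the feature internally (Firefox blocks at the point where the plugin would be instantiated; this model rewrites constructed HTML as text to show the same policy). The sample page, the placeholder markup and the `ctp-` identifiers are all assumptions made up for the illustration.

```javascript
// Added illustration of click-to-play: every element that would instantiate
// a plugin (Flash, Java, PDF) is swapped for an inert placeholder at load
// time, and only the element the user clicks on is put back. A hidden 1x1
// iframe pulling in a PDF gets exactly the same treatment as a visible video,
// which is the point: the user sees a box where the page tried to load a
// plugin invisibly. String-based model, not Firefox's implementation.

// Constructed sample page: a visible Flash video plus a hidden PDF iframe.
const SAMPLE_PAGE = `<html><body><h1>Promised content</h1>
<object type="application/x-shockwave-flash" data="/v/video.swf" width="640" height="360"></object>
<iframe src="/files/invoice.pdf" width="1" height="1" style="visibility:hidden"></iframe>
<img src="/logo.png"></body></html>`;

// Matches <object>, <embed> and <iframe> start tags, plus the matching end tag when present.
const PLUGIN_TAG = /<(object|embed|iframe)\b([^>]*)>(?:[\s\S]*?<\/\1>)?/gi;

// Decide which plugin a tag would instantiate, from its MIME type or the file it loads.
// Returns null for content that needs no plugin, which is left alone.
function classifyPlugin(attrs) {
  const type = (attrs.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || "";
  const src = (attrs.match(/\b(?:src|data)\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || "";
  if (/shockwave-flash/i.test(type) || /\.swf(\?|$)/i.test(src)) return "Flash";
  if (/x-java/i.test(type) || /\.(jar|class)(\?|$)/i.test(src)) return "Java";
  if (/\bpdf\b/i.test(type) || /\.pdf(\?|$)/i.test(src)) return "PDF";
  return null;
}

// Page load: replace each plugin-bearing element with a placeholder and keep
// the original markup aside, keyed by a placeholder id (hypothetical "ctp-N").
function applyClickToPlay(html) {
  const blocked = new Map();
  let n = 0;
  const rewritten = html.replace(PLUGIN_TAG, (match, tag, attrs) => {
    const plugin = classifyPlugin(attrs);
    if (!plugin) return match;
    const id = `ctp-${n++}`;
    blocked.set(id, { plugin, original: match });
    return `<div class="ctp-placeholder" id="${id}" data-plugin="${plugin}">Click to play ${plugin}</div>`;
  });
  return { html: rewritten, blocked };
}

// The user's click: restore the original element for that one placeholder.
// Everything else the page tried to load stays blocked.
function activate(state, id) {
  const entry = state.blocked.get(id);
  if (!entry) return state.html;
  const placeholder = new RegExp(`<div class="ctp-placeholder" id="${id}"[^>]*>[^<]*</div>`);
  // Replace via a function so "$" sequences in the original markup are not interpreted.
  return state.html.replace(placeholder, () => entry.original);
}

module.exports = { SAMPLE_PAGE, classifyPlugin, applyClickToPlay, activate };
```

Run against the sample page, `applyClickToPlay` blocks both the Flash object and the hidden PDF iframe while leaving the image alone; `activate(state, "ctp-0")` brings back only the video, and the PDF stays a visible “Click to play PDF” box instead of silently loading in the background. A real implementation would hook plugin instantiation rather than rewriting markup, since scripts can insert plugin elements after the page has loaded, but the policy the user experiences is the same.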

My opinion? Good on ya’ Mozilla. Keep making the bad guys’ job harder and giving Firefox users better security by default. No single feature wins the war, but every battle counts.

Source: Sophos