Firefox to block Silverlight and Java -- but not Flash

By default, people who want to use plug-ins with Mozilla's browser will have to manually enable them on each Web page. The reason: better security and performance.

Stephen Shankland, principal writer

To improve security and cut crashes, Firefox will block plug-ins including Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java, Mozilla said.

Only the newest version of Adobe Systems' Flash Player will be run by default, said Michael Coates, Mozilla's director of security assurance, in a blog post yesterday.

Plug-ins extend a browser's ability to run software or handle different media and file formats, but that extra ability opens new avenues for attack. They've been a staple of Web development for years, but browser makers are working hard to reproduce their abilities directly with Web standards that don't require plug-ins.

Firefox will disable the execution of non-Flash plug-ins by default with a feature called Click to Play that lets people run each plug-in on a particular Web page if they choose.

Click to Play can be configured to override Mozilla's defaults, letting people set it to always or never run a particular plug-in.

Coates explained Mozilla's rationale this way:

Poorly designed third-party plug-ins are the No. 1 cause of crashes in Firefox and can severely degrade a user's experience on the Web. This is often seen in pauses while plug-ins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox...

One of the most common exploitation vectors against users is drive-by exploitation of vulnerable plug-ins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plug-in exploit kit. We've observed plug-in exploit kits to be present on both malicious Web sites and also otherwise completely legitimate Web sites that have been compromised and are unknowingly infecting visitors with malware.