On 11 April 2012, Jared Wein, a software engineer working on Firefox, described a new ‘click-to-play’ feature slated for Firefox 14. When this feature is activated, he wrote, “plugins will require an extra click to activate and start ‘playing’ content. This is an incremental step towards securing our users, reducing memory usage, and opening up the web.” In so doing, the feature will make silent drive-by downloading more difficult for the cyber criminals.
On 20 April, Wein described phase 2 of the project: site-specific permissions for Firefox’ opt-in plugins. The intention here is to make the feature more user-friendly. “With site-specific permissions, users can whitelist sites that they visit often and trust. Sites that are whitelisted will activate plugins automatically upon load.”
Phase 3 is still being developed. This will allow Mozilla to “remotely configure the user's browser to require click to play for specific plugins that are out-of-date and/or vulnerable.” Meanwhile, however, Dancho Danchev has questioned the value of the project: “is this a sound response to preventing the currently ubiquitous exploitation of client-side vulnerabilities on end and corporate PCs...? he asks; and “Not necessarily,” he answers.
Danchev believes that the feature will merely delay the social engineering element used by cybercriminals in drive-by downloading. “It would [not] take long before they start mimicking Mozilla’s ‘click-to-play’ feature, offering additional advice to users for enabling it in order to view the promised content,” he suggests. “What do you think?” he concludes.
Now Chet Wisniewski of Sophos has responded; and he disagrees with Danchev. Many drive-by exploits are invisible to the user, he says, describing a particular example he worked on. The victim’s “browser loaded a booby-trapped PDF without the user even knowing that a PDF file had been downloaded. After exploiting them the page simply redirected them to the originally promised content to allay suspicion.” Click-to-play would have prevented this (provided, of course, that the user doesn’t whitelist malicious websites). “Keep making the bad guys job harder and giving Firefox users better security by default,” he says. “No single feature wins the war, but every battle counts.”