Firefox 26 blocks Java plugins by default

Mozilla released Firefox 26 which includes five critical, three high, three moderate, and three low security updates.

All Java plug-ins are defaulted to ‘click to play’, which is a welcome security addition.

Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla commented: “When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page.”

The password manager now supports script-generated password fields and updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service).

Here’s a complete list of security fixes:

• Mis-issued ANSSI/DCSSI certificate
• JPEG information leak
• GetElementIC typed array stubs can be generated outside observed typesets
• Use-after-free in synthetic mouse movement
• Trust settings for built-in roots ignored during EV certificate validation
• Linux clipboard information disclosure though selection paste
• Segmentation violation when replacing ordered list elements
• Potential overflow in JavaScript binary search algorithms
• Use-after-free during Table Editing
• Use-after-free in event listeners
• Sandbox restrictions not applied to nested object elements
• Character encoding cross-origin XSS attack
• Application Installation doorhanger persists on navigation
• Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)