The Firefox 26 release, which entered beta in November, has been patched this week.

From a security perspective, the big change is that Firefox 26 introduces the concept of click-to-play plug-ins. This has restricted the ability, especially of Java plug-ins, to auto-load and automatically run.

In Firefox 26, all plug-ins except for Flash will generate a prompt, asking the user to block it or allow it to run. Furthermore, out-of-date versions of Silverlight, Java, and Adobe Reader will be blocked entirely, forcing the user to update before the plug-ins are allowed to run.

The risk from automatically enabled plug-ins is that a user could potentially be directed to a malicious website where a plug-in is used to automatically deliver a form of malware payload into the user's computer.

Plug-in whitelist

"The latest release of Firefox will continue to enable all plug-ins — except Java — by default while the click-to-play feature goes through additional testing in beta," Chad Weiner, product manager for Firefox, said. "In the coming weeks, we will announce details of a plug-in whitelist policy"

Research on click-to-play has shown that the feature can confuse and annoy users who have to continually approve pages for use. However the current implementation by Firefox means that once a website has been given permission it will permanently have it and won't need to prompt the person browsing it again.

Mozilla has also added 14 security advisories in the update, with five marked as critical. Three of these critical advisories deal with use-after-free memory errors. These errors occur when unused authorised memory remains accessible to other programs, which attackers can use to execute arbitrary code.

The update includes advisories that had been spotted by research teams at firms other than Mozilla. Their security advisory credits Google and BlackBerry research and analysis teams for discovery of the flaws, two of which were deemed critical.