Mozilla on Tuesday released Firefox 26, which kicked off a limited form of click-to-play and patched 15 security vulnerabilities, six marked "critical."
Click-to-play -- a security feature that requires users to authorize the use of a plug-in when a website or page element requires it -- has been adopted by other browsers as protection against a rising tide of exploits that leverage bugs in plug-ins, particularly Adobe's Flash Player and Oracle's Java.
[ Also on InfoWorld: Mozilla ushers in new Firefox UI. | Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | For a quick, smart take on the news you'll be talking about, check out InfoWorld TechBrief -- subscribe today. ]
Google's Chrome, for example, has long offered click-to-play, although it has been turned off by default.
In January 2013, Mozilla announced it would require click-to-play for all installed plug-ins except for Flash, then later added the feature to developer and beta builds of Firefox 26.
But when the browser debuted Tuesday, only the Java plug-in was stuck behind the click-to-play wall; all other plug-ins automatically ran. Mozilla did not immediately reply to questions, but threads on the company's discussion groups hinted that the feature slipped because developers wanted to do more testing of other plug-ins before expanding click-to-play.
Firefox 26 also saw the wrap-up of "MemShrink," a two-year project to reduce the browser's memory footprint that focused on plugging "leaks" created when code doesn't properly release memory after a chore is completed. The leaked memory is never returned to the available pool, reducing what's available for other applications, or even for Firefox. Eventually, performance suffers.
Complaints about Firefox's memory usage have historically centered on the browser's habit of not releasing memory when tabs are closed.
In a post to his personal blog, Nicolas Nethercote, the developer who led MemShrink, said the project had been completed. Previously, Nethercote had touted a pair of final bug fixes that landed in Firefox 26 which curtailed memory usage spikes and improved load times of image-heavy pages.
Along with the debut of click-to-play and the wrap-up of MemShrink, Mozilla also tucked patches for 15 vulnerabilities into Firefox 26. A half-dozen of the fixes were tagged critical, Mozilla's most serious threat ranking.
Among the critical vulnerabilities were several "use-after-free" bugs, a type of memory management flaw. One of those was reported by Nils, a German researcher who goes only by his first name. Nils is a noted vulnerability researcher, half of a two-man team who won $100,000 in March for hacking Google's Chrome at the Pwn2Own contest.