How To Stop Automatic Plugin Installations In Firefox

Martin Brinkmann
Oct 18, 2009
Updated • May 26, 2015
Firefox
|
24

Mozilla Firefox users noticed yesterday that a new plugin was installed in their web browser without them being informed about it (read Microsoft Silently Installing Windows Presentation Foundation Plugin For Firefox for pointers. Mozilla Firefox users on Windows who installed the Microsoft net. Framework 3.5 SP1 on the operating system had a plugin installed in Firefox automatically without receiving a prompt or notification about it.

This is problematic from a security point of view but also when it comes to stability and privacy.

The majority of blame should not be put solely on Microsoft though as other software companies like Apple or Google have done exactly the same thing in the past to load their plugins in the web browser.

Firefox users may notice a Google Update plugin or Apple iTunes plugin in the plugin section of the web browser, and those installations are not blocked by the Firefox browser as well. These companies use how Firefox detects and loads plugins, and while there are ways to block plugins from being loaded, no initial protection is provided by the browser.

Firefox: block plugin installations

There is however an option to block automatic plugin installations. It is not a perfect solution though but it is all that is provided currently. Mozilla developers have added several directories and locations in the Firefox preferences that are automatically scanned by the web browser for plugins. If a plugin is found it will be added and activated in the browser.

These plugin directories are listed in the all.js files which is located in the greprefs directory of the Firefox installation.

Update: Mozilla has changed the location and name of the preferences file. The all.js file and greprefs folder are no longer available, at least not in their initial location. The resource file you are looking for has been integrated into the omni.ja file in the default Firefox installation directory.

The easiest way to control plugins is to load about:config in Firefox, and manage the preference names there:

  1. plugin.scan.plid.all - This defines if Firefox will scan the Windows Registry for plugin links (if set to true) or not (set to false).
  2. plugin.scan.Acrobat - The value of this preference defines the minimum version of Adobe Acrobat that Firefox will load as a plugin if installed on the system.
  3. plugin.scan.Quicktime - Same as Adobe, but for Apple Quicktime.
  4. plugin.scan.WindowsMediaPlayer - Same as Adobe, but for Windows Media Player. End

It is possible - but not recommended - to extract the archive, edit the greprefs.js file that you find inside, create a new archive, and replace the original file with this one.

Mozilla has integrated other means of changing values in files contained in the omni.ja file, and I'm going to show you how this is done.

All you have to do is create your own custom greprefs.js file, and place it in the /defaults/pref/ directory of your Firefox installation folder.

Here is what you need to add to it to block plugins:

This blocks the Registry scanning

pref("plugin.scan.plid.all", false);

To block individual plugins as outlined below, change the version to a very high value, e.g. 100.0. Firefox will only include the plugins if they match that version, and since they don't, will block the plugin from being used. Adding the comment symbol // in front does not work anymore.

The following directories and locations are listed in the file (search for plugin or another word that will move the cursor to that position).

// Locate Java by scanning the Sun JRE installation directory with a minimum version
// Note: Does not scan if security.enable_java is not true
pref("plugin.scan.SunJRE", "1.3");

// Locate plugins by scanning the Adobe Acrobat installation directory with a minimum version
pref("plugin.scan.Acrobat", "5.0");

// Locate plugins by scanning the Quicktime installation directory with a minimum version
pref("plugin.scan.Quicktime", "5.0");

// Locate and scan the Window Media Player installation directory for plugins with a minimum version
pref("plugin.scan.WindowsMediaPlayer", "7.0");

// Locate plugins by the directories specified in the Windows registry for PLIDs
// Which is currently HKLM\Software\MozillaPlugins\xxxPLIDxxx\Path
pref("plugin.scan.plid.all", true);

// Controls the scanning of the Navigator 4.x directory for plugins
// When pref is missing, the default is to pickup popular plugins such as
// Flash, Shockwave, Acrobat, and Quicktime. If set to true, ALL plugins
// will be picked up and if set to false the scan will not happen at all
//pref("plugin.scan.4xPluginFolder", false);

As you can see there are entries for Sun Java, Adobe Acrobat, Apple Quicktime, the Windows Registry and Netscape plugins. Putting a comment in front of the plugin locations that should not be scanned will block those plugins from being started with Firefox (comments are added by adding // in front of a row). Update: The Sun entry was removed recently

As far as Quicktime, Windows Media Player, Adobe Acrobat and Java plugins are concerned, you got a second option. Instead of commenting the line out, you can increase the minimum version that you want to install. You can set it to 500 for instance, or the very latest version so that previous versions of the plugin are not picked up anymore.

Many Microsoft, Apple and Google plugins are added from the location in the Windows Registry. It is not advised to block that location completely as it also lists the Adobe Flash plugin in the Registry which would stop Flash support in the web browser. The only solution right now would be to go into the Registry and backup and remove the plugins that are not needed. If it were not for the Flash plugin the whole Registry location could be blocked from being scanned.

The programs will not add their plugins again to the Windows Registry unless they are updated or reinstalled. Another option to automatically block plugin installation (and display a prompt instead) is to use a software that will show a prompt before a specific Registry key is edited in Windows. A program like MJ Registry Watcher can do that. Simply add the HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins, HKEY_CURRENT_USER\Software\MozillaPlugins and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins keys to the list of keys protected by the program. You are informed then whenever a program wants to add a new key to these locations on Windows.

Now Read: Make sure Firefox plugins never active again

Summary
How To Stop Automatic Plugin Installations In Firefox
Article Name
How To Stop Automatic Plugin Installations In Firefox
Description
Find out how to block the installation of new plugins in the Firefox web browser.
Author
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. FrustratedFox said on March 20, 2015 at 1:12 am
    Reply

    Oh I do hope this works.
    I don’t even have java or flash installed and want to rid the plugins being installed.
    yet I have entries for the plugin and firefox constantly tells me to install them.

  2. Lpp said on April 17, 2013 at 4:13 pm
    Reply

    I hate that nazi crap installing spyware addons on my computer’s (google, adobe, M$, etc)
    piece of shit software… coming back to Opera for good….

  3. Ken Saunders said on April 17, 2012 at 1:32 am
    Reply

    Found this through a Google search. Actually, a few related ones of yours too.
    I had once deleted plugins through the registry, but I had forgotten the path.
    Thanks a lot.

    Good and helpful articles do not have an expiration date. :)

  4. Kie said on November 13, 2011 at 3:05 pm
    Reply

    all.js no longer exists

    It seems Mozilla do not want you to have control over addon installations, they have made it difficult from day one to stop the installations, having to jump through multiple complex hoops just to remove a plugin but no way to stop any new unknown plugins from infecting Firefox.

    I’m surprised there’s anyone who doesn’t have trojans right now because most people are browsing the web with out of date addons that have serious vulnerabilities.

    Why do Mozilla not allow the user control over whether Firefox enumerates plugins? And why do they not pop-up a choice box asking the user if they want any new plugin?

    Firefox actively searches for Quicktime and many other plugins and will happily allow old vulnerable plugins to run silently allowing a users PC to be infected with all kinds of nasty crap, without ever trying to update or automatically disable the bad plugins. Not to mention zero-day-exploits.

    Fucking stupid, they should be sued for gross incompetence and clean-up costs.

  5. dan said on March 27, 2011 at 1:26 pm
    Reply

    doesn’t work for Firefox 4 – any ideas?

  6. Taomyn said on April 27, 2010 at 9:48 am
    Reply

    My tip, rather than comment the all.js entries out, use about:config and set the version values for each you want to disable to “999”, that way even after a Firefox upgrade which will re-write that file, the changes stick. Unless it finds version 999 or above, it won’t load them.

  7. Ken Mason said on February 14, 2010 at 8:33 am
    Reply

    To easily remove any plugin, first install the MR Tech Toolkit add-on. That will show you the actual ID (DLL) for each plugin. To remove any plugin, just search for that DLL in your Mozilla profile folder.and delete it. The next time FF starts, that plugin will be gone!

    BTW, it also shows you each add-on’s ID, and you can go directly to it’s install folder.

  8. ankit said on November 6, 2009 at 9:23 am
    Reply

    well that was good but there is easier way to stop automatic updates

    1.open Firefox browser
    2.go to tools —-options
    3. click advanced tab
    4.check —-“ask me what I want to do” under”when updates for Firefox are found” and click “OK”
    your done

    1. Anonymous said on February 16, 2010 at 7:32 am
      Reply

      thanks ankit. for tips…good..

  9. jj said on October 22, 2009 at 8:49 am
    Reply

    i hate auto addon crap
    just stop messing with my stuff and ASK before doing whatever you want to

    removing .net WPF, java, GOOGLE and any ADOBE crap is just stupid
    ASK and I MIGHT SAY YES

    disable and uninstall ARGHH

  10. me said on October 19, 2009 at 9:52 pm
    Reply

    Or you can go to options …advanced…update…and uncheck auto update…and manually do it….! Then you don’t have to install anything you don’;t want.

  11. Gennice said on October 18, 2009 at 9:39 pm
    Reply

    I have tweaked my Firefox many times and really made it somewhat different by performance and by apperance too, but I did not know about this one…

    Will definitely give it a try because sometimes I just don’t want some of them to install and add up to my RAM…

    Thanks!

  12. Transcontinental said on October 18, 2009 at 8:08 pm
    Reply

    Quite wise, thanks Martin. Digging sometimes does lead to non-official alternatives :)

  13. Junkmen said on October 18, 2009 at 4:30 pm
    Reply

    Thanks for the tip man, to be honest I did not even notice they (MS) installed their plugin untill I got that notification.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.