Firefox – How to block new plugins from installing on Mozilla browsers (to prevent installation of malicious plugins)

firefox

The "Make your Firefox faster, safer and stable with few mouse clicks" article says that many companies install really DANGEROUS plugins in Firefox. I love Firefox but I must admit that it is a security risk since it allows plugin installation so easily. It should at least pop up a message like "A plugin was installed stealthily. Do you want to disable it?"

My question is (because I don't really want to uninstall Firefox) how can I make Firefox not accept new plugins? Maybe if I delete some files I can cripple Firefox plugin system until it is not working at all – but Firefox still works. I looked in my installed plugins (indeed I have that dangerous plugin installed) and I need none of them!

Best Answer

tl;dr ok sorry my answer may not be very readable but it incorporates several original research results that I successfully used in personal scope to block new plugins, while retaining addons.

ultra short version

  • there is now a restartless extension called new plugin disabler. it will disable each new plugin on startup! (most handy)

short version (additionally):

  • you can revoke write rights, keeping only read rights, from everyone (including the user 'Everyone') for <Firefox installation dir>/plugins. This would prevent any plugins from directory-based installing (as long as an installer doesn't replace the rights), except the few four that Firefox is prepared to know about.
  • you can try setting plugin.scan.plid.all to false in about:config. This disables firefox registry-based scanning for new plugins.
  • click to play: you can make firefox ask you each time a site needs a plugin whether to activate it. In about:config set plugin.default.state to 1 (meaning "clicktoplay"), and also set plugins.click_to_play to true.

  • when using windows, for configuring directory permissions, you can use cacls with psexec (link below) for system-level access, or perhaps the permission listing on right-click properties' security tab

  • when using windows, for extra registry protection, revoke write rights, keep read rights for HKEY_CURRENT_USER\Software\MozillaPlugins\plugin-id, HKEY_LOCAL_MACHINE\Software\MozillaPlugins\plugin-id, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\plugin-id. you can use regedit with the tool psexec -s -i regedit.exe (or regedt32.exe).

very long version

update 2014/06

additionally to my original answer:

even more additional info:


original answer

There's actually a way to prevent some, or all, plugins from "installing" but keep addons in Firefox. The problem is that on Windows, Firefox scans for plugins on some locations. On each of these locations can reside one or more plugins.

You can control how Firefox treats each of these locations but you cannot control how it treats individual plugins if the location lists more than one. Doing this involves multiple methods. Not all are nice.

Before getting into it, it's worth mentioning that there is also click to play, which will ask you to click before activating any plugin individually, if a webpage asks for any. It can be found in about:config as plugins.click_to_play. You can set it to true.

Now, first the nicer parts:

You shall go to the about:config page and filter for plugin.scan. Here, plid means a registry key location. The rest is for plugins that are handled individually.

pref("plugin.scan.SunJRE", "1.3");
pref("plugin.scan.Acrobat", "5.0");
pref("plugin.scan.Quicktime", "5.0");
pref("plugin.scan.WindowsMediaPlayer", "7.0");
pref("plugin.scan.plid.all", true);

The "1.3", etc. is the minimum version number that Firefox accepts. The recommendation is that for plugins you want to disable, set this value to 19.0. I've set it to 99.0 and it works in Firefox 18.

You can check the actual location of these plugins by the means described on Mozilla's KB. The idea is that you go to the about:plugins page to see active plugin's location. But you need to set plugin.expose_full_path to true first.

To disable all registry-based plugin location scanning, set plugin.scan.plid.all to false. The actual registry key is described on another page of the KB. I listed the keys later.

If you ever need to reset these about:config settings, right click on them and choose reset.

Now for the uglier part:

Firefox will look for plugins in <Firefox installation dir>/plugins. This was where plugins like Acrobat, QuickTime and Office installed themselves in my computer.

The setting that was controlling this directory was removed. That's why I choose to modify the access rights of this directory. Set the rights for all users to read-only. Then no new program will be able to write to it.

I guess you could do the same with the registry key, too. The actual registry keys are:

HKEY_CURRENT_USER\Software\MozillaPlugins\plugin-id
HKEY_LOCAL_MACHINE\Software\MozillaPlugins\plugin-id

And on 64-bit Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\plugin-id

(To set permission on a registry key, you right-click it and go for "Permissions...". You shall see it, but if you don't, try starting regedit with the tool psexec -s -i regedit.exe or using regedt32.exe if I recall it well.)

Just for the record, I've removed all access from the system user for the plugins dir, and Firefox didn't crash. Any new installation may, though.

For archiving purposes, I include the full URLs as text here:

plugin scanning: http://kb.mozillazine.org/Plugin_scanning . registry key: https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry#Plugins . location: http://kb.mozillazine.org/Issues_related_to_plugins#Plugin_location .

I've found these articles by browsing a category page listing all kind of interesting articles: http://kb.mozillazine.org/Category:Plugins
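
An added example, not part of the answer above and not Firefox code: a small Python check that reads the text of a profile's prefs.js or user.js and lists which of the plugin settings discussed in the answer are still at a value that accepts plugins. The function names, the 19.0 threshold default (the figure the answer gives as the recommendation) and the sample prefs are assumptions made for illustration.

```python
import re

# Matches lines such as: user_pref("plugin.scan.plid.all", false);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
# Defaults as listed in the answer; they apply when a pref is absent from the file.
DEFAULTS = {
    "plugin.scan.plid.all": True,
    "plugin.scan.SunJRE": "1.3",
    "plugin.scan.Acrobat": "5.0",
    "plugin.scan.Quicktime": "5.0",
    "plugin.scan.WindowsMediaPlayer": "7.0",
}

def parse_prefs(text):
    """Return {name: value}, decoding booleans, integers and quoted strings."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:  # integer, or an unexpected form kept verbatim
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return prefs

def audit(text, min_version=19.0):
    """Return names of prefs that still differ from the answer's settings."""
    prefs = {**DEFAULTS, **parse_prefs(text)}
    weak = []
    if prefs["plugin.scan.plid.all"] is not False:
        weak.append("plugin.scan.plid.all")        # registry scan still on
    if prefs.get("plugin.default.state") != 1:
        weak.append("plugin.default.state")        # not click-to-play
    if prefs.get("plugins.click_to_play") is not True:
        weak.append("plugins.click_to_play")
    for name in sorted(n for n, v in DEFAULTS.items() if isinstance(v, str)):
        try:
            blocked = float(prefs[name]) >= min_version
        except (TypeError, ValueError):
            blocked = False                        # unparsable minimum version
        if not blocked:
            weak.append(name)                      # plugin still accepted
    return weak

# Constructed sample prefs, not taken from a real profile.
SAMPLE = '''user_pref("plugin.scan.plid.all", false);
user_pref("plugin.default.state", 1);
user_pref("plugin.scan.Acrobat", "99.0");
// user_pref("plugins.click_to_play", true);'''
print(audit(SAMPLE))
```

The commented-out line in the sample is deliberately ignored, so plugins.click_to_play is reported even though its name appears in the file.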
