So other than that yellow bar at the top displaying "install plugins", there's nothing else?
I had a recent thread on internet safety with a Mac. I learned a password will be asked for before installing any sort of malware/trojan. At what point does that prompt take place? How am I safe if it doesn't ask for a password?
Right, you'll just get a yellow bar asking you to install that particular plugin. Once you click it, it will download the plugin installer to your desktop or downloads folder and if you run that installer ... it will then ask you for an admin password.
It's just like installing apps. If you are in standard mode, once you drop the app into the Applications folder it will ask you for the password.
And that's the default setting already, right? No need to mess around with any settings?
btw, here's the link to the safety thread I'm referring to: https://forums.macrumors.com/threads/1146986/
Are you running as an Admin user (which is default) or Standard user?
If standard, then any plugin that wants to install itself will ask you with that yellow bar in Firefox. If you know that the plugin is good and not malicious, it will then redirect you to a page to download the .dmg installer. This will download to your downloads folder. From there, you will double click it and it will prompt you with an admin password dialog. You enter your credentials and it's installed.
As for this being the default setting, yes it is the default as long as you are a standard user. If in admin, the same process applies ... but in the end it will not prompt you for a username/password to install.
I really hope this helps clear up the confusion. Basically follow what GGJstudios said about unchecking "Enable Java and open 'Safe' files" in Safari. In Firefox, you don't have to do that as "Enable Java" isn't an active preference and Firefox doesn't automatically open "safe" files.
TL;DR: Make yourself a "standard" user in System Preferences>Accounts and use common sense when surfing and downloading items from the Internet.
Yes, I'll follow your advice of common sense surfing. That's best. Nothing is completely 100% safe.
I think I'm already admin (as I'm the only user that uses my Mac & haven't changed any of those settings since my computer was brand new)
When I lock/unlock KeyChain for example it does ask me for a password though.
Yes, I let my Firefox update its plugins automatically.
Thanks for all your help too!
Alright, think about changing to a standard user account if you really want to be protected. It's a bit of a pain though. You have to constantly enter your admin username/password anytime you want to install anything, whether it is OS X updates or apps to your App folder. It's worth the pain though, especially when that day comes when OS X becomes a big target for virus/trojan writers.
See this tutorial: http://www.helpdesk.umd.edu/os/macosx/security/4669/
If you want more information about OS X security, feel free to ask. Here are more resources if you are interested.
http://www.princeton.edu/servers/osxsecurity/
http://research.corsaire.com/whitepapers/technical.html
http://research.corsaire.com/whitepapers/080818-securing-mac-os-x-leopard.pdf (it automatically downloads the PDF)