Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days
mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play had been enabled before Java was hosed by an armada of zero-day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix, introduced into browsers over the last year, stopped the then zero-day blitzkrieg in its tracks by forcing users to click a button to enable Java.
also applies to flash and acrobat (Score:5, Insightful)
Re:also applies to flash and acrobat (Score:4, Funny)
That's why we all have flashblock, right?
Re:also applies to flash and acrobat (Score:5, Interesting)
That's why we all have flashblock, right?
This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.
I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.
Re:also applies to flash and acrobat (Score:4, Insightful)
That's crazy talk. Browser vendors *are* innovating. Why just yesterday my computer automatically upgraded to Firefox ESR 31. I was surprised to discover in this new version that Mozilla has rearranged the browser display and hidden more options and buttons behind a single menu button. If you thought it was easy to get to a button with a single click, just wait until you have to make several more clicks to do the same thing. Now that's innovation and forward thinking!
And I can't forget to mention that the browser tabs now have rounded edges. Browser vendors are at the cutting edge of innovation, bringing the public the things they need most. You just weren't paying attention.
Re: (Score:2)
"I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps."
FWIW, when they do that most people on Slashdot complain. Damned do/don't, and all that.
Re: (Score:2)
I dumped it after Mozilla added start plugin on demand options.
Re: (Score:2)
Nah, I use NoScript. It's a bit of a pain, but I really don't like random people running programs of their choosing on my computer, no matter in what language or interpreter/compiler.
Re: (Score:1)
Not all of us choose to run the big brother browser.
Re: (Score:1)
It's not big brother if you choose to use the open source chromium instead.
Re: (Score:2)
It's not big brother if you don't point it at Google sites either. Whether or not you think Google is Big Brother, it doesn't much matter what browser you use - if you use their sites, they get what they get. And yet the meme lives on:
1. Google sells your info to third parties (it doesn't)
2. Chrome somehow gives more of your info to Google than other browsers do (it doesn't)
3. Somehow the alternatives are better (they're not)
Why, it's almost as if a huge company had mounted a multi
Re: (Score:2)
Scroogled was meant to get you to distrust Google in general. Chrome gets some spillover from that. Duh.
Re: also applies to flash and acrobat (Score:1)
Why not provide users with an opportunity to learn exactly what's going on behind the pretty scenery of their webpages, JavaScripts, HTML headers and the server-side requests they enable?
Personally, I have ALWAYS been bothered by the fact that as an unsophisticated user I do not have the option to exercise real time granular control over what data is sent or which scripts are allowed to interact with my browser. But even when I run NoScript, RoadBlock, et al, there is no facility by which I am allowed to un
Re: (Score:1)
Your position is nonsense.
If "we're not all programmers", how do you expect anyone to "exercise real time granular control over what data is sent"?
If you cannot understand their web application, how on Earth do you expect to exercise real control over the data? Never mind doing it in real time.
Develop the necessary expertise, accept the options that are available, or STFU. Your post is, quite frankly, little more than an empty whine.
Re: (Score:1)
Not that fringe. Safari has a significant market share, mostly because of iOS, and quite a few people still use IE. If you use something that isn't one of those four, then I will agree that you are in a fringe minority.
gs.statcounter.com lets you see the market share of various browsers, and also lets you select which platforms (desktop, mobile, tablet, and/or console) you want to look at. If you look at the total stats (including mobile) they have Chrome at just under 40%, IE at 14.5%, Firefox at 12.5%, an
Re: (Score:3)
Users shouldn't have to hunt for a specific browser just to keep safe. Likewise, they shouldn't have to hunt for a specific extension to keep safe either, as those features should be built-in to the browser.
Also, the main security flaw is automatically executing anything that gets fed into the browser - and JavaScript security issues had remained unchecked for 10+ years, and still are, as demonstrated by visiting a random webpage only to be directed to "Your java
Re: (Score:2)
Preferences > Show advanced settings > content settings > Plugins > click to play.
When it's hidden so deeply (in Chromium) that I had to keep referring back to your instructions to find exactly where it was, I'd say that installing Flashblock is about 10x easier. In any case, thanks for the tip.
Aside from compatibility testing, about the only reason I ever use Chromium is for viewing sites which break with Firefox+Flashblock. So I guess I'll find out before long if Chromium's "click to play" feature is any better on such obnoxious sites.
Click-to-play should be the default for all video
Re: (Score:2)
Speaking of Apples ... Safari already requires you to click to play Flash OR Java.
Re: (Score:1)
how's them applets?
FYFY
Pot, This is Kettle (Score:5, Insightful)
Adobe isn't exactly in the best position to be lobbing stones at others' houses of security.
Re: (Score:1)
My software is more secure than yours, especially when it is not run by users. *facepalm*
Re: (Score:3)
I cannot recall a single vulnerability assessment meeting at work where an Adobe product didn't come up.
Re: (Score:2)
People who live in flash houses.... :-)
Hindsight... (Score:4, Funny)
Re: (Score:2)
This is a job for Adobe "security boss" Brad Arkin! [youtube.com]
Click-to-Play Would Improve Flash, Too (Score:5, Interesting)
Re: (Score:2)
I totally agree...
That's why the browser I use for regular surfing doesn't have Flash, Java, Shockwave, or Silverlight.. and I browse with all scripting turned off and only enable the scripting needed to make the page work IF I trust the site.
If I run into content I want - Netflix, a Youtube video, or some other similar thing, I switch to Chrome where I have those installed.
Re: (Score:3, Funny)
You realise the web site you are typing into now uses Javascript, and therefore you have just classified it as malware, right?
Re:Click-to-Play Would Improve Flash, Too (Score:5, Insightful)
If you think Java is JavaScript then you're wrong. And on the other hand, if you think JavaScript on Slashdot is "code that doesn't await the user's consent before running", I'd say you give consent for Slashdot to run JavaScript when you visit the site. Any third party JavaScript, however, is quite often pretty close to spyware/malware, but there are tools such as NoScript and Ghostery to limit when and how these scripts are run if they're even run at all.
Re: (Score:3)
I know Java isn't JavaScript, but no web site awaits consent before running JavaScript. Slashdot basically wouldn't work in toto without JavaScript. Back in the old days it would have, but not now.
The problem with this article is that I'm sure Oracle wanted Java to be more like the web's javascript, running by default and running everywhere. Unfortunately it was just a bit too bloated (and as it turns out, buggy) for the world to accept this proposal, and yet the world is perfectly happy to run javascript c
Re: (Score:3)
Content like Flash and Java should always, always require the user's consent before running
You realise the web site you are typing into now uses Javascript
If you think Java is JavaScript then you're wrong.
JavaScript is "like Flash and Java" to the same extent that Java is "like Flash".
I'd say you give consent for Slashdot to run JavaScript when you visit the site.
If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?
Your use of "inherent" confuses me (Score:3)
Flash and Java are inherently more insecure than JavaScript.
In what sense do you mean "inherently"? Do you mean that it would be theoretically impossible to interpret .swf and .jar files in JavaScript? The existence of a PC emulator written in JavaScript defeats that. So you must mean "inherently" in another sense.
Running arbitrary code on a user's computer using JavaScript is rather difficult on any modern browser.
What "inherent" advantage of JavaScript over SWF and JVM makes this the case?
Also, JavaScript is very widely adopted and a core function in today's web design whereas Flash and Java are slowly being phased out from web applications.
How would one go about phasing Flash out of, say, Newgrounds or Albino Blacksheep or Weebl's Stuff?
Re: (Score:2)
Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript (which is supposed to be limited to the browser). Plugins wouldn't have been necessary if JavaScript could do anything the plugin could. The situation may have changed since the introduction of plugins and JavaScript, but the implication remains the same.
That, and because I s
Re: (Score:2)
Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript
The system integration exposed to JavaScript programs by the HTML DOM has increased dramatically in the HTML5 era. It now has clipboard manipulation *cough*Tynt*cough*, an API to read and write user-selected files, etc.
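The clipboard point above is easy to verify in working code. The block below is an added example for this thread, not code from the original post or from any real copy-tracking vendor: a plain-JavaScript "copy hook" of the kind the comment alludes to, which rewrites whatever the user copies without a plugin and without a prompt. The attribution URL and footer text are constructed assumptions, not any vendor's actual format; the rewrite logic is kept separate from the DOM wiring so it can be run outside a browser.

```javascript
// Added example (not from the original thread): a copy-hook in plain browser
// JavaScript. It demonstrates that page script alone can rewrite what lands on
// the user's clipboard. The footer format and URL below are constructed
// assumptions, not any real tracker's output.

// Pure function: build the replacement clipboard payload from the text the user
// actually selected. No DOM calls, so it can be exercised under Node as well.
function rewriteCopiedText(selectedText, pageUrl) {
  const trimmed = selectedText.trim();
  if (trimmed.length === 0) {
    return null; // nothing selected: leave the clipboard alone
  }
  // Constructed "attribution" footer of the kind copy-trackers append.
  return trimmed + "\n\nRead more: " + pageUrl;
}

// Install the hook on a Document. On every copy event the page replaces the
// clipboard contents with the rewritten version. The user is never asked.
function installCopyHook(doc, pageUrl) {
  doc.addEventListener("copy", function (event) {
    const selection = doc.getSelection ? doc.getSelection().toString() : "";
    const payload = rewriteCopiedText(selection, pageUrl);
    if (payload === null || !event.clipboardData) {
      return; // fall back to the browser's default copy behaviour
    }
    event.clipboardData.setData("text/plain", payload);
    event.preventDefault(); // suppress the default copy so our payload wins
  });
}

// Only wire it up when actually running in a browser; under Node there is no document.
if (typeof document !== "undefined") {
  installCopyHook(document, "https://example.com/article"); // assumed page URL
}
```

To see it in action, paste the block into the console of any page, select some text, copy it, and paste into a plain text editor: the footer appears. Nothing in the page asked for consent, which is the commenter's point; the only controls a user has are script blockers such as NoScript or checking what was actually copied before pasting it somewhere that matters.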
Re: (Score:2)
The original idea of Java in the browser was that it would be sandboxed, that applets would run only in the browser, and therefore that it was safe. I suspect Flash had the same intentions behind it. ActiveX was just stupid, back when what Microsoft knew about security was that it was towards the back of the dictionary. There's no fundamental difference in security between Java, Flash, and Javascript.
Moreover, plugins and Javascript have different purposes. Plugins are what I install in my browser to
Re: (Score:2)
Any third party JavaScript, however, is quite often pretty close to spyware/malware,
Many sites use third-party javascript libraries such as jquery or will host javascript files on a CDN. That doesn't make them close to malware.
Re: (Score:2)
And you do realize that javascript is not the same as either Java or Flash in this regard, right?
As to javascript, well, by now I'm sure many of us are only allowing after we whitelisted. My browsers reject it by default and have to have it enabled.
But letting Java plugins and Flash plugins run without prompting has been a security hole for a very long time by now. it's not like people haven't known about it .. it's right up there with the stupidity of Windows doing an autorun of "hey, you put in a devic
Re: (Score:2)
In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.
Re: (Score:1)
In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.
You obviously have forgotten about NoScript's userbase.
If we're talking about first party javascript, you may have a point.
Re: (Score:2)
Re: (Score:2)
You may be technically correct. I'm sitting in my chair right now, so I'm not standing.
Re: (Score:3)
Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.
That's overly broad. I run NoScript, and I like the idea of a world without JavaScript-based ads (or any unjustified use of JavaScript, ideally) but I'd hardly call such adverts 'malware'.
Re: (Score:2)
Why stop there? How about click-to-play for Javascript?
My point is that Javascript, Java and Flash are meant to run in a sandbox. They are all equally vulnerable to such bugs.
Re: (Score:1)
Good call. From the URL that looks like an ad-wrapper around imgur, so tried punching the same ID into imgur itself, and voila! [imgur.com].
LOL Users are going to click obliviously (Score:1)
Is there a reason not to link to the SMBC comic, itself?
http://www.smbc-comics.com/?id=3497#comic
Re: (Score:2)
Yes laziness
Apparently the SMBC site doesn't tag its comics well enough for Google to find them or put them anywhere near the top of its rankings
Only so much effort that I am willing to make to point out the ridiculousness of this story. There are still corporate intraweb sites running on IE 6 because developers and users just didn't give a crap. Users of course are the ultimate culprits and will turn off security settings faster than you can say i can haz cheezburger. Enabling click to play isn't even a
Comment removed (Score:5, Insightful)
Re: (Score:1)
Flash is not Adobe's fault, it's Macromedia's mess
By buying Macromedia, they by default are a party to the blame. If they wanted, they could re-write the whole plugin; nah too much work...
Re: (Score:2)
Yeh right, then all the security problems with Acrobat reader plugin were my imagination!!
I still don't understand why a READ-ONLY print format needs a programming language and interactivity (hint: it doesn't! and that is why almost all other PDF readers ignore that)
Re: (Score:1)
Maybe, and I mean this as a real MAYBE, they learned something from those vulnerabilities...
Re: (Score:2)
No, those were just Photoshopped in.
Introduced into browsers over the last year?!!! (Score:1)
Konqueror already had this when I started using it in 2006.
Breakage (Score:2)
Click to Play is great for the public web but it is important to remember that there is a huge darknet of private intranet sites as well. Click to play breaks a lot of Java intranet applications that assumed that the applet would load at page load time without any user interaction.
Re: (Score:2)
Know whose problem that is? The owners of those private intranets and applications.
Make the default click to play. If companies have stuff which is broken by that, change the setting and accept the general security risk when you
Re: (Score:2)
Sounds great. So are you going to volunteer the 10 million dollars to re-write the applications?
Re: (Score:3)
No, that's the problem of the companies who own these apps. But it's not my problem.
But making the overall internet less secure to account for the people who own these apps? Like I said, dumb.
Make the default click-to-play. If people or corporations want to override that, then they can assume the risk.
Making it insecure by default to accommodate corporations is stupid. There's already settings on my work IE that I can't change myself, so this is a solved problem. Corporations already manage those setti
Re: (Score:3)
whitelisting
a wasp stung my hand so my posts are short today but that says it all
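The "default to click-to-play, whitelist the intranet" position taken across the last few comments is essentially a policy-evaluation problem, and it has one well-known failure mode: a whitelist entry broad enough to quietly turn the default back into "run everything". The block below is an added example written for this page, not code from the thread or from any browser's source. It is a simplified model in which URL patterns take the shape of Chromium's content-settings patterns (an optional scheme, a host with an optional `[*.]` subdomain prefix, an optional port, or a bare `*`); the matcher itself, the `examplePolicy` object and the host names in it are constructed for illustration.

```javascript
// Added example (not from the original thread, not any browser's code): a
// simplified model of "click-to-play by default, whitelist the intranet".
// Pattern syntax mimics the shape of Chromium content-settings patterns
// ([*.]host, optional scheme and port, bare "*"), but this is a constructed
// re-implementation; the policy object below is likewise constructed.

// Parse a pattern such as "https://[*.]corp.example", "http://intranet:8080" or "*".
function parsePattern(pattern) {
  if (pattern === "*") {
    return { any: true };
  }
  const m = /^(?:(\*|[a-z][a-z0-9+.-]*):\/\/)?(\[\*\.\])?([^:/]+)(?::(\*|\d+))?$/i.exec(pattern);
  if (m === null) {
    throw new Error("unsupported pattern: " + pattern); // paths etc. not modelled here
  }
  return {
    any: false,
    scheme: m[1] ? m[1].toLowerCase() : "*", // no scheme means any scheme
    subdomains: m[2] !== undefined,          // "[*.]" prefix present
    host: m[3].toLowerCase(),
    port: m[4] ? m[4] : "*",                 // no port means any port
  };
}

// Decide whether a parsed pattern covers a URL.
function patternMatches(parsed, url) {
  if (parsed.any) return true;
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, "");
  const host = u.hostname.toLowerCase();
  // URL.port is "" for the scheme default; normalise so "http://x" and "http://x:80" agree.
  const defaults = { http: "80", https: "443" };
  const port = u.port !== "" ? u.port : (defaults[scheme] || "");
  if (parsed.scheme !== "*" && parsed.scheme !== scheme) return false;
  if (parsed.port !== "*" && parsed.port !== port) return false;
  if (host === parsed.host) return true;
  // Suffix match on a label boundary: "evil-corp.example" must not match "[*.]corp.example".
  return parsed.subdomains && host.endsWith("." + parsed.host);
}

// Resolve the plugin setting for a page: explicit block wins, then explicit allow,
// then the default. "click-to-play" is the posture argued for in the thread.
function pluginSettingFor(policy, url) {
  const hit = (list) => list.some((p) => patternMatches(parsePattern(p), url));
  if (hit(policy.blockedForUrls)) return "block";
  if (hit(policy.allowedForUrls)) return "autorun";
  return policy.defaultSetting;
}

// Constructed policy: public web is click-to-play, legacy applets under the
// (fictional) corp.example intranet autorun over plain http, one host is blocked.
const examplePolicy = {
  defaultSetting: "click-to-play",
  allowedForUrls: ["http://[*.]corp.example", "https://timesheet.corp.example:8443"],
  blockedForUrls: ["http://ads.corp.example"],
};

// Lint a policy before deploying it: flag allow entries so broad that they
// silently turn the whitelist back into "run everything".
function overlyBroadAllows(policy) {
  return policy.allowedForUrls.filter((p) => {
    const parsed = parsePattern(p);
    if (parsed.any) return true;
    // "[*.]" on a single label (no dot, e.g. "[*.]com") covers every host under that TLD.
    return parsed.subdomains && !parsed.host.includes(".");
  });
}
```

Two things the model makes visible that the prose does not: the allow entry for `http://[*.]corp.example` does not cover the same hosts over `https://` or on a non-default port, so a migrated intranet app falls back to click-to-play rather than silently autorunning, and an explicit block always beats an allow, which is how a single compromised intranet host can be cut off without rewriting the rest of the whitelist. Running `overlyBroadAllows` over a proposed policy catches entries like `*` or `[*.]com` that would defeat the whole exercise.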
Letting code run without a prompt has been dumb (Score:1)
I hate the powers that be who decided to get paid for advertising by infesting the world with malware. No doubt some people are making money and others are losing it in huge quantities.
advice from people who are wrong might be wrong (Score:2)
a zero day vulnerability http://en.wikipedia.org/wiki/Z... [wikipedia.org] does not become less zero dayish because you need to click to execute it. This is some executive who has misunderstood what his underlings actually do, and what they mean when they say they are dealing with a zero day issue.
He ends up being right, for all the wrong reasons, and he is just saying words he doesn't fully comprehend.
Re: (Score:2)
This is why software companies should never be run by business guys.
What about in house applets? (Score:2)
The reality of the Java situation is that it's not just consumers hosing their machine by visiting a website hosting an exploit. There are tons and tons of crappy internal Java applications running in businesses everywhere. A lot of them are poorly documented, or the developer isn't there anymore, or the consulting company who wrote it wants a million bucks every time you want a change. Like it or not, Java is the language of large business...I'm sure we're going to be talking about J2EE in 40 years the sam
Re: (Score:2)
You seem to be confusing some very different issues: Java code running in J2EE on servers, and users running Java applications on their client machines.
For sure Oracle totally screwed up their client machine warnings to users, and I'm still not convinced they have got it right; it's nearly impossible to understand Oracle's documentation or make it work as advertised.
On the other hand, servers aren't particularly vulnerable to most of these exploits because they assume you already have the ability to run the
Re: (Score:2)
The thing about J2EE was to illustrate that Java is everywhere. Most of those J2EE systems have a Java applet-based front end provided by the same consulting company that wrote the back end. Hence, million-dollar change orders to get it to support something other than JRE 1.6.51 running on IE 6 (as an example.)
Pot calling kettle black? (Score:2)
Enough said ...
Re: (Score:2)
Translation: I'm upset that people are still using Java, when Flash is clearly a superior platform.
Click to play is only small roadblock (Score:1)
Re: (Score:2)
Yes. Not automatically running untrusted code is MUCH MORE secure than just sticking your fingers in your ears and assuming the problem will be handled.
Modern webpages are a rat's nest of external scripts coming from who knows where. Browsers should not be enablers of this.