Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.

Click-to-Play Would Improve Flash, Too

[Lilith's+Heart-shape]

Click-to-Play makes flash videos better by making them less useful as advertisements. Content like Flash and Java should always, always require the user's consent before running. There's no excuse for doing otherwise. Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

Re:also applies to flash and acrobat

[tepples]

To run Chromium without the proprietary extras that come with Google Chrome, Google's solution is "compile it yourself", as far as I can find. Many GNU/Linux distributors provide Chromium, but the "Beta or Dev channel" link on Google's "getting involved" page points at Google Chrome including proprietary extras. Or are Windows and OS X "big brother operating systems" that defeat the purpose of running open source Chromium?

Re:also applies to flash and acrobat

[bill_mcgonigle]

That's why we all have flashblock, right?

This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.

I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.