Slashdot Mirror


Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.


  1. also applies to flash and acrobat by slashdice · · Score: 5, Insightful

    how's them apples?

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:also applies to flash and acrobat by i+kan+reed · · Score: 3, Funny

      That's why we all have flashblock, right?

    2. Re:also applies to flash and acrobat by Anonymous Coward · · Score: 1

      Not all of us choose to run the big brother browser.

    3. Re:also applies to flash and acrobat by Anonymous Coward · · Score: 1

      It's not big brother if you choose to use the open source chromium instead.

    4. Re:also applies to flash and acrobat by Gr8Apes · · Score: 1

      Heck, all of the majors and even some minors have this capability built in or via a plugin (I don't know about IE though). Who runs without one? Some of us want more than just click to play, however.

      --
      The cesspool just got a check and balance.
    5. Re:also applies to flash and acrobat by tepples · · Score: 3, Interesting

      To run Chromium without the proprietary extras that come with Google Chrome, Google's solution is "compile it yourself", as far as I can find. Many GNU/Linux distributors provide Chromium, but the "Beta or Dev channel" link on Google's "getting involved" page points at Google Chrome including proprietary extras. Or are Windows and OS X "big brother operating systems" that defeat the purpose of running open source Chromium?

    6. Re:also applies to flash and acrobat by Sigma+7 · · Score: 2

      Click to play is built into Chrome these days.

      Users shouldn't have to hunt for a specific browser just to keep safe. Likewise, they shouldn't have to hunt for a specific extension to keep safe either, as those features should be built-in to the browser.

      Also, the main security flaw is automatically executing anything that gets fed into the browser - and JavaScript security issues had remained unchecked for 10+ years, and still are as demonstrated by visiting a random webpage only to be directed to "Your java is outdated, please update". (Did they learn nothing from the Boot-Sector Virus era?)

    7. Re:also applies to flash and acrobat by Rob+Y. · · Score: 1

      It's not big brother if you don't point it at Google sites either. Whether or not you think Google is Big Brother, it doesn't much matter what browser you use - if you use their sites, they get what they get. And yet the meme lives on:

        1. Google sells your info to third parties (it doesn't)
        2. Chrome somehow gives more of your info to Google than other browsers do (it doesn't)
        3. Somehow the alternatives are better (they're not)

      Why, it's almost as if a huge company had mounted a multimillion dollar "Scroogled" ad campaign to get that idea out there...

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    8. Re:also applies to flash and acrobat by BitZtream · · Score: 1

      Speaking of Apples ... Safari already requires you to click to play Flash OR Java.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:also applies to flash and acrobat by bill_mcgonigle · · Score: 4, Interesting

      That's why we all have flashblock, right?

      This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.

      I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:also applies to flash and acrobat by gnunick · · Score: 1

      Preferences > Show advanced settings > content settings > Plugins > click to play.

      When it's hidden so deeply (in Chromium) that I had to keep referring back to your instructions to find exactly where it was, I'd say that installing Flashblock is about 10x easier. In any case, thanks for the tip.

      Aside from compatibility testing, about the only reason I ever use Chromium is for viewing sites which break with Firefox+Flashblock. So I guess I'll find out before long if Chromium's "click to play" feature is any better on such obnoxious sites.

      Click-to-play should be the default for all video and/or sound-producing content, with the ability to easily whitelist sites you trust.

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    11. Re:also applies to flash and acrobat by Rob+Y. · · Score: 1

      Scroogled was meant to get you to distrust Google in general. Chrome gets some spillover from that. Duh.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    12. Re:also applies to flash and acrobat by bhcompy · · Score: 1

      Last I recall Chromium does not have native Flash playback like Chrome

    13. Re: also applies to flash and acrobat by Anonymous Coward · · Score: 1

      Why not provide users with an opportunity to learn exactly what's going on behind the pretty scenery of their webpages, java scripts, html headers and the server side requests they enable?

      Personally, I have ALWAYS been bothered by the fact that as an unsophisticated user I do not have the option to exercise real time granular control over what data is sent or which scripts are allowed to interact with my browser. But even when I run NoScript, RoadBlock, et al, there is no facility by which I am allowed to understand what functionality will be provided from the server or client side when I click 'Allow'. Mozilla must certainly be aware that we're not all programmers.

    14. Re:also applies to flash and acrobat by Anonymous Coward · · Score: 4, Insightful

      I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps.

      That's crazy talk. Browser vendors *are* innovating. Why just yesterday my computer automatically upgraded to Firefox ESR 31. I was surprised to discover in this new version that Mozilla has rearranged the browser display and hidden more options and buttons behind a single menu button. If you thought it was easy to get to a button with a single click, just wait until you have to make several more clicks to do the same thing. Now that's innovation and forward thinking!

      And I can't forget to mention that the browser tabs now have rounded edges. Browser vendors are at the cutting edge of innovation, bringing the public the things they need most. You just weren't paying attention.

    15. Re: also applies to flash and acrobat by Anonymous Coward · · Score: 1

      Your position is nonsense.

      If "we're not all programmers", how do you expect anyone to "exercise real time granular control over what data is sent"?

      If you cannot understand their web application, how on Earth do you expect to exercise real control over the data? Never mind doing it in real time.

      Develop the necessary expertise, accept the options that are available, or STFU. Your post is, quite frankly, little more than an empty whine.

    16. Re:also applies to flash and acrobat by antdude · · Score: 1

      I dumped it after Mozilla added start plugin on demand options.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    17. Re:also applies to flash and acrobat by tepples · · Score: 1

      Chromium is free software. Google Chrome isn't because Adobe, MPEG-LA, and MPAA won't allow it.

    18. Re:also applies to flash and acrobat by CauseBy · · Score: 1

      "I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps."

      FWIW, when they do that most people on Slashdot complain. Damned do/don't, and all that.

    19. Re:also applies to flash and acrobat by david_thornley · · Score: 1

      Nah, I use NoScript. It's a bit of a pain, but I really don't like random people running programs of their choosing on my computer, no matter in what language or interpreter/compiler.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    20. Re:also applies to flash and acrobat by kmoser · · Score: 1

      how's them applets?

      FYFY

    21. Re:also applies to flash and acrobat by Shirley+Marquez · · Score: 1

      Not that fringe. Safari has a significant market share, mostly because of iOS, and quite a few people still use IE. If you use something that isn't one of those four, then I will agree that you are in a fringe minority.

      gs.statcounter.com lets you see the market share of various browsers, and also lets you select which platforms (desktop, mobile, tablet, and/or console) you want to look at. If you look at the total stats (including mobile) they have Chrome at just under 40%, IE at 14.5%, Firefox at 12.5%, and Safari at 8%. They break out the iPhone browser separately at 6.75% though that is another version of Safari. The Android browser has 7.25%; a big chunk of that is probably Chinese AOSP devices that don't have Chrome installed. Opera is around 4% and clearly most of that is mobile; on the version of the chart excluding mobile Opera only has 1.4%.

      The desktop only stats: Chrome 49%, IE 22.5%, Firefox 19.25%, Safari 5.25%. Everything else is noise. Safari jumps to 11.2% if you also include tablets, showing the importance of the iPad, and everything else edges down.

  2. Pot, This is Kettle by Anonymous Coward · · Score: 5, Insightful

    Adobe isn't exactly in the best position to be lobbing stones at others' houses of security.

    1. Re:Pot, This is Kettle by Anonymous Coward · · Score: 1

      My software is more secure than yours, especially when it is not run by users. *facepalm*

    2. Re:Pot, This is Kettle by rnturn · · Score: 2

      ``Adobe isn't exactly in the best position to be lobbing stones...''

      I cannot recall a single vulnerability assessment meeting at work where an Adobe product didn't come up.

      --
      CUR ALLOC 20195.....5804M
    3. Re:Pot, This is Kettle by sootman · · Score: 1

      People who live in flash houses.... :-)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  3. Hindsight... by MCROnline · · Score: 4, Funny

    ...is such a beautiful thing.

    1. Re:Hindsight... by amicusNYCL · · Score: 1
      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. Click-to-Play Would Improve Flash, Too by Lilith's+Heart-shape · · Score: 5, Interesting

    Click-to-Play makes flash videos better by making them less useful as advertisements. Content like Flash and Java should always, always require the user's consent before running. There's no excuse for doing otherwise. Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

    1. Re:Click-to-Play Would Improve Flash, Too by DigitalSorceress · · Score: 1

      I totally agree...

      That's why the browser I use for regular surfing doesn't have Flash, Java, Shockwave, or Silverlight.. and I browse with all scripting turned off and only enable the scripting needed to make the page work IF I trust the site.

      If I run into content I want - Netflix, a Youtube video, or some other similar thing, I switch to Chrome where I have those installed.

      --
      The Digital Sorceress
    2. Re:Click-to-Play Would Improve Flash, Too by countach · · Score: 2, Funny

      You realise the web site you are typing into now uses Javascript, and therefore you have just classified it as malware, right?

    3. Re:Click-to-Play Would Improve Flash, Too by Anonymous Coward · · Score: 5, Insightful

      If you think Java is JavaScript then you're wrong. And on the other hand, if you think JavaScript on Slashdot is "code that doesn't await the user's consent before running", I'd say you give consent for Slashdot to run JavaScript when you visit the site. Any third party JavaScript, however, is quite often pretty close to spyware/malware, but there are tools such as NoScript and Ghostery to limit when and how these scripts are run if they're even run at all.

    4. Re:Click-to-Play Would Improve Flash, Too by gstoddart · · Score: 1

      And you do realize that javascript is not the same as either Java or Flash in this regard, right?

      As to javascript, well, by now I'm sure many of us are only allowing after we whitelisted. My browsers reject it by default and have to have it enabled.

      But letting Java plugins and Flash plugins run without prompting has been a security hole for a very long time by now. it's not like people haven't known about it .. it's right up there with the stupidity of Windows doing an autorun of "hey, you put in a device, let me run the first bit of code I can see". What could possibly go wrong?

      I've treated flash like a security hole since it existed ... and I have almost never found myself giving a damn about the fact that I have it disabled (or not even installed).

      But letting an object hosted on a site but delivered by a 3rd party just execute arbitrary code? Hell, no. No way I'd trust that.

      --
      Lost at C:>. Found at C.
    5. Re:Click-to-Play Would Improve Flash, Too by countach · · Score: 2

      I know Java isn't Javascript, but no web site awaits consent before running Javascript. Slashdot basically wouldn't work in toto without javascript. Back in the old days it would have, but not now.

      The problem with this article is that I'm sure Oracle wanted Java to be more like the web's javascript, running by default and running everywhere. Unfortunately it was just a bit too bloated (and as it turns out, buggy) for the world to accept this proposal, and yet the world is perfectly happy to run javascript code without special permission.

    6. Re:Click-to-Play Would Improve Flash, Too by countach · · Score: 1

      In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.

    7. Re:Click-to-Play Would Improve Flash, Too by Anonymous Coward · · Score: 1

      In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.

      You obviously have forgotten about NoScript's userbase.

      If we're talking about first party javascript, you may have a point.

    8. Re:Click-to-Play Would Improve Flash, Too by tepples · · Score: 2

      Content like Flash and Java should always, always require the user's consent before running

      You realise the web site you are typing into now uses Javascript

      If you think Java is JavaScript then you're wrong.

      JavaScript is "like Flash and Java" to the same extent that Java is "like Flash".

      I'd say you give consent for Slashdot to run JavaScript when you visit the site.

      If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?

    9. Re:Click-to-Play Would Improve Flash, Too by tepples · · Score: 1

      I think the point is that NoScript's userbase is "very unusual" among the entire WWW client population.

    10. Re:Click-to-Play Would Improve Flash, Too by Wootery · · Score: 2

      Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

      That's overly broad. I run NoScript, and I like the idea of a world without JavaScript-based ads (or any unjustified use of JavaScript, ideally) but I'd hardly call such adverts 'malware'.

    11. Re:Click-to-Play Would Improve Flash, Too by Sigma+7 · · Score: 1

      If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?

      Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript (which is supposed to be limited to the browser). Plugins wouldn't have been necessary if JavaScript could do anything the plugin could. The situation may have changed since the introduction of plugins and Javascript, but the implication remains the same.

      That, and because I said so.

    12. Re:Click-to-Play Would Improve Flash, Too by cowwoc2001 · · Score: 1

      Why stop there? How about click-to-play for Javascript?

      My point is that Javascript, Java and Flash are meant to run in a sandbox. They are all equally vulnerable to such bugs.

    13. Re:Click-to-Play Would Improve Flash, Too by tepples · · Score: 1

      Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript

      The system integration exposed to JavaScript programs by the HTML DOM has increased dramatically in the HTML5 era. It now has clipboard manipulation *cough*Tynt*cough*, an API to read and write user-selected files, etc.

    14. Re:Click-to-Play Would Improve Flash, Too by Lilith's+Heart-shape · · Score: 1

      We already have click-to-play for JS on Firefox. It's called NoScript. The Flash equivalent is FlashBlock. :)

    15. Re:Click-to-Play Would Improve Flash, Too by Ksevio · · Score: 1

      Any third party JavaScript, however, is quite often pretty close to spyware/malware,

      Many sites use third-party javascript libraries such as jquery or will host javascript files on a CDN. That doesn't make them close to malware.

    16. Re:Click-to-Play Would Improve Flash, Too by Lilith's+Heart-shape · · Score: 1

      Then we DDOS ad servers.

    17. Re:Click-to-Play Would Improve Flash, Too by david_thornley · · Score: 1

      The original idea of Java in the browser was that it would be sandboxed, that applets would run only in the browser, and therefore that it was safe. I suspect Flash had the same intentions behind it. ActiveX was just stupid, back when what Microsoft knew about security was that it was towards the back of the dictionary. There's no fundamental difference in security between Java, Flash, and Javascript.

      Moreover, plugins and Javascript have different purposes. Plugins are what I install in my browser to do various things. Javascript in web pages is what other people want me to run.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    18. Re:Click-to-Play Would Improve Flash, Too by david_thornley · · Score: 1

      You may be technically correct. I'm sitting in my chair right now, so I'm not standing.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  5. Re:LOL Users are going to click obliviously by Anonymous Coward · · Score: 2, Funny

    Do you really think I'm going to click on that link?

  6. Re:Soooo true by jedidiah · · Score: 1

    Yes. Not automatically running untrusted code is MUCH MORE secure than just sticking your fingers in your ears and assuming the problem will be handled.

    Modern webpages are a rats nest of external scripts coming from who knows where. Browsers should not be enablers of this.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  7. LOL Users are going to click obliviously by Anonymous Coward · · Score: 1

    Is there a reason not to link to the SMBC comic, itself?
    http://www.smbc-comics.com/?id=3497#comic

  8. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  9. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  10. Introduced into browsers over the last year?!!! by Anonymous Coward · · Score: 1

    Konqueror already had this when I started using it in 2006.

  11. Re:April Fools? by canadiannomad · · Score: 1

    Maybe, and I mean this as a real MAYBE, they learned something from those vulnerabilities...

    --
    Hmm, the humour and sarcasm seem to have been lost on you.
  12. Re:April Fools? by Charliemopps · · Score: 1

    No, those were just Photoshopped in.


  13. Re:April Fools? by Anonymous Coward · · Score: 1

    Flash is not Adobe's fault, it's Macromedia's mess

    By buying Macromedia, they by default are a party to the blame. If they wanted, they could re-write the whole plugin; nah too much work...

  14. Re:LOL Users are going to click obliviously by Anonymous Coward · · Score: 1

    Good call. From the URL that looks like an ad-wrapper around imgur, so I tried punching the same ID into imgur itself, and voila!

  15. Breakage by brunes69 · · Score: 1

    Click to Play is great for the public web but it is important to remember that there is a huge darknet of private intranet sites as well. Click to play breaks a lot of Java intranet applications that assumed that the applet would load at page load time without any user interaction.

    1. Re:Breakage by gstoddart · · Score: 1

      Click to Play is great for the public web but it is important to remember that there is a huge darknet of private intranet sites as well. Click to play breaks a lot of Java intranet applications that assumed that the applet would load at page load time without any user interaction.

      Know whose problem that is? The owners of those private intranets and applications.

      Make the default click to play. If companies have stuff which is broken by that, change the setting and accept the general security risk when your users hit other websites and get hosed as a result of it.

      But deciding everyone else should be less secure because it might break the internal applications of companies ... well, that's just dumb.

      Of course, I've never agreed with Java and Flash on most websites ... in my experience, neither are actually used on any site I need to use or add anything of value. And both of them have historically been the source of more nuisance than benefit.

      Especially since Flash seems to be primarily used for advertising, and badly implemented site navigation. I'm not sure I've even seen any embedded java in any page I've seen for years.

      --
      Lost at C:>. Found at C.
    2. Re:Breakage by brunes69 · · Score: 1

      Sounds great. So are you going to volunteer the 10 million dollars to re-write the applications?

    3. Re:Breakage by drinkypoo · · Score: 2

      whitelisting

      a wasp stung my hand so my posts are short today but that says it all

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Breakage by gstoddart · · Score: 2

      No, that's the problem of the companies who own these apps. But it's not my problem.

      But making the overall internet less secure to account for the people who own these apps? Like I said, dumb.

      Make the default click-to-play. If people or corporations want to override that, then they can assume the risk.

      Making it insecure by default to accommodate corporations is stupid. There's already settings on my work IE that I can't change myself, so this is a solved problem. Corporations already manage those settings.

      Of course, this doesn't fix the fact that Java and Flash are still security holes waiting to happen. Flash has been dangerous to run for over a decade. And since Flash isn't click to play by default, for Adobe to be saying this is a bit of a joke.

      And Java? I honestly haven't seen any site outside of corporate apps which have used that in a very long time. I'm sure some still exist, but embedded Java in web pages seems to have almost gone away.

      It's time to stop treating browsers as things we trust to just say "oh, sure, you've got some code for me to run? Awesome, I'll get on that!". Since everybody uses them, someone is always going to try to exploit them -- and so far Flash and Java seem to be pretty rich targets.

      --
      Lost at C:>. Found at C.
  16. Letting code run without a prompt has been dumb by omfglearntoplay · · Score: 1

    I hate the powers that be who decided to get paid for advertising by infesting the world with malware. No doubt some people are making money and others are losing it in huge quantities.

  17. advice from people who are wrong might be wrong by dominux · · Score: 1

    a zero day vulnerability http://en.wikipedia.org/wiki/Z... does not become less zero dayish because you need to click to execute it. This is some executive who has misunderstood what his underlings actually do, and what they mean when they say they are dealing with a zero day issue.
    He ends up being right, for all the wrong reasons, and he is just saying words he doesn't fully comprehend.

    1. Re:advice from people who are wrong might be wrong by cshark · · Score: 1

      This is why software companies should never be run by business guys.

      --
      This signature has Super Cow Powers

  18. What about in house applets? by ErichTheRed · · Score: 1

    The reality of the Java situation is that it's not just consumers hosing their machine by visiting a website hosting an exploit. There are tons and tons of crappy internal Java applications running in businesses everywhere. A lot of them are poorly documented, or the developer isn't there anymore, or the consulting company who wrote it wants a million bucks every time you want a change. Like it or not, Java is the language of large business...I'm sure we're going to be talking about J2EE in 40 years the same way we talk about COBOL. Most of the "mainframe modernization projects" large businesses go through consist of hiring the lowest-bidder consulting body shop to rewrite all the business logic in J2EE running on WebSphere or WebLogic. The consulting shop chooses Java because they can get a bunch of fresh CS grads who have exposure to the language, and it's reasonably portable.

    I deal with this all the time. Java introduced the "expiration date" in version 1.7, and it took them months to add in a very poorly documented way to disable the dire warnings that our users get when running internal code. Microsoft made it worse by expiring the Java ActiveX controls that weren't on the absolute latest versions as of August. At least they provided a policy to shut it off right from the start.

    1. Re:What about in house applets? by countach · · Score: 1

      You seem to be confusing some very different issues: Java code running in J2EE on servers, and users running Java applications on their client machines.

      For sure Oracle totally screwed up their client machine warnings to users, and I'm still not convinced they have got it right; it's nearly impossible to understand Oracle's documentation or make it work as advertised.

      On the other hand, servers aren't particularly vulnerable to most of these exploits because they assume you already have the ability to run the code in question. J2EE servers don't let just anyone run code.

    2. Re:What about in house applets? by ErichTheRed · · Score: 1

      The thing about J2EE was to illustrate that Java is everywhere. Most of those J2EE systems have a Java applet-based front end provided by the same consulting company that wrote the back end. Hence, million-dollar change orders to get it to support something other than JRE 1.6.51 running on IE 6 (as an example.)
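Rolling out click-to-play as the default while whitelisting the in-house applets discussed in the Breakage thread and in this one starts with knowing which pages embed plugin code and which host serves it. The inventory script below is an added example, not code from the Slashdot thread or from any project it mentions; the page URL, hostnames and HTML it parses are constructed for illustration.

```python
"""Inventory Java/Flash plugin content embedded in an HTML page (added example).
Lists what each <applet>, <object> and <embed> would load and whether the code is
served from a host other than the page's own. All sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

JAVA_TYPES = {"application/x-java-applet", "application/x-java-vm", "application/x-java-bean"}
FLASH_TYPES = {"application/x-shockwave-flash"}


def classify(mime, src):
    """Decide whether an element would load Java, Flash or something else."""
    mime = (mime or "").lower()
    path = urlsplit(src or "").path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if mime in JAVA_TYPES or ext in ("jar", "class"):
        return "java"
    if mime in FLASH_TYPES or ext == "swf":
        return "flash"
    return "other"


class PluginInventory(HTMLParser):
    """Collects plugin elements and resolves the URL of the code they load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []
        self._objects = []  # attrs of open <object> elements; <param> children refine them

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._record("java", a.get("codebase"), a.get("archive") or a.get("code"), tag)
        elif tag == "embed":
            self._record(classify(a.get("type"), a.get("src")), None, a.get("src"), tag)
        elif tag == "object":
            self._objects.append(a)
        elif tag == "param" and self._objects:
            # <param name="movie"> (Flash) or name="code"/"archive" (Java) name the payload
            self._objects[-1].setdefault("param:" + a.get("name", "").lower(), a.get("value"))

    def handle_endtag(self, tag):
        if tag == "object" and self._objects:
            a = self._objects.pop()
            src = (a.get("data") or a.get("param:movie") or a.get("param:src")
                   or a.get("param:archive") or a.get("param:code"))
            self._record(classify(a.get("type"), src), a.get("codebase"), src, tag)

    def _record(self, kind, codebase, src, tag):
        base = self.page_url
        if codebase:  # codebase is a directory, so make sure it joins as one
            base = urljoin(self.page_url, codebase.rstrip("/") + "/")
        url = urljoin(base, src) if src else base
        host = urlsplit(url).hostname
        self.findings.append({"kind": kind, "tag": tag, "url": url,
                              "third_party": host is not None and host != self.page_host})


def inventory(page_url, html):
    """Parse a page and return unique (kind, url) findings in document order."""
    parser = PluginInventory(page_url)
    parser.feed(html)
    parser.close()
    seen, unique = set(), []
    for f in parser.findings:  # <embed> fallback inside <object> repeats the same payload
        key = (f["kind"], f["url"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def whitelist_plan(findings):
    """Hosts that would need a click-to-play exemption, grouped by plugin kind."""
    plan = {}
    for f in findings:
        plan.setdefault(f["kind"], set()).add(urlsplit(f["url"]).hostname)
    return {kind: sorted(hosts) for kind, hosts in plan.items()}


# Constructed intranet page mixing in-house applets with a third-party Flash banner.
SAMPLE_PAGE_URL = "https://intranet.example.corp/apps/timesheet/index.html"
SAMPLE_HTML = """<html><body>
<applet code="Timesheet.class" archive="timesheet.jar" width="600" height="400"></applet>
<object type="application/x-java-applet" data="../legacy/Report.jar">
  <param name="code" value="Report.class"></object>
<object type="application/x-shockwave-flash">
  <param name="movie" value="//cdn.example-ads.net/banner.swf">
  <embed src="//cdn.example-ads.net/banner.swf" type="application/x-shockwave-flash"></object>
<embed src="https://intranet.example.corp/media/intro.swf" type="application/x-shockwave-flash">
<object data="logo.png" type="image/png"></object>
</body></html>"""
```

Calling `inventory(SAMPLE_PAGE_URL, SAMPLE_HTML)` flags the ad-network `.swf` as third-party while both applets resolve to the intranet host, and `whitelist_plan` reduces the findings to the per-host exemptions an administrator would have to grant.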

  19. Pot calling kettle black? by janoc · · Score: 1

    Enough said ...

    1. Re:Pot calling kettle black? by cshark · · Score: 1

      Translation: I'm upset that people are still using Java, when Flash is clearly a superior platform.

      --
      This signature has Super Cow Powers

  20. Re:April Fools? by higuita · · Score: 1

    Yeh right, then all the security problems with Acrobat reader plugin were my imagination!!
    I still don't understand why a READ-ONLY print format needs a programming language and interactivity (hint: it doesn't! and that is why almost all other pdf readers ignore that)

    --
    Higuita
  21. Re:LOL Users are going to click obliviously by Crashmarik · · Score: 1

    Yes laziness
    Apparently the SMBC site doesn't tag its comics well enough for google to find them or put them anywhere near the top of its rankings

    Only so much effort that I am willing to make to point out the ridiculousness of this story. There are still corporate intraweb sites running on IE 6 because developers and users just didn't give a crap. Users of course are the ultimate culprits and will turn off security settings faster than you can say i can haz cheezburger. Enabling click to play isn't even a speedbump.

  22. Click to play is only small roadblock by Stan92057 · · Score: 1

    Click to play is only a small roadblock; it's no different than click to install and we all know how well that roadblock has worked. Users must be far better educated. "Nothing is safe" should be the theme of the internet and all computer programs. And we can't count on Microsoft or Adobe or Google to tell us the truth. And each of these has been fined triple digit millions of dollars for breaking the customers' trust in one way or another.

    --
    Jack of all trades, master of none
  23. Your use of "inherent" confuses me by tepples · · Score: 2

    Flash and Java are inherently more insecure than JavaScript.

    In what sense do you mean "inherently"? Do you mean that it would be theoretically impossible to interpret .swf and .jar files in JavaScript? The existence of a PC emulator written in JavaScript defeats that. So you must mean "inherently" in another sense.

    Running arbitrary code on a user's computer using JavaScript is rather difficult on any modern browser.

    What "inherent" advantage of JavaScript over SWF and JVM makes this the case?

    Also, JavaScript is very widely adopted and a core function in today's web design whereas Flash and Java are slowly being phased out from web applications.

    How would one go about phasing Flash out of, say, Newgrounds or Albino Blacksheep or Weebl's Stuff?