Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

Posted by Soulskill on from the of-pots-and-kettles dept.

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.

21 of 111 comments (clear)

  1. also applies to flash and acrobat by slashdice · · Score: 5, Insightful

    how's them apples?

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:also applies to flash and acrobat by i+kan+reed · · Score: 3, Funny

      That's why we all have flashblock, right?

    2. Re:also applies to flash and acrobat by tepples · · Score: 3, Interesting

      To run Chromium without the proprietary extras that come with Google Chrome, Google's solution is "compile it yourself", as far as I can find. Many GNU/Linux distributors provide Chromium, but the "Beta or Dev channel" link on Google's "getting involved" page points at Google Chrome including proprietary extras. Or are Windows and OS X "big brother operating systems" that defeat the purpose of running open source Chromium?

    3. Re:also applies to flash and acrobat by Sigma+7 · · Score: 2

      Click to play is built into Chrome these days.

      Users shouldn't have to hunt for a specific browser just to keep safe. Likewise, they shouldn't have to hunt for a specific extension to keep safe either, as those features should be built-in to the browser.

      Also, the main security flaw is automatically executing anything that gets fed into the browser - and JavaScript security issues had remained unchecked for 10+ years, and still are as demonstrated by visitng a random webpage only to be directed to "Your java is outdated, please update". (Did they learn nothing from the Boot-Sector Virus era?)

    4. Re:also applies to flash and acrobat by bill_mcgonigle · · Score: 4, Interesting

      That's why we all have flashblock, right?

      This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.

      I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:also applies to flash and acrobat by Anonymous Coward · · Score: 4, Insightful

      I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps.

      That's crazy talk. Browser vendors *are* innovating. Why just yesterday my computer automatically upgraded to Firefox ESR 31. I was surprised to discover in this new version that Mozilla has rearranged the browser display and hidden more options and buttons behind a single menu button. If you thought it was easy to get to a button with a single click, just wait until you have to make several more clicks to do the same thing. Now that's innovation and forward thinking!

      And I can't forget to mention that the browser tabs now have rounded edges. Browser vendors are at the cutting edge of innovation, bringing the public the things they need most. You just weren't paying attention.

  2. Pot, This is Kettle by Anonymous Coward · · Score: 5, Insightful

    Adobe isn't exactly in the best position to be lobbing stones at others' houses of security.

    1. Re:Pot, This is Kettle by rnturn · · Score: 2

      ``Adobe isn't exactly in the best position to be lobbing stones...''

      I cannot recall a single vulnerability assessment meeting at work where an Adobe product didn't come up.

      --
      CUR ALLOC 20195.....5804M
  3. Hindsight... by MCROnline · · Score: 4, Funny

    ...is such a beautiful thing.

  4. Click-to-Play Would Improve Flash, Too by Lilith's+Heart-shape · · Score: 5, Interesting

    Click-to-Play makes flash videos better by making them less useful as advertisements. Content like Flash and Java should always, always require the user's consent before running. There's no excuse for doing otherwise. Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

    --

    I write sci-fi for metalheads

    1. Re:Click-to-Play Would Improve Flash, Too by countach · · Score: 2, Funny

      You realise the web site you are typing into now uses Javascript, and therefore you have just classified it as malware, right?

    2. Re:Click-to-Play Would Improve Flash, Too by Anonymous Coward · · Score: 5, Insightful

      If you think Java is JavaScript then you're wrong. And on the other hand, if you think JavaScript on Slashdot is "code that doesn't await the user's consent before running", I'd say you give consent for Slashdot to run JavaScript when you visit the site. Any third party JavaScript, however, is quite often pretty close to spyware/malware, but there are tools such as NoScript and Ghostery to limit when and how these scripts are run if they're even run at all.

    3. Re:Click-to-Play Would Improve Flash, Too by countach · · Score: 2

      I know Java isn't Javascript, but no web site awaits consent before running Javascript. Slashdot basically wouldn't work en-toto without javascript. Back in the old days it would have, but not now.

      The problem with this article is that I'm sure Oracle wanted Java to be more like the web's javascript, running by default and running everywhere. Unfortunately it was just a bit too bloated (and as it turns out, buggy) for the world to accept this proposal, and yet the world is perfectly happy to run javascript code without special permission.

    4. Re:Click-to-Play Would Improve Flash, Too by tepples · · Score: 2

      Content like Flash and Java should always, always require the user's consent before running

      You realise the web site you are typing into now uses Javascript

      If you think Java is JavaScript then you're wrong.

      JavaScript is "like Flash and Java" to the same extent that Java is "like Flash".

      I'd say you give consent for Slashdot to run JavaScript when you visit the site.

      If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?

    5. Re:Click-to-Play Would Improve Flash, Too by Wootery · · Score: 2

      Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

      That's overly broad. I run NoScript, and I like the idea of a world without JavaScript-based ads (or any unjustified use of JavaScript, ideally) but I'd hardly call such adverts 'malware'.

  5. Re:LOL Users are going to click obliviously by Anonymous Coward · · Score: 2, Funny

    Do you really think I'm going to click on that link?

  6. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  7. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  8. Re:Breakage by drinkypoo · · Score: 2

    whitelisting

    a wasp stung my hand so my posts are short today but that says it all

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Re:Breakage by gstoddart · · Score: 2

    No, that's the problem of the companies who own these apps. But it's not my problem.

    But making the overall internet less secure to account for the people who own these apps? Like I said, dumb.

    Make the default click-to-play. If people or corporations want to override that, then they can assume the risk.

    Making it insecure by default to accommodate corporations is stupid. There's already settings on my work IE that I can't change myself, so this is a solved problem. Corporations already manage those settings.

    Of course, this doesn't fix the fact that Java and Flash are still security holes waiting to happen. Flash has been dangerous to run for over a decade. And since Flash isn't click to play by default, for Adobe to be saying this is a bit of a joke.

    And Java? I honestly haven't seen any site outside of corporate apps which have used that in a very long time. I'm sure some still exist, but embedded Java in web pages seems to have almost gone away.

    It's time to stop treating browsers as things we trust to just say "oh, sure, you've got some code for me to run? Awesome, I'll get on that!". Since everybody uses them, someone is always going to try to exploit them -- and so far Flash and Java seem to be pretty rich targets.

    --
    Lost at C:>. Found at C.
  10. Your use of "inherent" confuses me by tepples · · Score: 2

    Flash and Java are inherently more insecure than JavaScript.

    In what sense do you mean "inherently"? Do you mean that it would be theoretically impossible to interpret .swf and .jar files in JavaScript? The existence of a PC emulator written in JavaScript defeats that. So you must mean "inherently" in another sense.

    Running arbitrary code on a user's computer using JavaScript is rather difficult on any modern browser.

    What "inherent" advantage of JavaScript over SWF and JVM makes this the case?

    Also, JavaScript is very widely adopted and a core function in today's web design whereas Flash and Java are slowly being phased out from web applications.

    How would one go about phasing Flash out of, say, Newgrounds or Albino Blacksheep or Weebl's Stuff?