Slashdot Mirror


Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero-day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero-day blitzkrieg in its tracks by forcing users to click a button to enable Java.

10 of 111 comments

  1. also applies to flash and acrobat by slashdice · · Score: 5, Insightful

    how's them apples?

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:also applies to flash and acrobat by i kan reed · · Score: 3, Funny

      That's why we all have flashblock, right?

    2. Re:also applies to flash and acrobat by tepples · · Score: 3, Interesting

      To run Chromium without the proprietary extras that come with Google Chrome, Google's solution is "compile it yourself", as far as I can find. Many GNU/Linux distributors provide Chromium, but the "Beta or Dev channel" link on Google's "getting involved" page points at Google Chrome including proprietary extras. Or are Windows and OS X "big brother operating systems" that defeat the purpose of running open source Chromium?

    3. Re:also applies to flash and acrobat by bill_mcgonigle · · Score: 4, Interesting

      > That's why we all have flashblock, right?

      This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.

      I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:also applies to flash and acrobat by Anonymous Coward · · Score: 4, Insightful

      > I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps.

      That's crazy talk. Browser vendors *are* innovating. Why just yesterday my computer automatically upgraded to Firefox ESR 31. I was surprised to discover in this new version that Mozilla has rearranged the browser display and hidden more options and buttons behind a single menu button. If you thought it was easy to get to a button with a single click, just wait until you have to make several more clicks to do the same thing. Now that's innovation and forward thinking!

      And I can't forget to mention that the browser tabs now have rounded edges. Browser vendors are at the cutting edge of innovation, bringing the public the things they need most. You just weren't paying attention.

  2. Pot, This is Kettle by Anonymous Coward · · Score: 5, Insightful

    Adobe isn't exactly in the best position to be lobbing stones at others' houses of security.

  3. Hindsight... by MCROnline · · Score: 4, Funny

    ...is such a beautiful thing.

  4. Click-to-Play Would Improve Flash, Too by Lilith's Heart-shape · · Score: 5, Interesting

    Click-to-Play makes flash videos better by making them less useful as advertisements. Content like Flash and Java should always, always require the user's consent before running. There's no excuse for doing otherwise. Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

    1. Re:Click-to-Play Would Improve Flash, Too by Anonymous Coward · · Score: 5, Insightful

      If you think Java is JavaScript then you're wrong. And on the other hand, if you think JavaScript on Slashdot is "code that doesn't await the user's consent before running", I'd say you give consent for Slashdot to run JavaScript when you visit the site. Any third party JavaScript, however, is quite often pretty close to spyware/malware, but there are tools such as NoScript and Ghostery to limit when and how these scripts are run if they're even run at all.

  5. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion