Sounds a good plan to me, but I can already imagine the whingeing...
"I don't care about all that stuff. I want my lol-cats NOW."
The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run. The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java …
> Sounds a good plan to me, but I can already imagine the whingeing...
> "I don't care about all that stuff. I want my lol-cats NOW."
And here is where it will fall down. This may slow down the non-interactive, drive-by exploits, but if Joe Pillock User wants lol-cats, then he (or she) will move heaven and hell to click through, accept, and ignore whatever they deem is standing between them and their funny kitties.
From the article:
> Generally speaking, Mozilla plans to activate click-to-run for all plugins by default, although the Adobe Flash Player plugin has been given a pass so far, owing to the prevalence of Flash content on the web.
Anyone else get a chill and a flashback to the "Click to enable embedded content" hackery from the Eolas patent troll ruling back in 2003?
Maybe I'm different - the very fact I come here, for starters - and have been running FF, with NoScript, AdblockPlus, Ghostery, Cookie Monster, and FlashBlock for many years. It's so long since I've had Java installed it seems like a distant bad dream. Doesn't stop me looking at Lolcats though.
Mary Jane Bogart wrote:
You do seem to be missing one addon though: BetterPrivacy. Even though you have Cookie Monster installed, BetterPrivacy prevents (NoScript-allowed) Flash from leaving LSOs (so-called "super cookies") on your computer, which can be used to track you just like a normal cookie, only they're more persistent, as most (all?) browsers don't have the built-in capacity to delete them, and they can be used to re-populate normal cookies. While Ghostery does have the capacity to delete LSOs on exit, it doesn't give you the possibility of keeping some LSOs and deleting all the rest, like BetterPrivacy does. For example, you may actually want to keep YouTube's Flash LSOs; with BetterPrivacy you can choose to do so, whereas Ghostery simply nukes all LSOs.
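The keep-some/delete-the-rest behaviour described in that comment is easy to reproduce outside the browser. The script below is an added example written for this thread, not code from BetterPrivacy or Ghostery: it inventories Flash Local Shared Objects (`.sol` files) by the domain that wrote them and deletes every one whose domain is not on a keep-list. It assumes the Flash Player's store layout of `<random-id>/<domain>/.../<name>.sol` under the `#SharedObjects` directory (on Linux that is `~/.macromedia/Flash_Player/#SharedObjects`, on Windows `%APPDATA%\Macromedia\Flash Player\#SharedObjects`); the root directory is a parameter, and `make_sample_tree()` builds a constructed tree so the code runs without a real Flash install. Keeping `macromedia.com` is an assumption of this example, since that directory holds the player's own settings rather than a site's tracking data.

```python
"""Inventory Flash LSOs (.sol files) by domain and prune all but a keep-list.

Added example for this thread; not part of any browser add-on.
Assumed store layout (Flash Player):  <root>/<random-id>/<domain>/.../<name>.sol
"""
import tempfile
from pathlib import Path

# Assumed default keep-list: the player's own settings live under macromedia.com.
DEFAULT_KEEP = {"macromedia.com"}


def find_lsos(root):
    """Return {domain: [Path, ...]} for every .sol file under root.

    The domain is the path component directly below the random profile-id
    directory; deeper subdirectories are path-scoped LSOs of the same domain.
    """
    root = Path(root)
    found = {}
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need at least (random-id, domain, name.sol)
            continue
        found.setdefault(parts[1], []).append(sol)
    return found


def prune_lsos(root, keep_domains, dry_run=False):
    """Delete LSOs of every domain not in keep_domains.

    Returns {"kept": sorted domains retained, "deleted": sorted paths removed}.
    With dry_run=True nothing is deleted, only reported.
    """
    keep = set(keep_domains) | DEFAULT_KEEP
    kept, deleted = set(), []
    for domain, files in find_lsos(root).items():
        if domain in keep:
            kept.add(domain)
            continue
        for sol in files:
            if not dry_run:
                sol.unlink()
            deleted.append(str(sol))
    return {"kept": sorted(kept), "deleted": sorted(deleted)}


def make_sample_tree():
    """Build a constructed LSO store in a temp dir and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="sharedobjects-"))
    sample = [  # constructed sample files, not real captured data
        "XZ12ABCD/www.youtube.com/soundData.sol",
        "XZ12ABCD/ads.example/tracker.sol",
        "XZ12ABCD/macromedia.com/support/flashplayer/sys/settings.sol",
    ]
    for rel in sample:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00\xbf")  # placeholder bytes; content is irrelevant here
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print("before:", sorted(find_lsos(root)))
    print(prune_lsos(root, {"www.youtube.com"}))
    print("after: ", sorted(find_lsos(root)))
```

Run it against your real store by passing that directory instead of the sample tree; use `dry_run=True` first to see what would go.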
Given that Flash has more vulnerabilities than Java shouldn't it be even more important to block it exactly because it's so widely used?
But there isn't much point in blocking all these plugins if they aren't going to fix their own problems, since the browsers are far less secure than any of the plugins.
I can't, off hand, think of a single Java powered lol-cat distribution channel.
Java is getting pretty obscure as a web plug-in nowadays. I still see it occasionally powering the odd "enhanced file uploader", and RealVNC optionally serves its own Java-based viewer as a web app, but I really can't recall the last time I saw it being used for run-of-the-mill graphic fluff.
Sadly, the same can't be said about Flash.
There are so many plugins to restrict content already, that so many people use, I can only assume that shit 'enhancements' like these come only after advertiser concessions.
What about TLS1.2? Or did that creep in when I wasn't looking ?
Having said that, the HTML5 shit-wave is yet to hit - I imagine the sponsors of Mozilla haven't yet updated their system to fully track that shit yet.
Something is fishy in Firefox world.
If only they would move the Favorite and Refresh buttons to the used LEFT side of the screen we might do something useful.
Yeah especially since security was supposed to be a big part of the original design of the language (at least the vm and bytecode part of the original Java implementation) and one of the big things SUN was touting originally for why its new fangled internet technology was going to take over the world.
Most of the critical CVEs allow not only breaking out of Java's sandbox but also having a shell with the rights of the user who invoked Java. To get root on the underlying OS, unless someone is stupid enough to run Java as root, you have to use another OS exploit from there. It may be technically possible to run something in kernel space on some platforms by exploiting a graphics bug, as some OSs do put part of the video driver in kernel space for performance reasons, which would mean the Java exploit could technically root the OS itself, but I haven't heard about any defects like this personally. They also would obviously not be cross-platform.
This is nice; Java is a hog. But what about multiprocess/threading per tab, which, as we all know, Chrome has?
At the very least nasty bits of java can be killed with its tab. Just like flash....
I know nothing else, just today I got bitten by the "can't cancel background download without closing whole sodding browser" problem....
I only accept this for Java because the update process could be better, and many morons are too damned lazy to keep the plugin up to date, which is /why/ they got pwned!
Flash should be driven off the internet; it is as secure as ActiveX was(n't), and can be even worse to update than Java because Adobe's FUpdate page regularly malfunctions now, and they make it /very/ hard to find a plain exe to work around their FUpdate page!
"UI Design Principle Fail" can get crammed where the Sun does not shine because they're clueless; I use Java stuff every day from various sites, and my CCTV cameras, and never got anything because I keep my machines up to date and secure.
Mozilla would do better, in Thunderbird and Firefox, to proactively smite the social engineering emails with zips attached, probably containing PDFs with that crypto-extortion nastiness embedded, because that is a far, far worse problem. It is so boring having to manually spot and delete this tricky poison in my IMAP Junk folder.
> Unfair, Flash should be treated worse, it's more dangerous!
Neither are anything but malware vector portals, but lately there have been more critical CVEs for Java. Probably due to Oracle still adding features instead of fixing its fundamental flaws. Adobe has largely quit adding features to Flash lately.
The difference is that though Java does have a security model, it is also a fully featured programming language with existing class libraries to do almost anything, so when you break out of the sandbox you have all the tools available to do anything you want. In addition, there is a much larger functional space to look for holes in. On the other hand, if the platform has no security model but only generates graphical output, you probably need to find a way of inserting new executable code to do anything. Add in the poor update handling and Java starts to look like an attractive target despite its security model.
You do know Flash does a lot more than internet cat videos, right? Granted, it does not quite have the attack surface of Java, but I think you are greatly underestimating its attack surface. Both are for hacks who can't handle their own memory management. Hello world programs should be multi megs in this brave new world.
I think it's time to break out the behavioral science:
- change the pop up to default to denying the plugin
- tell people how many other users have denied the plugin ("233,221,837 users chose 'deny' "). No need to say how many people chose 'allow', of course...
- give people a way to express their desire to have plug-in free operation on the target site. This is a bit unpleasant but sadly it works, as the response rates to the kinds of "call your senator to tell them to lay off Medicare" ads show. But it would certainly focus the minds of the operators still using Flash and Java.
I feel a grant application coming on.
Go a step further: create a plug-in that checks for the presence of scripts on a site through a third party which verifies that they do what the site owner claims they are there for. If something unexpected shows up, you get a strongly worded warning in much the same way as an invalid certificate might generate. Of course, these are attacked on a regular basis and many site owners can't be bothered to keep theirs up-to-date, but these sites should probably be avoided anyway... There's probably money to be made in third party script validation, so there is some incentive for someone to implement something like this.
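The "third party verifies the scripts are what the site owner claims" idea above maps naturally onto hash pinning, which browsers already implement for `<script>` and `<link>` tags as Subresource Integrity (`integrity="sha384-<base64 digest>"`). The block below is an added example written for this thread, not code from the original post or from any browser: it produces an SRI metadata string for a script and checks fetched bytes against one, following the SRI rule that when several digests are listed only those using the strongest algorithm count. It goes one step beyond the comment by handling multiple tokens and malformed input. The sample script bytes are constructed; no real site or digest is involved. One deliberate deviation is noted in the code: a browser treats unusable integrity metadata as "no check", whereas a warning plug-in of the kind proposed would want to fail closed.

```python
"""SRI-style integrity metadata: generate and verify.

Added example for this thread; not browser or library code.
"""
import base64
import hashlib
import hmac

# Algorithms SRI allows, ranked so the strongest can be selected.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
RANK = {"sha256": 0, "sha384": 1, "sha512": 2}


def integrity_value(data: bytes, algo: str = "sha384") -> str:
    """Return the SRI metadata string for data, e.g. 'sha384-<base64 digest>'."""
    digest = ALGORITHMS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str):
    """Split a space-separated integrity attribute into (algo, base64) pairs.

    Tokens with unknown algorithms are ignored; SRI also allows '?options'
    after the digest, which are stripped here.
    """
    tokens = []
    for tok in integrity.split():
        algo, sep, rest = tok.partition("-")
        if sep and algo in ALGORITHMS:
            tokens.append((algo, rest.split("?", 1)[0]))
    return tokens


def check_integrity(data: bytes, integrity: str) -> bool:
    """True if data matches any digest given with the strongest listed algorithm.

    Deviation from the browser spec: with no usable token a browser performs
    no check at all; this checker fails closed because its job is to warn.
    """
    tokens = parse_integrity(integrity)
    if not tokens:
        return False
    strongest = max(RANK[a] for a, _ in tokens)
    for algo, b64 in tokens:
        if RANK[algo] != strongest:
            continue  # weaker digests are ignored when a stronger one is present
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        actual = ALGORITHMS[algo](data).digest()
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    script = b"document.title = 'lolcats';\n"  # constructed sample script
    tag = integrity_value(script)
    print(tag)
    print("unmodified:", check_integrity(script, tag))
    print("tampered:  ", check_integrity(script + b"alert(1);\n", tag))
```

A third party in the poster's scheme would publish the `integrity_value` output for each script it has reviewed; the plug-in fetches the script, runs `check_integrity`, and warns on a mismatch the same way it would on a bad certificate.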
Yeah, so why does it also do all of the following:
1) has unrestricted access to the Internet
2) runs applets via the Java plugin
3) is not change-managed and/or rolled back every evening to a defined state
4) has no further security measures
5) is running Windows
Failure does not come from sticker printing.
My version of FF started blocking my old version of Flash a while back, requiring me to explicitly allow it just like this. I thought it was a great way to browse. I use a lot of Java apps at work and "always allow from this site" would not be a hindrance in any way. Nice one Moz.
This will be so fscking annoying. We use Java apps internally on our corporate network, and Firefox is the mandated browser. This "mozilla knows best" nannying of "we've disabled this plugin for your own good" gets my goat. Every time I'm 30 seconds late installing the latest patch/upgrade everything stops working until I bring my system up to whatever level Mozilla thinks it should be at.
Listen guys IT'S MY FUCKING COMPUTER AND I WILL DECIDE WHAT RUNS ON IT. Now take your plugin blocker crap and BUTT OUT. If I didn't want the plugin I wouldn't have installed it in the first place.
How long until they start hitting AdBlock, etc., since "our suppliers need you to watch the nice ads to pay for their services".
"IT'S MY FUCKING COMPUTER AND I WILL DECIDE WHAT RUNS ON IT."
I'm confused why you're getting angry... surely the whole purpose of this nice little feature in Firefox is to let you do just that? It gives a handy little pop-up so you can decide what apps you want to allow to run, instead of just allowing all Java apps to run regardless.
Read the comments in the thread at: https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c0
Already, FF simply refuses to run any Java app unless the very latest version of the plugin is installed, and I often don't have the time to drop everything and upgrade Java (which also requires a browser restart, losing all open work).
Now it's going to question me about every Java app I try, with no way to say "Just always run Java, stop asking"?
If I didn't want to run Java, I would uninstall the fucking plugin. I am angry because my computer is a tool, not my Mummy. I tell IT what I want to do, not the other way around.
The Java update procedure for the average end user (think the average home user who doesn't know the difference between a process and a processor) is so user-unfriendly that they usually wind up skipping the Java update, creating most of the vulnerable systems with Java installed on them in the first place.
Oracle needs to fix Java update.
Biting the hand that feeds IT © 1998–2019