Flash and Java.
Both disabled by default. No site is whitelisted for Flash as even BBC.com has served malware.
Only whitelisted Javascript.
While loads of sites use Flash and Javascript, I can't remember the last time a website wanted actual Java, so it's surprising ANY malware writers bother with it. Flash is the low hanging fruit, followed by hijacking an advertiser's domain and thus getting "reputable" web sites to distribute malware via java script because most people either don't run Noscript or enable whole page rather than whitelisting important bits. Some sites (Twitter, Google, Facebook etc) only get temporarily enabled for session. because of the evil tracking scripts in the buttons/icons people sprinkle on their sites.
It would be better if the icon was static HTML with an argument. But that would not suit the parasites.
If website wants me to see an advert, it's simple. Put a static jpeg + text ON YOUR OWN SERVER you moron!
Otherwise I will block it FOREVER.
Biting the hand that feeds IT
