Andrew Joakimsen
Feb 16, 2013, 2:54:20 AM
to Doug Turner, Brian Smith, dev-tech-plugins, dev-se...@lists.mozilla.org, mozilla.dev.planning group, dev-apps-firefox List
I would like to see an example of how click-to-play could be "clickjacked."
Sent from my iPhone
On Feb 15, 2013, at 11:45 PM, Doug Turner <doug....@gmail.com> wrote:
> On 2/15/13 3:11 PM, Brian Smith wrote:
>>> From http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
>>
>> 'Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware.
>>
>> [...]
>>
>> The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."'
>>
>> Cheers,
>> Brian
>
>
> The worst part of this is that most users don't have security engineers
> detecting the compromise. People's machines will just get owned and
> these users will probably not know it.
>
> I know CTP is a step forward on blocking many of these plugins. But I
> think we all know that this approach can probably be worked around by
> click-jacking. There are ways to improve or reduce the likelihood of
> this (see bug 832481).
>
> Considering this, maybe it is time to not just click-to-play, but
> require users to go to some menu item (maybe "View / Enable Legacy
> Mode") to enable Java, and other less useful and typically more
> vulnerable NPAPI plugins.
>
> Just a thought.
> Doug
>
>
> _______________________________________________
> dev-apps-firefox mailing list
> dev-apps...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-apps-firefox
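The clickjacking risk Doug raises, and the kind of occlusion check that can reduce it, as an added example that is not part of this thread, of Firefox, or of bug 832481. It is a toy model of a page's stacking order run under Node: the attacker's page places the click-to-play (CTP) placeholder for a Java applet where the user expects a harmless button, so the click that "plays a video" actually activates the plugin. The element ids, the layout model (boxes with z-order, CSS opacity and pointer-events), the click coordinates and the MIN_OPACITY / MIN_SIZE thresholds are all assumptions made for the example; the sample layouts are constructed, not taken from any real page.

```javascript
// Added example, not code from the thread or from Firefox. Toy model of a
// page's element stack, the click hit-test a browser performs, and two
// click-to-play policies run against it: a naive one that activates the
// plugin whenever its placeholder receives the click, and a hardened one
// that first checks the placeholder is really what the user saw.

// A box in page coordinates; higher z paints on top. opacity and
// pointerEvents model the CSS properties a clickjacking page abuses.
function box(id, x, y, w, h, z, opts = {}) {
  return { id, x, y, w, h, z, opacity: 1, pointerEvents: 'auto', ...opts };
}

function contains(b, px, py) {
  return px >= b.x && px < b.x + b.w && py >= b.y && py < b.y + b.h;
}

// What is painted at a point, topmost first: the user's view of that pixel.
function paintedAt(layout, px, py) {
  return layout.filter(b => contains(b, px, py) && b.opacity > 0)
               .sort((a, b) => b.z - a.z);
}

// Which element receives a click at a point: the topmost element that does
// not opt out of hit-testing, regardless of how (or whether) it is painted.
function hitTarget(layout, px, py) {
  return layout.filter(b => contains(b, px, py) && b.pointerEvents !== 'none')
               .sort((a, b) => b.z - a.z)[0];
}

// Naive CTP: a click delivered to the placeholder activates the plugin.
// Clickjacking only needs the placeholder to win the hit-test, not to be
// visible, so an invisible placeholder over a decoy button is enough.
function naiveClickToPlay(layout, pluginId, px, py) {
  const target = hitTarget(layout, px, py);
  return target && target.id === pluginId ? 'activated' : 'ignored';
}

// Assumed thresholds for the hardened policy.
const MIN_OPACITY = 0.9; // anything fainter is treated as hidden
const MIN_SIZE = 32;     // px; smaller than this cannot show its prompt

// Hardened CTP: refuse the in-content click unless the placeholder is
// painted near-opaquely, is large enough to read, and is the topmost
// painted element at the click point (so no decoy is drawn over it, even
// one that passes clicks through with pointer-events: none). A real
// implementation would fall back to browser UI the page cannot overlay.
function hardenedClickToPlay(layout, pluginId, px, py) {
  const target = hitTarget(layout, px, py);
  if (!target || target.id !== pluginId) return 'ignored';
  if (target.opacity < MIN_OPACITY) return 'blocked: placeholder not visibly painted';
  if (target.w < MIN_SIZE || target.h < MIN_SIZE) return 'blocked: placeholder too small';
  const seen = paintedAt(layout, px, py)[0];
  if (!seen || seen.id !== pluginId) {
    return 'blocked: placeholder covered by ' + (seen ? seen.id : 'nothing');
  }
  return 'activated';
}

// Constructed layouts (assumptions, not real pages).
// 1. Classic clickjack: near-transparent placeholder laid over a decoy.
const clickjackedLayout = [
  box('decoy-play-button', 100, 100, 160, 48, 1),
  box('java-applet',       100, 100, 160, 48, 2, { opacity: 0.01 }),
];
// 2. Pass-through decoy: opaque decoy painted on top, clicks fall through.
const passThroughLayout = [
  box('java-applet',       100, 100, 160, 48, 1),
  box('decoy-play-button', 100, 100, 160, 48, 2, { pointerEvents: 'none' }),
];
// 3. Honest page: placeholder visible and uncovered.
const honestLayout = [
  box('article-text', 0, 0, 800, 600, 0),
  box('java-applet',  100, 100, 300, 200, 1),
];

const layouts = { clickjackedLayout, passThroughLayout, honestLayout };
for (const [name, layout] of Object.entries(layouts)) {
  console.log(name,
    '| naive:', naiveClickToPlay(layout, 'java-applet', 150, 120),
    '| hardened:', hardenedClickToPlay(layout, 'java-applet', 150, 120));
}
```

Both attacker layouts activate the plugin under the naive policy and are refused under the hardened one, while the honest layout activates under both. The check only reduces the likelihood, as Doug says: it does not cover every way a page can mislead the user about what a click does, which is the argument for moving activation out of page content and into browser chrome such as a menu item.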