According to Albus Dumbledore:

“You see, we have not been able to keep a Defence Against the Dark Arts professor for more than a year since I refused the post to Lord Voldemort.”

Several recent events have shown how dangerous it is to hand control to a proprietary binary, especially one with a rather disastrous security track record. A zero-day Flash exploit was used to attack the big security firm RSA. At the last Pwn2Own, Chrome was exploited, most likely through the bundled Flash plugin, even though Chrome sandboxes its plugins. A fake Vodafone billing email was circulating, mostly targeting Germans, with an attached malicious PDF that leveraged an Adobe Reader exploit to automatically download the real trojan payload. A huge number of Mac systems were recently infected by the Flashback botnet, which originally spread as a fake Flash installer and now takes advantage of Java vulnerabilities. While that was still hot, the SabPub malware surfaced, this time using a Word security hole to trigger a backdoor.

Browser security needs to be hardened, otherwise users are left out in the open. It’s no wonder that a future version of Firefox may have built-in support for plugin opt-in, also known as click-to-play. For the current version of Firefox, one solution is the Flashlock add-on: Flash content in a web page is blocked instead of being played immediately, and an explicit click from the user is needed to activate it. For those on Safari, ClickToPlugin and ClickToFlash offer similar functionality.

As for Google Chrome, the opt-in feature is built in. Open the Wrench menu and choose Settings. In the settings interface, choose Under the Hood, scroll to the Plug-ins section, and select Click to play instead of Run automatically. From then on, Flash and other plug-ins are blocked by default; a plug-in only runs once you decide it is legitimate and click on it.

As a bonus, this opt-in feature also improves the browsing experience, because all those annoying Flash ads stop disrupting the actual business of information consumption.

  • http://philipoakley.myopenid.com/ Philip Oakley

    On Chrome, the plug-ins are now under the Privacy section, under the Content Settings... button