Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Internet Explorer Mozilla IT

Insecure Plugins Ding IE, Safari, Chrome, Opera 141

Posted by kdawson
from the black-powder-in-the-sandbox dept.
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
This discussion has been archived. No new comments can be posted.

Insecure Plugins Ding IE, Safari, Chrome, Opera

Comments Filter:
  • But doesnt sandboxing these plugins make these browsers secure?
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I don't think any of them sandbox plugins, by default.

      Chrome has a --safe-plugins option which appears to do it, but I imagine it breaks a lot of plugins, which is why it wouldn't be default.

      • Re:Sandboxing? (Score:5, Informative)

        by TrancePhreak (576593) on Monday January 25, 2010 @07:44PM (#30898658)
        Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx [microsoft.com]
        • by AHuxley (892839)
          Locking the kitchen window with a buzzword window lock, with the rest of the house wide open is a bit of a joke.
          MS sees plugins as competitors to be contained until MS has the functionality via buy out or "innovation'
          • Re: (Score:3, Interesting)

            by sopssa (1498795) *

            Having a house with windows and doors locked is a bit silly, especially when you could just as well build a bunker around your house.
            MS sees bunkers as competitors to be contained until MS has the functionality via buy out or "innovation'

        • Re: (Score:3, Informative)

          by Anonymous Coward

          Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx [microsoft.com]

          It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all !

          Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.

          See "Protected Mode" at:
          http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security [wikipedia.org]
          http://en.wikipedia.org/wiki/User_Account_Control [wikipedia.org]

          • Re:Sandboxing? (Score:4, Insightful)

            by ElSupreme (1217088) on Tuesday January 26, 2010 @08:54AM (#30903384)
            Well maybe you should stop bitching about an 8 year old OS not doing what you want.
            And maybe you should stop bitching about an 8 year old Browser not doing what you want.

            Because people don't use some functionality, or have (in computing lifetimes) ANCIENT software. Don't blame the modern product. It was IMPOSSIBLE to sandbox Safari when XP and IE6 came out. Because no version was released! Same goes for Firefox (Firebird too), and Chrome.

            Congratulations you just compared IE6 on an 8+ year old OS, to browser LINES that didn't exist when EITHER XP OR IE6 came out. Opera did exist.

            It is time to face it IE8 is a good browser. Worthy of comparison to Firefox. IE7 and IE6 were horrible. In fact when IE6 came out, I stayed with IE5, until I used mozilla, then Firebird, well before it became Firefox.


            Soures: (non-primary)
            http://en.wikipedia.org/wiki/Win_XP [wikipedia.org]
            http://en.wikipedia.org/wiki/Internet_Explorer_6 [wikipedia.org]
            http://en.wikipedia.org/wiki/Safari_(browser) [wikipedia.org]
            http://en.wikipedia.org/wiki/Firebird_(browser) [wikipedia.org]
            http://en.wikipedia.org/wiki/Opera_(browser) [wikipedia.org]
            • by Rutulian (171771)

              Ok, first of all, being old has nothing to do with anything. Plenty of old products can be used perfectly fine and are in use in many places. Equating "secure and usable" with "newest shiny" is exactly what marketing PHBs want from you so they can always sell you their newest products. And, in fact, what you are calling old is still in common use today. While IE7 has been out for a while now, Windows 7 has not. A lot of people are still using XP because they refused to upgrade to Vista.

              Second, the point the

              • Yes plenty of old products can be used. They just are not capable of handling problems as updated devices. A 1979 Mustang will still drive, but it won't stop as quickly, it doesn't have airbags, and well you are WAY more likely to die in it than a modern Mustang.

                Saying it is a common configuration doesn't change the fact that it is OLD, and outdated. There are OBVIOUSLY new SECURITY and USABLE options that come with Windows VISTA. Like being able to sandbox the browser.

                If I were bitching about OSX 10.0
                • by Rutulian (171771)

                  Yes, of course IE6 is outdated and I agree nobody should running it. IE6 is riddled with security problems and there is no reason to not run something better. I disagree about XP and UAC, though. Vista was a terrible upgrade option for a lot of people. It broke hardware compatibility, software compatibility, it was slow, it had a lot of bugs. I haven't met anybody who has liked Vista, and a lot of OEMs had the option of keeping XP instead of getting Vista with a new computer. If we were talking about Win98,

          • by Ant P. (974313)

            You can still sandbox IE on XP - just put Windows itself in the sandbox, where it belongs.

          • Both of those things are not the defaults. This is a discussion about defaults.
    • Re:Sandboxing? (Score:4, Insightful)

      by Anonymous Coward on Monday January 25, 2010 @06:56PM (#30898078)

      No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.

      First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.

      Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.

      Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.

      The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone. Blah blah blah. Yeah because nothing ever evolves. Everything should stay static. I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have. You know you can always use Dillo or Lynx if you want to view documents and do your basic browsers.

        • by sopssa (1498795) *

          It's funny he has been even modded up. It's complete piece of crap.

          He is blaming sandboxing in IE with the fact it could not be done all correctly and because more often its not done correctly? That's a niece piece of FUD to throw around. What are the sources for this? Sandboxie has been quite successful in sandboxing any app. Then he goes on with his rant saying that if theres a security flaw in the sandboxing it affects millions of users. Guess what, without sandboxing those users would had been directly

          • by Stooshie (993666)
            Although I agree that Windows/IE bugs are probably less now, Flash wasn't even mentioned in the article! It was java and Adobe reader that were mentioned as the main culprits
        • The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone.

          Yup. That was *indeed* the case. But while some kept this broken model well into the information age (no restrictions MS-DOS -> no restriction Windows 9x -> "everyone is admin by default" in Windows XP even though the NT family could theoretically have user access control, etc...) other have aknowledged that the initial model was broken and have tried different and better approaches (like Unix systems with some access control)

          I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have.

          On the other hand if they are flaws, we shouldn't insist absolutely on usin

      • Re:Sandboxing? (Score:4, Insightful)

        by Your.Master (1088569) on Monday January 25, 2010 @08:35PM (#30899106)

        "Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users."

        True, and that's often lost on people, but irrelevant to the subject at hand. We were talking about whether a browser could do anything to mitigate insecure plugins as an attack vector short of disabling plugins.

        "Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place."

        Explain.

      • I sort of have to agree that the browser as a one stop shop is getting sort of untenable. Frankly, I have no desire to do my online banking with the same piece of software I explore random information on all day with computers around the world run by people I don't even know. But whats the solution, two browsers? Were things any better in the 90s when I would download random exe's to do small little tasks now handled by rich web apps? At some level the only solution to this is to use separate, incompatible
        • Re: (Score:3, Interesting)

          by sowth (748135) *

          How about two users? That is what I do. I have one user for insecure internet access, and another for financial transactions. The home directory of the account for financial transactions is chmod 700.

          Really, I use several user accounts --one for the X server, one for multimedia / video games, one for my real work / valuable files, etc. It isn't any hassle to use the insecure internet or video game accounts because I have them set up so I don't need a password when I su from the X server account. Makes it

      • I wish I had mod points for you.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)

      "Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
      "Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."

    • Re:Sandboxing? (Score:4, Informative)

      by tonywong (96839) on Monday January 25, 2010 @07:11PM (#30898296) Homepage
      http://queue.acm.org/detail.cfm?id=1556050

      "...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."

      I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.
      • Re:Sandboxing? (Score:5, Interesting)

        by jpmorgan (517966) on Monday January 25, 2010 @07:39PM (#30898602) Homepage

        IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.

        The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.

        • Why doesn't IE warn when a plugin "breaks the sandbox", and asks the user to confirm? It would seem reasonable, and push plugin writers towards proper sandboxing.

          • So grandma gets another dialog that she doesn't understand, every time flash\acrobat\whatever loads? She'll just hit any random button to make the dialog go away. She has stuff to do.

            Plugin makers won't want to change their legacy behavior, as it will break their code. If they do, It'll take a long time to get through the testing phase even in a best case scenario. Basically, we're looking at the UAC debacle for legacy apps all over again. I don't see how this helps anything.

            • Plugin makers won't want to change their legacy behavior, as it will break their code. If they do, It'll take a long time to get through the testing phase even in a best case scenario.

              You can't get there until you start. Yes, it would take a while - just as is took a while for applications to start properly running under Vista (i.e. not requiring admin).

              Basically, we're looking at the UAC debacle for legacy apps all over again. I don't see how this helps anything.

              I'm looking at long-term effects, not immediate ones. Yes, just like Vista and UAC - annoying short-term, legacy apps rewritten long term.

          • by cbhacking (979169)

            It does. However, since some plug-ins do so extremely often (FlashPlayer being one of them) Adobe automatically adds an exception in the registry for "Don't prompt when this program tries to break out of the sandbox." This *might* be justifiable if Adobe's security record wasn't so terrible, but as it is, it's a decent reason to browse with the Flash ActiveX control disabled on sites where you don't need it (technically IE only allows you to disable it on a per-process basis, but since IE8 runs each tab in

      • Why (philosophically, rather than bounded by spaghetti-code-kernel-reality) should a plugin that would like full screen video output and audio/video input also be able to download executables and get the OS to run them on boot up with full system rights?
  • Headline? (Score:3, Interesting)

    by Anonymous Coward on Monday January 25, 2010 @06:49PM (#30897976)

    Why doesn't the headline list Firefox, too?

  • by MrCrassic (994046) <deprecated&ema,il> on Monday January 25, 2010 @06:53PM (#30898032) Journal

    It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.

    Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      I really cannot imagine why you think that a car analogy is going to make more sense to the slashdot crowd than the base problem, which is computer security.
    • If there was one unanimously labelled "BEST" browser, everyone would be using it.

      Wait... you aren't using Netscape 4.7?!
    • In the risk of appearing trollish, I would say that this is why "integrists" of FOSS like the debian group are useful even in a world where the Ubuntu compromise had such a success.
  • The model (Score:5, Insightful)

    by Anonymous Coward on Monday January 25, 2010 @06:55PM (#30898056)

    Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.

    It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.

    • Re: (Score:2, Interesting)

      Not really. With the multicore, gigabytes of ram type, systems becoming norm, think ThinApp [vmware.com] + VMWare [vmware.com] you can start having applications running in a completely disposable virtual machine and it would work just like a regular application, only it can't ACTUALLY access your system.
    • by rolfwind (528248) on Monday January 25, 2010 @08:03PM (#30898852)

      Insecure huh?

      Is that why my browser kept asking if it looked fat maximized in my widescreen monitor.

    • Re: (Score:3, Insightful)

      by vtcodger (957785)

      ***Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.***

      That'd be my opinion as well, but apparently you and I are Luddite idiots.

      My guess is that if you are right, it will take at least two decades and perhaps one or more complete breakdowns of e-Commerce and/or web services to bring an

    • by Temporal (96070)

      No, what's broken is the model that by default gives all your authority to every piece of code you run. There is absolutely nothing wrong with running untrusted arbitrary code as long as you don't give it the ability to access any sensitive resources. The Adobe Reader plugin has *no* reason to be granted access to do anything except read the PDF you downloaded and render it to the screen -- no hard drive access (other than its own installed files), no network access, etc. But by default we assume that in

  • by sznupi (719324) on Monday January 25, 2010 @06:57PM (#30898094) Homepage

    Quick options toggle menu -> enable/disable plugins.

    (with whitelisting and blacklisting of particular sites available of course)

  • The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.

    • by afidel (530433) on Monday January 25, 2010 @07:07PM (#30898244)
      Doesn't matter, most people don't care about the security of their computer they rightfully care about the security of their data which no OS blocks effectively, ie if I can modify my data so can any program running in my context.
    • by MrEricSir (398214)

      Unfortunately, every OS that I'm aware of allows a browser plugin to download and execute arbitrary code.

      Whether it can run as root or not isn't really relevant, since even running as a normal user it can access the entire user's home folder.

    • by GIL_Dude (850471) on Monday January 25, 2010 @07:14PM (#30898314) Homepage
      That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Bascially they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continues this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.
      • by Kalriath (849904) on Monday January 25, 2010 @07:37PM (#30898566)

        Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

        • by cbhacking (979169)

          HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ (on 64-bit systems, HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\) is the registry key that controls access to that proker process (it's called something like Flash10Util.exe - look through the GUIDs until you find the correct one). Then, you can set its Policy value as you like. I've knocked it back to 2 for now, but then, prompts don't annoy me much.

          0 - Disable calling this program from IE (the only d

    • The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.

      No modern desktop OS (with a very stretched definition of "modern" - e.g. WinXP and even 2K conforms, too) does not allow normal users to execute privileged code with no confirmation. The problem with XP and earlier was that the default user with a fresh install was admin - not exactly a "normal user". This is fixed in Vista and above.

      The problem is that you don't need to run privileged code to do harm. Even trojaning the system is trivial without it, since the binary can simply be deployed in user's home d

    • Re: (Score:3, Informative)

      by mcrbids (148650)

      Great! You got +5 insightful for an unenlightened post.

      So you have a process, the browser. And within that process, is a security hole. And in the context of the browser, there's this scripting language called "javascript" which (tadum!) executes code. Code which might take advantage of aforementioned security hole.

      In this example, the Operating System isn't even involved - it's all happening within the browser. Yet, your security is still hosed. There's still a keylogger running inside browser space, and w

    • You don't need to run *privileged* code to exploit a vulnerability in an application. A normal user or even a browser running in a chrooted jail can still be used to launch attacks on other computers, take part in a botnet, and so on. Not to mentioon that if your browser's compromised it's sitting there waiting to steal your passwords and attack your bank accounts.

      And "let me do something stupid" dialogs are little protection, because if they're used often enough to be effective they just train people to le

  • Adobe reader plugin? (Score:2, Interesting)

    by shitzu (931108)

    I never acutally understood the reason for a PDF plugin. Why can't i just download the bloody file and look at it? On second thought, that's what i usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

    • by _Sprocket_ (42527)

      Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

      Adobe had this dream of the World Wide Web consisting of PDFs for as far as the browser to see.

    • by Trepidity (597) <delirium-slashdotNO@SPAMhackish.org> on Monday January 25, 2010 @07:26PM (#30898460)

      If you're just reading the occasional journal article or something, that's reasonable, yeah. The original idea of the PDF plugin was that PDFs would be more widespread, as part of websites, so it'd be a hassle to download/view every time you ran across a PDF. That's thankfully not as common as Adobe had hoped, but for some kinds of sites it's still a bit of a hassle if you have no plugin--- restaurant sites that seem to find it necessary to put their lunch/dinner/drinks menus into three separate PDFs come to mind.

      • by Gerzel (240421) *

        For restaurants it is usually because the menus are sent to the printers in PDF format and they don't have the time/money to change the format for the site.

      • The plugin still downloads the whole PDF file before rendering it from the /tmp directory. On Linux, the PDF plugin is decidedly more clunky to use especially when you have to view multiple files as in your example.
  • Firefox? (Score:2, Interesting)

    by guamman (527778)
    I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?
    • Re:Firefox? (Score:5, Funny)

      by Anonymous Coward on Monday January 25, 2010 @10:19PM (#30899766)

      I don't know what you are talking about.

      My browser's title says "Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox"

    • Re:Firefox? (Score:4, Insightful)

      by onefriedrice (1171917) on Monday January 25, 2010 @11:07PM (#30900092)

      I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

      Probably not so much anti-IE as pro-Firefox, seeing as how that was pretty much the only browser missing from the list in the title, which should have read "Insecure Plugins a Problem for Browsers."

  • easy solution (Score:3, Informative)

    by Tumbleweed (3706) * on Monday January 25, 2010 @07:08PM (#30898262)

    Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

    • by Again (1351325)

      Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

      Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

      • Re: (Score:3, Insightful)

        by Tumbleweed (3706) *

        Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

        Great, another reason to loathe Facebook. Like I needed another. *shrug*

      • by Inda (580031)

        Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

        Not strictly true. I don't use that POS Facebook but the family does, but I've seen that photo uploader because it needed a higher version of Java than I had installed and the family don't have admin permissions...

        There is an alternative plain HTML photo uploader.

    • by cbhacking (979169)

      While Foxit has been much less targeted than Acrobat, it has had security vulnerabilities in the past, and it does support at least some JavaScript (which seems to be a commonly vulnerable part of the viewer). I don't have the Foxit plugin disabled, but I do have it set to prompt me before loading, which is almost as good - among other things, if I deny the plugin permission to load, it goes to my download manager instead for offline viewing.

  • I had a friend at university named Eleonora . You've just besmirched her name by referencing an article about 'Eleonore'. :(
  • Reading this headline quickly, for a second I thought there was a new browser out named "Ding".

    Or I guess, this being 2010 and all, it would have to be named "ding". The lower-case names apparently show extra coolness or something.

    • by Again (1351325)
      They should have called iding because we want to know who is doing the dinging.
  • I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".

    • by mathfeel (937008)
      Have you tried the FireFox add-on pdfdownload? Let you pause and decide what to do.
      • by argent (18001)

        Since I always want to download, and never want to open a PDF in the browser, it was always more convenient and more secure to remove the damn plugin. And these days I use Preview.app to read PDFs.

  • My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.
  • by Smurf (7981) on Monday January 25, 2010 @10:11PM (#30899708)

    It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.

    I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.

    kdawson strikes again...

  • When IE had 90%+ marketshare it was easy to target a huge number of users at once with a single exploit, now that the browser market is more competitive it's harder for malware authors to attack. They could still write an exploit for a single browser, but that would target only a percentage of users...

    As a result, malware authors look for something new which is as widespread as possible... Most browsers have flash and pdf plugins, and the alternatives in these markets are still extremely rare so they're a g

  • What I did was use AppArmor to basically restrict firefox from writing to anything but its own config files, as well as a single directory for downloads. It also can't read from any of my user files ( like my mail or documents). I even stopped it from executing external programs like PDF readers or OpenOffice seeing that I prefer to download the files and open them manually anyway.

    I disabled Java, installed no-script (surfing slashdot is way smoother without javascript btw ) and set firefox to clear all coo

If you're not careful, you're going to catch something.

Working...