From http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/

'Facebook officials said they recently discovered that computers belonging to 
several of its engineers had been hacked using a zero-day Java attack that 
installed a collection of previously unseen malware.

[...]

"The attack was injected into the site's HTML, so any engineer who visited the 
site and had Java enabled in their browser would have been affected," Sullivan 
told Ars, "regardless of how patched their machine was."'

Cheers,
Brian

Brian Smith wrote:
> Benjamin Smedberg wrote:
> > Talking about click-to-play has been complicated, because we have
> > several parallel goals and efforts:
> > 
> > * Make users more secure by blocking known-unsafe versions of
> >   plugins
> > * Give users control by having them opt in to "new" plugins that
> >   are found on their machine
> > * Make Firefox faster and less crashy by reducing the number of
> >   plugin instances that users see
> 
> Generally, I agree with these points but it depends on what you
> consider a known-unsafe plugin. For example, I consider *all*
> versions of Java, even ones without known exploits, to be
> known-unsafe, based on the historical track record. But, also, Java
> and Flash make the news the most because of their huge marketshares,
> but that doesn't mean that they are less safe than other plugins.
> Consequently, I don't think "known-unsafe" is the right distinction
> to make.
> 
> In particular, I am concerned about the distinction between time
> between when a plugin begins to be exploited vs. the time we find
> out that the plugin is being exploited vs. the time when we actually
> secure the user. If we look at bug 829111, we can see that we filed
> the bug to CtP Java on 2013-01-10 and the blocklist update was made
> the next day, which means that most users probably received the
> blocklist update within 48 hours of us becoming aware of it (if they
> were using Firefox during that time period). I think that is
> actually as good of a response time as we reasonably expect with our
> current procedures. But, the big unknown is always "was this
> vulnerability being exploited before we knew about it, and if so for
> how long?" And, we really don't have any way of answering that
> question. In these cases of very longstanding bugs, we should assume
> that the people exploiting them have known about them long before we
> do. Thus, it is important to protect users as much as possible BEFORE
> we even definitely know there is a problem.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
