On 2/15/13 3:11 PM, Brian Smith wrote:
>> From
>> http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
>
> 'Facebook officials said they recently discovered that computers belonging to
> several of its engineers had been hacked using a zero-day Java attack that
> installed a collection of previously unseen malware.
>
> [...]
>
> The attack was injected into the site's HTML, so any engineer who visited the
> site and had Java enabled in their browser would have been affected,"
> Sullivan told Ars, "regardless of how patched their machine was."'
>
> Cheers,
> Brian
The worst part of this is that most users don't have security engineers detecting the compromise. People's machines will just get owned, and these users will probably not know it.

I know CTP is a step forward on blocking many of these plugins. But I think we all know that this approach can probably be worked around by click-jacking. There are ways to improve or reduce the likelihood of this (see bug 832481).

Considering this, maybe it is time to not just click-to-play, but require users to go to some menu item (maybe "View / Enable Legacy Mode") to enable Java and other less useful, and typically more vulnerable, NPAPI plugins.

Just a thought.

Doug

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
