I would like to see an example of how click-to-play could be "clickjacked."
Sent from my iPhone On Feb 15, 2013, at 11:45 PM, Doug Turner <doug.tur...@gmail.com> wrote: > On 2/15/13 3:11 PM, Brian Smith wrote: >>> From >>> http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/ >> >> 'Facebook officials said they recently discovered that computers belonging >> to several of its engineers had been hacked using a zero-day Java attack >> that installed a collection of previously unseen malware. >> >> [...] >> >> The attack was injected into the site's HTML, so any engineer who visited >> the site and had Java enabled in their browser would have been affected," >> Sullivan told Ars, "regardless of how patched their machine was."' >> >> Cheers, >> Brian > > > The worse part of this is that most users don't have security engineers > detecting the compromise. People's machines will just get owned and > these users will probably not know it. > > I know CTP is a step forward on blocking many of these plugins. But I > think we all know that this approach can probably be worked around by > click-jacking. There are ways to improve or reduce the likelihood of > this (see bug 832481). > > Considering this, maybe it is time to not just click-to-play, but > require users to go to some menu item (maybe "View / Enable Legacy > Mode") to enabled Java, and other less useful and typically more > vulnerable, NPAPI plugins. > > Just a thought. > Doug > > > _______________________________________________ > dev-apps-firefox mailing list > dev-apps-fire...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-apps-firefox _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
