Re: Disabling Flash
Anthony G. Atkielski wrote: J. Greenlees writes: I don't install flash plugins. Neither do I. But Opera installed one without asking me, which is why I've pulled Opera off my system (plus the fact that Opera installs adware, even if you pay for it). Once Opera had installed it, Firefox looked for and found it, again without bothering to tell me. there ain't nothing on a site that's contained in a flash file that I NEED to see. ( same with javascript ) Agreed, although poorly designed sites may not work at all without Javascript (mine will, however--with the exception of one page that I haven't figured out how to do with server-side scripting, because it needs to know the monitor size). i dont gettit.. for mozilla suit there wasa plugin that disabled the flash, unleas you clicked on it. why is this avail for FF than ? in that case you could self decide to run the flash ,yes or not.. hmm.. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Moz Rulez writes: i dont gettit.. for mozilla suit there wasa plugin that disabled the flash, unleas you clicked on it. why is this avail for FF than ? That's not the same thing. First, Flash should not be enabled by default, period. Firefox should ask about it during installation. Second, the plug-in that disables it also disables any non-Flash content that might appear in place of the Flash animation. Many sites display an ordinary still image if you don't have Flash installed, but the special plug-in replaces the still image with a fixed icon. Besides, I don't need something that gives me the option to run Flash, because the answer is always no. -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Anthony G. Atkielski [EMAIL PROTECTED] writes: CarlosRivera writes: Actually, I just found out those folks at work installed some software on my box again. So, I had to rip out some more crap. You also need to locate appropriate all.js and remove or comment out the appropriate plugin.scan.XXX line; otherwise, the plugins keeps coming back. What are all.js and plugin.scan.XXX? I assume you're running on a Windoze box, in which case they'll be in \Program Files\Mozilla Firefox\greprefs\. (ObRant: Why can't about:plugins be used to disable these things? It's currently far too difficult to get rid of these things, Mozilla by default tries to enable all manner of dangerous and often unwanted plugins, it shouldn't be necessary to hand-hack config files to fix this behaviour). Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Anthony G. Atkielski wrote: Because it allows code selected by a third party to be executed on the client machine. _Any_ mechanism that allows this is a vector for viruses and other compromises of system security. This is demonstrably not true. JavaScript can execute on a client machine without it necessarily compromising system security. The question is whether the browser places appropriate limits on the capabilities of the executing code. Java, JavaScript and Flash all place such limits. In the JavaScript case, it's our responsibility, in the Java case, it's Sun's, and in the Flash case, it's Macromedia's. If any of these people fail in their duty, then it's possible that system security could be compromised. But if they don't, it isn't. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Gervase Markham writes: This is demonstrably not true. JavaScript can execute on a client machine without it necessarily compromising system security. No, it cannot. Nothing that executes code on the client machine is completely secure. Therefore you must have a way to disable any such code execution. However, since executing code on the client machine is so useful in so many cases, you need to be able to enable it for certain sites while simultaneously disabling it for others. The question is whether the browser places appropriate limits on the capabilities of the executing code. If you have flexibility in configuring security, you don't have to ask that question. And since you don't know the answer to that question until security is breached (at which point it's too late), being able to flexibly configure security is essential. Java, JavaScript and Flash all place such limits. In the JavaScript case, it's our responsibility, in the Java case, it's Sun's, and in the Flash case, it's Macromedia's. No. The responsibility is with the browser author, who must provide ways to disable potentially insecure content from potentially insecure sources. You're making exactly the same argument that Microsoft has made in the past. I saw through it then, and I see through it now. If any of these people fail in their duty, then it's possible that system security could be compromised. But if they don't, it isn't. The problem is that most of us cannot afford to discover such compromises the hard way. There has to be a way of preventing them from ever occurring. -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
This is what I did to disable windows media player plugin. Locate all.js file in your installation and comment out the following line: //pref(plugin.scan.WindowsMediaPlayer, 7.0); // is the comment string for javascript and effectively removed the line from the file. all.js is located in your installation. If you are not sure where it is, search your hard disk for all.js. I think that earlier version sof mozilla use a different name for the file (winprefs.js?). If this was installed by your sysadmin and you don't have write permission on the file, you are screwed. Actually, I was just thinking that if the sysadmin has screwed you, that you could change the minimum version to a really high number. Hopefully, it would not install the plugin. I have not tried this. This is what I did so that windows media player does not show up in about:plugins. Anthony G. Atkielski wrote: CarlosRivera writes: Actually, I just found out those folks at work installed some software on my box again. So, I had to rip out some more crap. You also need to locate appropriate all.js and remove or comment out the appropriate plugin.scan.XXX line; otherwise, the plugins keeps coming back. What are all.js and plugin.scan.XXX? ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
On 2005-02-19, Anthony G. Atkielski [EMAIL PROTECTED] wrote: Do my eyes deceive me, or is there no way to disable Flash in Firefox? If there's no way to prevent Flash from being displayed, this is a security breach. Only if there's a security flaw in Flash itself. If you don't trust the Flash plugin, then don't have it installed. I tried disabling everything on the list of plug-ins, but that didn't help. How do I stop the browser from opening Flash content? Remove the Flash plugin. If you're on Windows, then you can do that from Control Panel. Alternatively, you can get an extension which hides Flash content until you click it - http://flashblock.mozdev.org/ -- Michael ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Michael Lefevre writes: Only if there's a security flaw in Flash itself. Security flaws in programs of this type are legion. I don't plan to be a victim. If you don't trust the Flash plugin, then don't have it installed. Firefox never asked me about Flash when I installed it, and I can't find a plugin anywhere that I can deinstall. It just appeared. Remove the Flash plugin. If you're on Windows, then you can do that from Control Panel. No Flash plugin is listed, and there is no directory containing a Flash plugin that I can find on the machine. Where is it? Alternatively, you can get an extension which hides Flash content until you click it - http://flashblock.mozdev.org/ I don't want it hidden, I want it gone, and I don't want Flash support installed unless I'm asked for it and I explicitly approve. -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Anthony G. Atkielski wrote: Firefox never asked me about Flash when I installed it, and I can't find a plugin anywhere that I can deinstall. It just appeared. The way it works is a bar appears that suggests you install it. It's not supposed to install itself. If there is any way that Flash installed itself, without you clicking on the bar to initiate the process, then that's a bug. If you can figure out a few more details about how it installed itself - like a site, or a process or a sequence - I'm sure people will want to see how it happens. Poke around on this page if it helps: https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefoxformat=guided I don't want it hidden, I want it gone, and I don't want Flash support installed unless I'm asked for it and I explicitly approve. This seems to be a known bug - not being able to remove a plugin. Not sure which one, but I saw it fly past on the listings... iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Anthony G. Atkielski wrote: Michael Lefevre writes: If you don't trust the Flash plugin, then don't have it installed. Firefox never asked me about Flash when I installed it, and I can't find a plugin anywhere that I can deinstall. It just appeared. Firefox does not install flash. If flash is not installed and you go to a page with flash content (or other unknown plugin types) the embed space contains a picture of a puzzle piece which you can click to install the handler (if we know about it). Something else installed flash for you. Possibly it was pre-installed on your machine when you got it. No Flash plugin is listed, and there is no directory containing a Flash plugin that I can find on the machine. Where is it? I don't want it hidden, I want it gone, and I don't want Flash support installed unless I'm asked for it and I explicitly approve. In Firefox plugins are either in a plugin subdirectory of the install directory, or there's a pointer in the windows registry under HKLM\SOFTWARE\MozillaPlugins typing about:plugins in the location bar will reveal all loaded plugins. If you flip the pref plugin.expose_full_path to true that page will show the full path of each plugin. If you do turn that on the full path is availabl to any webpage using javascript to iterate over the navigator.plugins object. Turn it back off when you're done. -Dan Veditz ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Daniel Veditz writes: Firefox does not install flash. If flash is not installed and you go to a page with flash content (or other unknown plugin types) the embed space contains a picture of a puzzle piece which you can click to install the handler (if we know about it). Something else installed flash for you. Possibly it was pre-installed on your machine when you got it. I found a folder called Macromed in \WINDOWS\system32 that contains OCX files (ActiveX components, if I'm not mistaken). Unfortunately, the system won't let me delete it, and there's no uninstallation procedure in the Control Panel for it. I think it only applies to MSIE, though, and in MSIE I already have ActiveX turned off. In Firefox plugins are either in a plugin subdirectory of the install directory, or there's a pointer in the windows registry under HKLM\SOFTWARE\MozillaPlugins I found HKLM\Software\Mozilla, but the only reference I could find was a key called plugins which pointed to a path, but nothing else. typing about:plugins in the location bar will reveal all loaded plugins. That showed me a DLL for Flash that turned out to be hiding inside Opera's directory. Opera must have installed it (another nail in the Opera coffin, as far as I'm concerned--I haven't yet found a reason to use Opera). I deinstalled Opera and the DLL went away with the deinstallation. This fixed the problem with Firefox. So apparently Firefox didn't install Flash behind my back, but it did quietly find it and start using it. I'd prefer that it not do anything without my explicit approval. I'll try reinstalling Opera (since I've already paid for it and I have to test with it sometimes) and see if I can tell it not to install Flash. If not, then Opera is too insecure to continue using. -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Actually, I just found out those folks at work installed some software on my box again. So, I had to rip out some more crap. You also need to locate appropriate all.js and remove or comment out the appropriate plugin.scan.XXX line; otherwise, the plugins keeps coming back. CarlosRivera wrote: On windows there is pluginreg.dat. Just rip out all the plugins from about:plugins that you don't like. I notice that my unix version of mozilla does not have this file, but about:plugins says I have no plugins installed. So, I am not sure if the file is the same or not. You should be able to figure out which file it is and just rip it out. Anthony G. Atkielski wrote: Do my eyes deceive me, or is there no way to disable Flash in Firefox? If there's no way to prevent Flash from being displayed, this is a security breach. I tried disabling everything on the list of plug-ins, but that didn't help. How do I stop the browser from opening Flash content? -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Anthony G. Atkielski wrote: Why is Flash a security breach ? Because it allows code selected by a third party to be executed on the client machine. _Any_ mechanism that allows this is a vector for viruses and other compromises of system security. Oh, you mean in general, this is a rights privilege escalation, and there isn't a sandbox of any note. So if you trust the site, then you're ok. If you don't, then you're sunk iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Disabling Flash
Ian G writes: Oh, you mean in general, this is a rights privilege escalation, and there isn't a sandbox of any note. So if you trust the site, then you're ok. If you don't, then you're sunk Exactly. So executing Flash content by default is a security breach. And in Firefox, there is apparently no way to turn it off. So much for a secure browser. -- Anthony ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security