Mozilla Security

Another Java Attack

There’s another attack on Java via a new zero-day flaw. This is why I don’t keep Java enabled in web browsers anymore. If you still do, I’d suggest turning it off. There’s a good chance you won’t miss it.

I’ve yet to get there with Flash, but the day is coming. After the previous post a few months ago, I think I like the idea of a blacklist/whitelist for plugins in general that allows a user to enable them only for specific hostnames. That would make it a bit more intuitive to use plugins when still needed, but gain the security of not having them available for any hostname you happen to stumble upon. The options would be something like:

Enable [plugin name] on [hostname.tld] for:
(This session only)     (Forever)       (Never)

For certain things like YouTube, you could enable Flash forever since Google is rather trustworthy. For other sites, perhaps just the session. For others, maybe never.
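
A sketch of the per-hostname decision described above, as an added example rather than code from this post or from any browser. `PluginPolicy` and its method names are hypothetical, and it goes one step beyond the three listed options by also accepting a `*.domain.tld` pattern, matched only on a label boundary. Hosts with no rule get "ask", so a plugin never runs on a site the user has not answered for.

```javascript
// Added example: hypothetical policy store, not a real browser or extension API.
class PluginPolicy {
  constructor() {
    this.persistent = new Map(); // "Forever" and "Never" rules, kept across restarts
    this.session = new Map();    // "This session only" rules
  }

  static normalizeHost(host) {
    return host.trim().toLowerCase().replace(/\.$/, "");
  }

  // Exact hostname, or "*.domain.tld" for sub-hosts only ("evildomain.tld" never matches).
  static matches(pattern, host) {
    if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
    return pattern === host;
  }

  // choice is one of "session", "forever", "never".
  set(plugin, pattern, choice) {
    if (!["session", "forever", "never"].includes(choice)) {
      throw new Error(`unknown choice: ${choice}`);
    }
    const p = PluginPolicy.normalizeHost(pattern);
    // Rough guard against "*" or "*.tld"; a real one would use the Public Suffix List.
    if (p.includes("*") && !/^\*\.[^*.]+(\.[^*.]+)+$/.test(p)) {
      throw new Error(`pattern too broad or malformed: ${pattern}`);
    }
    const key = `${plugin}|${p}`;
    this.persistent.delete(key);
    this.session.delete(key);
    if (choice === "session") this.session.set(key, "allow");
    else this.persistent.set(key, choice === "forever" ? "allow" : "deny");
  }

  // Returns "allow", "deny", or "ask" (plugin stays off until the user answers).
  decide(plugin, pageUrl) {
    const host = PluginPolicy.normalizeHost(new URL(pageUrl).hostname);
    let allowed = false;
    for (const store of [this.persistent, this.session]) {
      for (const [key, verdict] of store) {
        const [rulePlugin, pattern] = key.split("|");
        if (rulePlugin !== plugin || !PluginPolicy.matches(pattern, host)) continue;
        if (verdict === "deny") return "deny"; // a matching "Never" always wins
        allowed = true;
      }
    }
    return allowed ? "allow" : "ask";
  }

  endSession() { this.session.clear(); }
}
```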

4 replies on “Another Java Attack”

Yes, that *would* be nice. The Flashblock extension does something like that for Flash specifically, but it would be useful to have something similar that affected all content plugins.

That said, I’d also want the ability to whitelist entire domains, not just single hostnames. My day-to-day job involves maintaining a product with an applet-based UI (horrible legacy stuff), and I’d need to allow it for all local servers…

I would think the more useful default would be hostnames, but I couldn’t see how it would be implemented so that a power user feature would be the ability to whitelist with some sort of simple expression like *.yourdomain.tld.

Yes, NoScript does allow that kind of thing, but I’m not a fan of that extension. The idea is good, but I just got sick of having to fiddle with the configuration every time I encountered another site that wasn’t working correctly.
