Topic: Blog: Keep Threats at Bay With ‘Click-to-Play’ (Chrome, Firefox, Opera, Safari)

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15275
  • ┌∩┐(◕_◕)┌∩┐
Brian Krebs, 11-Mar-2013 (krebsonsecurity)

Help Keep Threats at Bay With ‘Click-to-Play’

Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play.

Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them.

To enable click-to-play on Chrome: From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”. To enable exceptions so that certain sites (krebsonsecurity.com?) are allowed to load Flash and other content by default, click the “manage exceptions” box. Alternatively, this can be done in Chrome through the address bar: when you browse to a site that has content blocked by the click-to-play feature, an icon will appear on the far right side of the address bar that allows you to add an exception for the current site.

To enable click-to-play in Firefox: Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the following: “plugins.click_to_play”, again without the quotes. Double click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice). To enable per-site exceptions, look for the blue lego-like icon in the lefthand portion of the URL bar, and click it; click the “activate” button to enable plugins just for that session, or to make it permanent for that site, click the down arrow next to “activate all plugins” and select the “always activate plugins for this site” option.

Opera users interested in this feature can enable Opera Turbo, a page speed improvement feature which blocks plugin content by default unless clicked. From the Opera main menu, click Settings, Preferences, then Webpages, and select “On” from the Opera Turbo pulldown menu.

Safari users can get a click-to-play like experience using either the ClicktoFlash extension – which, as its name suggests, blocks Flash content – or the more comprehensive ClickToPlugin extension.

Getting a click-to-play like feature working in Microsoft’s Internet Explorer seems to be a bit more complicated. Internet Explorer 10, which includes its own version of Flash, uses a Microsoft-provided whitelist of websites that are allowed to play Flash content by default. IE10 users on Windows 8 can add any site they like to the whitelist, but the steps for doing so are hardly straightforward. See this writeup for more information on how to do that (if someone knows of an easier way with IE10, please leave a comment below). PCMech.com explains how to sort of get click-to-play working in IE9, but this option may produce incessant pop-up prompts.

I mentioned at the outset of this post that some of these approaches can be used to block Java content from running by default, but a far safer approach with Java is simply to unplug it from the browser until and unless you need it (or uninstall it completely). If you need an idea of why I recommend this, have a gander at just a few of the most recent posts on Java.

One final note for those who decide to keep Java: unplugging it from the browser is a good idea, but keep in mind that Oracle’s Java installer re-enables the plug-in when the program is updated (shakes fist at Oracle).

https://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
« Last Edit: March 12, 2013, 05:25:54 AM by menotu »
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000
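The Firefox step above boils down to one preference, plugins.click_to_play, which Firefox persists in the profile's prefs.js (or a user.js) as user_pref lines. The following is an added audit helper, not code from the post or from Mozilla: it parses that file format and reports whether click-to-play is actually on, treating an absent preference as off because the Firefox builds the post describes default it to false. The sample profiles are constructed, not real captures.

```python
import re

# One Firefox preference line has the form: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str):
    """Convert the textual pref value (bool, int or quoted string) to Python."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_prefs_js(text: str) -> dict:
    """Parse prefs.js / user.js text into a name->value dict.
    Comment and blank lines are skipped; a later line overrides an earlier one,
    which is also how Firefox itself resolves duplicate entries."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def click_to_play_enabled(text: str) -> bool:
    """True only if plugins.click_to_play is explicitly set to true.
    An absent pref means the browser default, which is false (plugins auto-run)."""
    return parse_prefs_js(text).get("plugins.click_to_play") is True


# Constructed sample profiles (assumed contents, not real captures).
HARDENED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", true);
'''
DEFAULT = '''user_pref("browser.startup.homepage", "about:blank");
'''
REVERTED = '''user_pref("plugins.click_to_play", true);
user_pref("plugins.click_to_play", false);
'''

if __name__ == "__main__":
    for name, profile in (("hardened", HARDENED), ("default", DEFAULT), ("reverted", REVERTED)):
        state = "ON" if click_to_play_enabled(profile) else "OFF"
        print(f"{name}: click-to-play {state}")
```

Point it at the prefs.js of each profile you manage to catch profiles where the preference was never set or was flipped back.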

Offline menotu

heise Security - 12 March 2013

Microsoft enables Flash by default in Internet Explorer

Microsoft is shipping an update for Internet Explorer (IE) 10 for Windows 8 and RT today that will change the browser's behaviour to display more Flash content by default. The Windows 8 desktop version of IE will show all Flash content whereas the desktop and "Metro" versions on Windows RT will show a large percentage of it; only approximately four per cent of web sites with Flash content will be blocked by Microsoft on these versions.

With the decision, Microsoft is further softening its position on Flash support in Internet Explorer. Originally, the company had planned to release the browser completely without Flash support but moved away from this stance prior to the launch of Windows 8 and enabled Flash content in the browser based on a whitelist of "Metro" compatible sites.

The company says that a large amount of sites using Flash are now compatible with Windows 8 and are usable with touch interaction.

According to Microsoft, less than four per cent "of the thousands of domains" it has tested for Flash compatibility are incompatible with what the company terms the "Windows experience". This is mostly due to the fact that the sites in question are using other plugins aside from Flash, says Microsoft. Developers who find their sites blocked on Windows RT after the patch to Internet Explorer may want to read Microsoft's developer guidance document on the topic.

http://www.h-online.com/security/news/item/Microsoft-enables-Flash-by-default-in-Internet-Explorer-1821366.html