Hacker News new | ask | show | jobs
by omh 5035 days ago
Firefox has a separate feature which can completely disable plugins which are known to be malicious or vulnerable. The current list is at https://addons.mozilla.org/en-US/firefox/blocked/

They've definitely used this to block older Java versions, but in those cases there was always a newer version available that you could use instead.
1 comments
justinschuh 5034 days ago
Plugin management is actually a bit complicated, and in the case of Chrome we've had mulitple levels of it for years. The simplest is click-to-play, where the plugin is replaced with a graphic in the page that you can click to run it. This is the most convenient, but is vulnerable to click-jacking or other trickery. Then there's plugin blocking, which doesn't have the click-to-play weaknesses but is less convenient because you need to enable the plugin through a browser control (ie. infobar, page action, or context menu). Finally there's disabling, which just prevents the plugin from running at all.

For out-of-date and perennially vulnerable plugins (like Java) Chrome uses the second mode, which blocks the plugin unless the user accepts it through an infobar. It's not a perfect defense, but we've found it to be extremely effective at preventing exploits because the vast majority of the users don't let the potentially vulnerable plugin run. I'd really like to see this approach catch on more broadly, but other browser makers are understandably cautious about how they should handle plugins.

link
omh 5034 days ago
As a corporate sysadmin, I should say that the Chrome method is much better than the Firefox one.

We often have slightly out of date plugins, simply because it takes a while to get new versions tested and rolled out. When Firefox blocks them it breaks functionality and can cause a few awkward problems. Generally that just means that the user will use IE instead, so the protection is lost.

link
justinschuh 5034 days ago
I wasn't aware the blocking worked that way in Firefox. We considered going that route as well, but in our testing the optional block was nearly as effective as fully disabling.
link
jackalope 5034 days ago
It's interesting that you don't mention uninstalling as a final option. Shouldn't the user have the ability to permanently remove a plugin from the browser?
link
justinschuh 5034 days ago
Sure, but the user handles that through the OS, not the browser.
link