BrowserPluginSecurity

Overview

Browser plugins, especially Java and Flash, have been and still are subject to severe software bugs. Attackers can often exploit those bugs to run malicious code with the privileges of the user whose web browser is running on the computer, and this can happen without the user noticing anything.

To make malicious code run on a system with a vulnerable browser or vulnerable plugins, all the attacker needs is to get the browser to open a prepared website. To lure the browser, or rather the user, to such a website, a nicely prepared e-mail convincing the user to visit it is a common means.

Moreover, popular websites are sometimes compromised to include malicious code, so even a careful user can fall victim to malicious activity.

Therefore it is recommended to disable plugins like Flash or Java in your web browser. However, this degrades the user experience, since some web content is only available with the Java and/or Flash plugins activated. It is currently not possible to enable Java only for selected websites from within the Java plugin itself, but one can set up a secondary browser profile and use only that profile to visit websites requiring Java/Flash. Another way to avoid running Java applets automatically by default is to use the NoScript plugin for Iceweasel/Firefox.

How to disable Java plugins in Iceweasel/Firefox

In your Iceweasel main window click on Tools > Add-Ons > Plug-Ins. Then click on Disable for Java and/or Flash.

Using Java/Flash only with certain websites

To still get a rich user experience from Java/Flash based web content while reducing the risk of accidentally stumbling across a malicious website, one can set up a secondary browser profile:

  • Start up a terminal
  • Run iceweasel -ProfileManager -new-instance
  • Uncheck the "Don't ask at startup" box
  • Click on "Create Profile"
  • Click on "Next" and then enter a suitable name for the new profile, e.g. "Java", "Flash" or "JavaAndFlash"
  • Click on "Finish"

Now each time you fire up Iceweasel for day-to-day surfing, choose the default profile, in which you have deactivated Java and Flash as described above.

If you want to visit a trusted site on which you need Java or Flash, open a terminal, run iceweasel -ProfileManager -new-instance and choose your secondary profile, in which you can enable Flash or Java again. Once you are done with the Java/Flash content on the trusted site, close that Iceweasel instance and continue day-to-day browsing with the Iceweasel window that was started with the default profile.
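The manual profile-manager round trip above can be scripted. The following launcher is an added example and not part of the original wiki page: it starts a separate Iceweasel/Firefox instance with the named plugin profile, but only after checking that the profile is actually registered in profiles.ini. This matters because the browser's -P option silently creates a brand-new profile (with plugins enabled by default) if the name is mistyped, which would defeat the separation this page sets up. Assumptions not taken from the page: profiles.ini lives at $HOME/.mozilla/firefox/profiles.ini, the browser binary is called iceweasel, and the sample profiles.ini written by write_sample_ini is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: launch a dedicated plugin profile
# only if it exists, so a typo cannot create an unhardened profile by accident.

# Assumed default locations/names (not from the page); overridable via env.
PROFILES_INI="${PROFILES_INI:-$HOME/.mozilla/firefox/profiles.ini}"
BROWSER="${BROWSER:-iceweasel}"

# write_sample_ini FILE: write a constructed profiles.ini with a hardened
# "default" profile and a secondary "Java" profile, in the real INI layout
# Firefox/Iceweasel uses ([ProfileN] sections with a Name= key).
write_sample_ini() {
    cat > "$1" <<'EOF'
[General]
StartWithLastProfile=0

[Profile0]
Name=default
IsRelative=1
Path=abcd1234.default
Default=1

[Profile1]
Name=Java
IsRelative=1
Path=efgh5678.Java
EOF
}

# list_profiles FILE: print the Name= value of every [ProfileN] section.
list_profiles() {
    # Strip CRs in case the file was edited on Windows, then track whether we
    # are inside a [ProfileN] section; only Name= lines in such sections count.
    tr -d '\r' < "$1" | awk -F= '
        /^\[Profile[0-9]+\]/      { in_profile = 1; next }
        /^\[/                     { in_profile = 0; next }
        in_profile && $1 == "Name" { print $2 }
    '
}

# profile_exists FILE NAME: succeed only if NAME is exactly a registered
# profile name (-x: whole line, -F: literal, so "Jav" does not match "Java").
profile_exists() {
    list_profiles "$1" | grep -Fqx -- "$2"
}

# launch_profile NAME [URL...]: start a separate browser instance with that
# profile, or refuse with a message if the profile is unknown.
launch_profile() {
    name="$1"
    shift
    if ! profile_exists "$PROFILES_INI" "$name"; then
        printf 'profile "%s" not found in %s; create it with "%s -ProfileManager" first\n' \
            "$name" "$PROFILES_INI" "$BROWSER" >&2
        return 1
    fi
    # -P selects a named profile; -new-instance keeps it apart from the
    # already-running day-to-day window (the same flag the page uses).
    "$BROWSER" -P "$name" -new-instance "$@"
}

# Usage: sh plugin-browser.sh Java [URL]
if [ "$#" -gt 0 ]; then
    launch_profile "$@"
fi
```

Save it as, for instance, plugin-browser.sh and run `sh plugin-browser.sh Java` instead of going through the profile manager by hand; the default-profile window stays open and unaffected, and a mistyped profile name results in an error message rather than a fresh profile with Java and Flash active.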

Using NoScript

TODO

-- BastianNeuburger - 11 Jan 2013
Topic revision: r1 - 2013-01-11, BastianNeuburger