Adobe CSO offers Oracle security lesson: Go click-to-play

Oracle could have saved mountains of cash and bad press if click-to-play had been enabled before Java was hosed by an armada of zero-day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix, introduced into browsers over the last year, stopped the then zero-day blitzkrieg in its tracks by forcing users to click a …

  1. frank ly

    Reactive instead of proactive?

    "Finding and fixing bugs isn't the way to go, ..."

    " ... organisations should follow suit and stop "patching every vulnerability" ..."

    Then, later:

    "That strategy has ... , and sped the time to patch from 10 weeks ... to a recent record of 36 hours"

    Apart from the apparent logical disconnect, this seems to say we should wait until somebody bad finds a weakness, then defend as hard as we can. Don't bother fixing any faults, flaws or weaknesses; just wait until the bad guys find it then work hard and claim rapid success.

  2. David Austin

    I make flash run as Click to play

    Less for security, but it saves so much memory and processor resources in Firefox's Plugin container - a much nicer web experience all around.

    1. Dan 55

      Re: I make flash run as Click to play

      Flashblock downloads then hides the Flash, so it's not as secure as you think it is.

      Firefox has its own proper click-to-play now, in Tools > Add-ons > Plugins and set Flash as 'Ask to activate'.

    2. Gene Cash

      Re: I make flash run as Click to play

      You don't need an add-on in the latest couple versions of Firefox. I have both Flash & Java set.

      When you visit a domain you haven't hit before, you get a bar at the top asking if you want to continue blocking this site. What's interesting are the sites that don't have flash visible anywhere, but get this bar. They have tiny 1x1 flash windows. I assume they're trying to end-run adblock and set a persistent cookie.

    3. MrRtd

      Re: I make flash run as Click to play

      Rather than using flashblock, I just changed the settings for the Flash plugin to Ask to Activate. You will also get prompted to activate Flash on sites that have no reason for using flash except for those secret Flash cookies.
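Several replies above describe the same symptom: Firefox's "Ask to activate" prompt appearing on pages with no visible Flash, because the page carries a 1x1 or hidden Flash movie (typically to set a Flash cookie). The following is an added example, not code from the article or from any commenter, showing how to enumerate such invisible Flash embeds. It works on plain element descriptors so it runs offline; the `describeDom` helper and the sample page contents are assumptions constructed for the example.

```javascript
// Added example (not from the original page): flag <object>/<embed> elements
// that carry a Flash movie but are rendered too small to see, or hidden via CSS.
// These are the "tiny 1x1 flash windows" that trigger a click-to-play prompt on
// a page that shows no Flash content.

const FLASH_MIME = "application/x-shockwave-flash";
// Flash Player ActiveX classid used in <object classid="..."> markup.
const FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000";

// A descriptor is {tag, type, classid, src, data, width, height, hidden}.
// Decide whether it refers to a Flash movie by MIME type, classid or .swf name.
function isFlash(el) {
  const type = (el.type || "").toLowerCase();
  const classid = (el.classid || "").toLowerCase();
  const src = (el.src || el.data || "").toLowerCase();
  if (type === FLASH_MIME || classid === FLASH_CLSID) return true;
  // Drop any query string or fragment before testing the file extension.
  return /\.swf$/.test(src.split(/[?#]/)[0]);
}

// "Invisible" means at most 1px in either dimension, or hidden through CSS.
function isInvisible(el) {
  const w = Number(el.width);
  const h = Number(el.height);
  return el.hidden === true ||
    (Number.isFinite(w) && w <= 1) ||
    (Number.isFinite(h) && h <= 1);
}

// Return every descriptor that is both Flash and invisible.
function findHiddenFlash(descriptors) {
  return descriptors.filter((el) => isFlash(el) && isInvisible(el));
}

// Assumed browser usage: build descriptors from the live DOM and pass them to
// findHiddenFlash(). Not exercised here because there is no DOM offline.
function describeDom(doc) {
  return Array.from(doc.querySelectorAll("object,embed")).map((el) => {
    const rect = el.getBoundingClientRect();
    const style = doc.defaultView.getComputedStyle(el);
    return {
      tag: el.tagName.toLowerCase(),
      type: el.getAttribute("type") || "",
      classid: el.getAttribute("classid") || "",
      src: el.getAttribute("src") || "",
      data: el.getAttribute("data") || "",
      width: rect.width,
      height: rect.height,
      hidden: style.display === "none" || style.visibility === "hidden",
    };
  });
}

// Constructed sample page: a visible video player, a 1x1 tracking movie,
// a CSS-hidden movie, and a 1x1 SVG that is not Flash at all.
const SAMPLE = [
  { tag: "object", type: FLASH_MIME, src: "player.swf", width: 640, height: 360, hidden: false },
  { tag: "embed", type: "", src: "/t/beacon.swf?id=42", width: 1, height: 1, hidden: false },
  { tag: "object", classid: "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000", data: "lso.swf", width: 300, height: 200, hidden: true },
  { tag: "embed", type: "image/svg+xml", src: "logo.svg", width: 1, height: 1, hidden: false },
];

// findHiddenFlash(SAMPLE) returns the beacon and the CSS-hidden movie only.
```

Run `findHiddenFlash(describeDom(document))` from the browser console on a page that prompts for Flash but shows none; the result lists the elements the prompt is about. Size and visibility are checked separately because a movie can be full-size yet `display:none`, and a 1px movie is still instantiated by the plugin unless click-to-play blocks it.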

  3. Anonymous Coward

    The day I take security advice from anyone associated with Adobe is the day I retire.

    They have a LOOONG way to go before any security advice they can offer is credible.

  4. Anonymous Coward

    There's an even better way

    Remove Flash. Not very practical, but it works well from a security perspective. And if you don't want to watch video or play games, works 99.5% of the time.

  5. Anonymous Coward

    Jealous much?

    "Adobe suspected one recent attack was the product of a team of a dozen engineers complete with a product manager"

    So 12 times the amount of resources you put into security then.

  6. RobZee

    Elite Entry

    "Arkin suspected every attack against Reader and Flash were created by nation-states and later co-opted by the criminal underground rabble."

    So, it's only talented, well-funded, nation sponsored entities that can pick holes in Adobe code then?!! That must mean it's all so well written because only the ultra elite can get in!
