There is one specific step that everyone can take to eliminate approx 90-95%+ of drive-by-zero-day-exploits without really impacting your web browsing habits that much:
Disable Plugins on your primary browser.
Whether that be Opera/Safari/IE/Firefox - just disable the plugins. Then, all of these Java 0days, PDF 0days, Flash 0days won't impact you.
Keep a backup browser, that is not your primary, and use that for your SSL VPN (frequently Java), or Crappy Enterprise Apps like timesheets and Remedy (frequently Flash).
Yes, browsers have 0days as well, but they occur much less frequently (approximately 1/10th) than plugin vulnerabilities, and get repaired much more quickly.
For the really security conscious, of course, browsing from a separated/virtualized thin-client is even better, particularly if you can live with the hassle of refreshing your cookies every so often after a reset.
One of the unique features of Opera that other browsers should add is the ability to whitelist/blacklist most annoyances and vulnerability points for a website. I usually default to everything off and whitelist as I go.
- Kill 3rd party cookies + remove all cookies on browser close
- No plugins enabled (and permanently disable all unneeded ones like Java). Plugins can be reenabled per site.
- Kill JavaScript on really bad sites that abuse it and work without it
- Use private tabs and windows for shady sites
- Kill animated GIFs and HTML5 video autoplay on sites that abuse them
Since Opera has a built in way to whitelist sites for each of the above items (or blacklist depending on how you do it), I add trusted sites back with plugins on demand and save cookies for a few sites where not having them will be annoying (banks, etc).
This is good advice, but I'd amend it to say this:
For your Facebook-viewing browser, disable all plugins. For the most part, you won't be viewing anything that can't be viewed without HTML5 and Javascript anyway. The added advantage to sequestering FB activity to a browser is that you won't be tracked by sites that use FB widgets.
Another added advantage of putting FB in its own browser (YMMV) is that it's easier to prevent impulsively checking FB in the middle of your normal work-related internet browsing, as it requires opening a new browser to do so.
I've been running Chrome (on Windows) with adblock, https everywhere, and ghostery. With the adblocking HOSTS file. And javascript, flash, and java are disabled unless whitelisted. Also each web service has a different 30+ char random password, stored in a password manager.
I have 2 problems:
-My gaming friends have pulled me into Farmville, which won't run on my above configuration - it crashes when trying to post to my wall. I've begun using vanilla Firefox for these games only. (Yes, I told them of the evils of Zynga, they don't care so long as the game is fun)
-My friends laugh at me and call me paranoid. I don't have a workaround for this.
You start running out of browsers quickly, and separate browser users get tedious fast. I really wish there was easy same-browser sandboxing that can save cookies and so on. Double click the gmail icon, and gmail comes up in a browser user devoted to just gmail, and shows up as a separate process and separate app. All of the 'make a webpage an app' apps that I've tried still share browser state amongst the main browser user.
It launches it in app mode (no tabs, no URL bar). I'm not sure if that's the same thing as launching the FB app.
In windows you copy the chrome shortcut and then edit the shortcut to add the command-line arguments. Then you add the shortcut to your launcher bar.
Alternatively, you could create a batch file for each site that you want to isolate somewhere in PATH and launch it from the Start -> Run menu. In other words, you'd press the start key, then type "facebook", then press enter.
(Please correct me if my instructions are incorrect, I haven't used windows regularly for a long time.)
You can create profiles in Firefox and run them all at the same time by creating links like "firefox.exe -p ProfileName --no-remote". Now that there's a Firefox Marketplace you can even have full window webapps in their own little sandboxes.
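The per-site launchers the two posts above describe (a shortcut or batch file per site, and Firefox profiles run with `-p ProfileName --no-remote`), as an added example that is not from the thread: a PowerShell script that creates one desktop shortcut per site for Chrome (separate `--user-data-dir`, opened with `--app` so there are no tabs or URL bar) and one for Firefox (a named profile plus `-no-remote`). The install paths, the `IsolatedBrowsers` profile root and the two-site list are assumptions; each profile keeps its own cookies, cache and extensions, so state is not shared with your everyday browser.

```powershell
# Added example (not from the thread): one launcher per site, each site in its own
# browser profile directory so cookies, cache and extensions are not shared.
# Assumptions: default install paths below; adjust if your browser lives elsewhere.
$Chrome  = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
$Firefox = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
$ProfileRoot = Join-Path $env:LOCALAPPDATA "IsolatedBrowsers"   # constructed location
$Launchers   = Join-Path $env:USERPROFILE "Desktop"

# Site name -> URL. Constructed sample list; one isolated profile per entry.
$Sites = @{
    "facebook" = "https://www.facebook.com/"
    "gmail"    = "https://mail.google.com/"
}

$wsh = New-Object -ComObject WScript.Shell

foreach ($name in $Sites.Keys) {
    $url = $Sites[$name]

    # Chrome: a separate --user-data-dir gives separate cookies, cache, extensions
    # and a separate process tree; --app opens the URL with no tabs and no URL bar.
    $chromeDir = Join-Path $ProfileRoot "chrome-$name"
    New-Item -ItemType Directory -Force -Path $chromeDir | Out-Null
    $lnk = $wsh.CreateShortcut((Join-Path $Launchers "$name (Chrome).lnk"))
    $lnk.TargetPath = $Chrome
    $lnk.Arguments  = "--user-data-dir=`"$chromeDir`" --app=$url"
    $lnk.Save()

    # Firefox: create the named profile once, then launch it with -no-remote so the
    # URL is not handed to an already running instance of your everyday profile.
    $ffDir = Join-Path $ProfileRoot "firefox-$name"
    if (-not (Test-Path $ffDir)) {
        Start-Process -FilePath $Firefox -ArgumentList "-CreateProfile `"$name $ffDir`"" -Wait
    }
    $lnk = $wsh.CreateShortcut((Join-Path $Launchers "$name (Firefox).lnk"))
    $lnk.TargetPath = $Firefox
    $lnk.Arguments  = "-P `"$name`" -no-remote $url"
    $lnk.Save()
}
```

Run it once; afterwards each shortcut opens only its site in its own profile, and the isolation holds only as long as you never open that site in your main browser.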
This happened last month, so it was 0-day THEN, not NOW.
The hole in question was patched in the February 1st Java release, plus the way the Java plugin works now (and how most browsers handle Java now) even if there are still holes remaining in Java, the user will have to click through at least one, probably two warnings before they can run the dangerous applet.
So far the latest fixes (in browsers and in Java) seem to have been effective.
> This happened last month, so it was 0-day THEN, not NOW.
Yes - Facebook made it clear they were exploited prior to the patch getting out.
== SNIP ==
The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. ...
After analyzing the compromised website where the attack originated, we found it was using a "zero-day" (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
== SNIP ==
The difference between zero-day and not, is that if you are attacked by an exploit that your vendor hasn't seen (and presumably has no patch available for) - you are particularly vulnerable. Once a CVE has been assigned, then your platform/software vendors are now more "on the hook" for any exploits that occur after that date.
Two indications of a security conscious company:
1. They have a very short period of time between the CVE identification and their patch (hopefully automatically) rolled out.
2. They announce security vulnerabilities in line with a patch - thereby reducing the number of zero day exploits.
Microsoft, in particular, has been very aggressive in announcing security exploits, and rolling out patches in the last 12-18 months - Adobe and Oracle could learn a lot from them.
> So far the latest fixes (in browsers and in Java) seem to have been effective.
Unless you have a very specific reason (SSL VPN, Enterprise App, perhaps a youtube video, or specific application) - you should no longer be running plugins in your browser. I've been running with Safari and all plugins disabled for about 14 months, switching to Chrome for youtube videos has been about the only inconvenience. The last exploit in flash/java/pdf/xxx may have been fixed, but you can be certain there will be more in the next few months.
> ... even if there are still holes remaining in Java, ...
Heh
> ... the user will have to click through at least one, probably two warnings before they can run the dangerous applet ...
Unfortunately, there are still way too many users who will happily click through those warnings (unsigned code, invalid certificates, UAC, and so on) in order to {look at stupid pictures|play retarded games|win a free iPad|...}
And it's worth noting that even less technical users aren't so likely to click through all of the warnings when they're not expecting some kind of interactive game to play. That also reduces the risk.
There will always be some people who click the links in their spam or open the fishy attachments, who give permission to anything and everything, and whose computers are so overloaded with malware, trojans, backdoors, etc. that they collapse under the weight.
The main trick is to be sure that savvy users can keep themselves safe, and making sure people doing important things on their computers are savvy.
I think Java is finally in a state now where it's safe for savvy users.