> Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.
> "The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
It seems it's high time now to start working with two separate profiles in a browser if you're forced to use Java - one internal-only with Java enabled, and the second for browsing the internet, with Java disabled (of course this works as long as your internal apps do not get hacked...).
Rather easy to achieve with Firefox (probably there are command line switches for Chrome as well):
1. Create two profiles, `external` and `internal`, using `firefox -p`
2. Open the external profile and disable Java (will be kept in profile settings)
Then, run first `firefox -p external`, then `firefox -no-remote -p internal`; that way, links opened e.g. from email clients will go to the external instance.
To differentiate the two instances, you can install some theme: http://www.getpersonas.com/en-US/
Total paranoiacs could try to find/write some extension that will block all the pages other than approved internal ones in the internal profile (perhaps AdBlock Plus will do?).
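The two-profile split described in the comment above, scripted as an added example (this is not the commenter's own code). It assumes three things the comment does not state: that `profiles.ini` uses `[ProfileN]` sections with `Name=`, `IsRelative=` and `Path=` keys; that the legacy `plugin.state.java` preference (0 = never activate, 2 = always activate) controls the Java NPAPI plugin, which only plugin-capable Firefox versions honour; and that `firefox -CreateProfile <name>` creates a profile without opening the profile manager. `SETUP_PROFILES` is a name chosen here so the script only touches a real install when asked.

```shell
#!/bin/sh
# Added example: create "external" (Java off) and "internal" (Java on) Firefox profiles
# and launch them so that externally supplied links land in the Java-less instance.
# Assumptions (not from the thread): profiles.ini layout, the legacy pref
# plugin.state.java (0 = never activate, 2 = always activate), and `firefox -CreateProfile`.
set -eu

PROFILES_INI="${PROFILES_INI:-$HOME/.mozilla/firefox/profiles.ini}"

# Print the on-disk directory of the named profile, or nothing if profiles.ini lacks it.
profile_dir() {
  name="$1"
  ini="$2"
  awk -v want="$name" -v base="$(dirname "$ini")" '
    function emit() { print (rel ? base "/" path : path) }
    /^\[/          { if (n == want && path != "") emit(); n = ""; path = ""; rel = 1 }
    /^Name=/       { n = substr($0, 6) }
    /^Path=/       { path = substr($0, 6) }
    /^IsRelative=0/ { rel = 0 }
    END            { if (n == want && path != "") emit() }
  ' "$ini"
}

# Pin the Java plugin state in the profile's user.js, which Firefox re-reads on every
# start, so a click in the add-ons manager cannot silently re-enable Java in "external".
# Any earlier plugin.state.java line is replaced rather than duplicated.
set_java_state() {
  dir="$1"
  state="$2"
  mkdir -p "$dir"
  if [ -f "$dir/user.js" ]; then
    grep -v 'plugin.state.java' "$dir/user.js" > "$dir/user.js.tmp" || true  # grep exits 1 when nothing remains
  else
    : > "$dir/user.js.tmp"
  fi
  printf 'user_pref("plugin.state.java", %s);\n' "$state" >> "$dir/user.js.tmp"
  mv "$dir/user.js.tmp" "$dir/user.js"
}

# Create a profile only if profiles.ini does not list it yet (assumed -CreateProfile flag).
ensure_profile() {
  name="$1"
  [ -n "$(profile_dir "$name" "$PROFILES_INI")" ] || firefox -CreateProfile "$name"
}

# Order matters: the first instance (started without -no-remote) owns the remote-command
# channel, so a mail client that runs "firefox <url>" opens it in the external profile.
launch() {
  firefox -p external &
  firefox -no-remote -p internal &
}

main() {
  ensure_profile external
  ensure_profile internal
  set_java_state "$(profile_dir external "$PROFILES_INI")" 0  # external: Java never activates
  set_java_state "$(profile_dir internal "$PROFILES_INI")" 2  # internal: Java always activates
  launch
}

# Only touch a real Firefox install when explicitly asked: SETUP_PROFILES=1 ./two-profiles.sh
if [ "${SETUP_PROFILES:-0}" = 1 ]; then
  main
fi
```

Run it once with `SETUP_PROFILES=1` to create and pin the profiles, then use it as the launcher. The `user.js` pin is the part worth keeping even if you create the profiles by hand: a per-profile setting changed through the UI is stored in `prefs.js`, and `user.js` overrides it on the next start, so the external profile stays Java-free by construction rather than by memory.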
I think the separate profiles are the better-looking tinfoil hat. For everyday browsing Adblock is nice, but I think it falls short. Throw NoScript and RequestPolicy into the mix and it gets a lot better. My friends always laugh when they watch me browse the web because I have to enable JavaScript for any new site and then use RP to allow that site to make requests to other domains.
I also use that approach, and while it sometimes gets annoying I am really glad for choosing it when I, once again, stumble upon some page that would like to load crap from 20 other domains.
If you use Chrome, there is. Go to chrome://chrome/settings/content and look under plug-ins. There is Run automatically (default), Click to play and Block all. You can also set whitelists for sites you are OK with trusting (YouTube comes to mind).
NoScript even lets you block WebGL depending on whether the site is whitelisted/blacklisted.
The great thing about RP is that you can let some sites make requests to facebook (for instance, nothing special about FB) and not allow all other sites to make requests to facebook.