Tip: use a secondary browser for Java, Flash and other plugins


Batu69

While most browser makers plan to drop support for Java, Flash and other plugins such as Silverlight or Quicktime, or have stopped supporting these technologies already, there are still a lot of sites and services out there that can only be accessed if certain plugins are installed in the browser.

 

If you take Google Chrome for instance you will quickly notice that it supports Flash thanks to a native integration of the technology but no other plugin. This means that Chrome users cannot access content on the Internet that requires Silverlight, Java or other plugins.

Microsoft created Edge in Windows 10 without support for these plugins as well, and it too supports only Flash thanks to a native integration but no other plugin.

Mozilla Firefox on the other hand supports plugins but Mozilla plans to drop support eventually (in 2017 likely).

 

You are probably wondering why browser makers drop support for these plugins considering that some services and sites still require them. The answer is that it is beneficial to the security and stability of the browser.

If you check the crash stats of Firefox 45.0.2 that Mozilla collected over the course of seven days, you will notice that four of the top ten crashes are attributed to plugins (positions 2, 4, 5 and 9).

What you can do about it

Internet users, at least those on desktop machines, face two issues:

  1. Deal with stability and security issues when plugins are used/installed on the system.
  2. Make sure content that requires plugins can be accessed.

While you can simply run a browser that supports plugins and be done with it, I suggest you use a secondary browser for that instead.

This is also the only option if your main browser does not support plugins anymore.

 

Additionally, separating plugin content from everything else deals with the first issue mentioned above if your main browser supports plugins.

 

Since you only use it to connect to sites requiring plugins, say a video streaming site or online banking site, your main browser won't suffer from stability issues nor run into the risk of falling victim to attacks targeting plugins.

 

The browser

 

[Image: java plugin installed]

 

A couple of browsers cannot be used for this because of missing support for plugins. This includes Google Chrome and other Chromium-based browsers such as Vivaldi or Opera, and Microsoft Edge.

 

This leaves Mozilla Firefox (or a Firefox-based browser) or Internet Explorer, and while both should work fine, I'd suggest you select Firefox for that as you can install a second copy of the browser easily, or use another profile instead exclusively for plugin related content.

 

My suggestion would be Firefox ESR, an extended support release of the browser. The reason for the suggestion is that ESR is regularly updated with security updates and bug fixes, but only every eighth release cycle with major feature updates.

 

This should give you even more time in regards to plugin support than regular versions of the browser. Also, you don't have to deal with changes made to the browser whenever new versions are released.

 

Alternatively, you may also download a portable version of Firefox to run it completely independently of any installed copies of the browser.

 

Setup

 

[Image: firefox plugins]

 

Download and install Firefox ESR from the official website. Make sure you download and use the 32-bit version as many plugins are not available as 64-bit versions.

If your main browser is not Firefox, skip the following step.

 

You cannot run Firefox ESR if another copy of Firefox is already running. To get around this, do the following:

  1. Close all versions of Firefox.
  2. Run Firefox ESR with the parameters -p -no-remote. If you have placed a desktop icon during installation, you may right-click on it and append the parameters to the end of the target line.
  3. The profile selection screen should appear.
  4. Select create profile and follow the instructions. I suggest you pick a descriptive name for the profile, e.g. Firefox Plugins Enabled.
  5. Once done, close the browser and edit the shortcut to -p "Firefox Plugins Enabled" -no-remote. This ensures that you can run the browser using the newly created profile directly without having to use the profile manager each time first.

Now that Firefox has been set up, it is time to install plugins on the system.

 

Plugin download links

Below is a selection of download links for popular plugins:

  1. Adobe Flash (make sure you uncheck the third-party offers on the download page)
  2. Java
  3. Microsoft Silverlight (make sure you uncheck Make Bing my Search Engine and Make MSN my homepage during installation).

Installation and configuration

 

[Image: plugins loaded]

 

Install the plugins on the system that you require. Once done, it may be necessary to block these plugins in other browsers so that they are only enabled when you run your Firefox ESR version.

 

If you are using another Firefox version, load about:addons in the browser, switch to plugins, and set all plugins you find on the page to "never activate".

In Internet Explorer, tap on the Alt-key, and select Tools > Manage Add-ons. Locate any plugin installed and set it to disabled on the page to make sure it is not used.

 

[Image: disable plugins]

 

I suggest you do so even if you are not using a browser at all.

 

Usage

All that is left now is to make sure you use the plugin supporting browser whenever you need to access content on the Internet that requires plugins, and another browser for the remaining activity.

 

Article source
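As an added example (not part of the original post or article), the following checks the "block these plugins in other browsers" step for Firefox profiles by reading the `plugin.state.*` entries from each profile's prefs.js. The pref names `flash`, `java` and `npctrl` (Silverlight), the state values 0/1/2, and the sample profile contents are assumptions constructed for illustration.

```python
import re

# Assumed meaning of the plugin.state.<name> values Firefox writes to prefs.js.
STATES = {0: "never activate", 1: "ask to activate", 2: "always activate"}
PREF_RE = re.compile(r'^user_pref\("plugin\.state\.([^"]+)",\s*(\d+)\);', re.M)


def plugin_states(prefs_text):
    """Return {plugin: state} for every plugin.state.* line in a prefs.js body."""
    return {name: int(value) for name, value in PREF_RE.findall(prefs_text)}


def audit(profiles, plugin_profile, plugins=("flash", "java", "npctrl")):
    """List (profile, plugin, state) for every profile other than the
    dedicated plugin profile in which a plugin is not set to never activate.
    A missing pref means the browser default applies, so it is reported too."""
    findings = []
    for profile, prefs_text in sorted(profiles.items()):
        if profile == plugin_profile:
            continue  # plugins are meant to run only in this profile
        states = plugin_states(prefs_text)
        for plugin in plugins:
            state = states.get(plugin)
            if state != 0:
                label = STATES.get(state, "not set (browser default)")
                findings.append((profile, plugin, label))
    return findings


# Constructed sample: prefs.js contents keyed by profile name.
SAMPLE_PROFILES = {
    "default": (
        'user_pref("browser.startup.page", 3);\n'
        'user_pref("plugin.state.flash", 0);\n'
        'user_pref("plugin.state.java", 1);\n'
    ),
    "Firefox Plugins Enabled": (
        'user_pref("plugin.state.flash", 2);\n'
        'user_pref("plugin.state.java", 2);\n'
    ),
}

if __name__ == "__main__":
    for profile, plugin, label in audit(SAMPLE_PROFILES, "Firefox Plugins Enabled"):
        print(f"{profile}: {plugin} is '{label}', expected 'never activate'")
```

To use it on a real system, build the `profiles` dictionary from the text of each profile's prefs.js file while Firefox is closed.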

4 hours ago, CODYQX4 said:

If you're doing this for security purposes you need a VM that can't access the host filesystem. Owned is owned no matter which browser you used so when Flash Exploit #9001 this month hits your portable Firefox and gets root, you're still screwed.

 

The isolation here is an illusion of security since most of the Flash exploits take the whole system, not just steal cookies.

 

Using a VM for just a browser is overkill. This is where Sandboxie or Shadow Defender were designed to be used. Tools, like wrenches, come in different sizes and for different uses and, like a wrench, you use the tool best designed for the job.


5 hours ago, straycat19 said:

 

Using a VM for just a browser is overkill. This is where Sandboxie or Shadow Defender were designed to be used. Tools, like wrenches, come in different sizes and for different uses and, like a wrench, you use the tool best designed for the job.

Once Java 9 comes out (it's already in beta), it doesn't have a browser plugin. Why do people still use this crap in their browser when the company that makes it is going to stop supporting it soon and advises against it? If you've got to use Sandboxie or SD, that is overkill to me. I haven't used any of this in many years, and the only reason I know about these programs or tested them was because I visited warez sites, and I have never been infected. I think the last time I caught a Java virus was before XP SP2 came out, but why would I need to turn the Java plugin on in my browser? You would have to Google down sites that still use it, no thanks.

https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free 

 

Then you have all these schools who are vulnerable to SamSam ransomware because they use outdated JBoss, which is written in Java and implements the Java Platform.

 

No schools or normal users use Sandboxie or SD. Stop thinking like a geek!

 

Vulnerability in Java Reflection Library Still Present after 30 Months

https://www.infoq.com/news/2016/04/java-reflection-vulnerability

 

It's not really safe to use outside your browser either, because they're not fixing bugs like they should! I only have Java in Linux, where the apps that use it don't run as root.

 

Google doesn't have the plugin in their browser, but they have apps made out of Java that are vulnerable.

Quote

 

When the issue resurfaced in March 2016, the latest available version at the time, 8u74, proved to be vulnerable. Since then, Oracle has released three updates for Java, namely 8u77, 8u91 and 8u92. However, judging by their release notes, none of those seems to have addressed the problem. In addition, although the vulnerability was initially thought to affect only sandboxed Java Web Start applications and sandboxed web applets, it has been proven to affect server configurations and Google App Engine for Java as well.


Archived

This topic is now archived and is closed to further replies.
