Settings->Show Advanced Settings->Content Settings->Plug-Ins->Click to play
Settings->Show Advanced Settings->Content Settings->Plug-Ins->Manage Exceptions->[*.]youtube.com->Allow->Ok
You're now fairly safe from MOST drive-by attacks, except those that impact Chrome directly.
The masses would have moved off Windows and IE already in the days of the ActiveX holes if they cared, but instead Microsoft kept customers happy by keeping it on for years and years.
If OS X ships with a built-in PDF viewer then it probably presents the bigger attack surface, thus could be less secure than Adobe's products in that case. But as an individual (non-enterprise) user, statistically you'd still be better off with some niche third-party offering.
The CanSecWest slides I found had him fuzzing standalone "PDF applications". This whole problem is because of handing random stuff from the internet to third-party native code! Nowadays the browsers are in a class of their own with regard to security.
Anyway, on my Windows computer I uninstalled it last week and installed Foxit. Too bad so many websites still need Flash.
Plenty more to come I reckon.
I just tried out every single open-source or Adobe Reader alternative for my wife to read university-issued material in PDF.
The only one that could render the documents correctly was Adobe Reader. So, that's what she is using, with all the vulnerabilities.
Every hour Adobe Acrobat will add some garbage or do something different with the files it outputs, so that you can only read them in Adobe Reader.
Only printers should have to read PDFs. If even...
What, besides their own sense of ethics, stops the original exploit discoverer from selling the exploit to someone else, who will then resell it back to the US government? That seems like a lot easier way to get more money from your exploit than, say, developing contacts with a second government.
The only way I can think of for the US government to effectively prevent you from reselling your exploits is to monitor your communications and finances for anything shady - whenever the exploit is independently discovered, they would have to do some research into your behavior to make sure it was actually independently discovered. Hell, why wouldn't they do this monitoring all along to make sure you're not trying to sell it to a foreign government?
I'm probably just paranoid, but being one of the few people who know something the US government would like to keep a secret doesn't sound like a good position to be in. I'd want to be rather well paid.
This is an attempt at dry humor. Or more accurately in this case, dark humor.