Web browsers have become much more secure and hardened against attack over the years. Google even offers cash prizes to people who report security holes. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser – I mean those plugins that any web page can take advantage of, like Adobe Flash, Adobe Reader, and Oracle’s Java.
Some readers found my comments encouraging people to uninstall Java if they don’t use it controversial. I stand by them, and I’ll tell you why. I’ll also tell you what you can do to help protect yourself.
The Flashback trojan infected over 600,000 Macs. How’d it infect them? It called the Java plugin from a web page and loaded a special Java applet that exploited a Java bug, gaining access to the system. Having Java installed increases your attack surface. Now picture a browser with multiple plugins – Java, Flash, PDF reader, QuickTime, Silverlight, Unity Web Player, RealPlayer (I’m sure some people still have that installed), and more – and you’ll see just how much plugins increase your attack surface. Each plugin must be updated separately using its own update manager. While browser vendors are under heavy scrutiny to write secure code, plugin developers don’t seem to have the same fire in their bellies, and many of them have atrocious security records.
The great thing about compromising a plugin is that you can compromise multiple platforms at once. Find a security hole in Flash and you’re able to compromise nearly every browser on the planet – Internet Explorer on Windows, Safari on a Mac, Firefox on Linux – you can run wild.
Plugins are far behind browsers when it comes to security practices, particularly automatic updates. Google Chrome, Mozilla Firefox, and even Internet Explorer now automatically update by default. In comparison, Oracle’s Java plugin checks for updates once a month by default. And, instead of automatically updating, it shows a little system tray icon that many inexperienced users will ignore. Sure, you can increase the update-checking frequency, but this is not the behavior of a company that cares about security. It’s no wonder that Chrome blocks Java from running by default and instructs users to only run it on websites they trust.
Instead, browsers have had to pick up the plugin developers’ slack and blacklist older plugin versions to prevent them from running. Adobe Flash has recently hopped aboard the automatic-updating bandwagon, but it should have started years ago.
You don’t have to go far to find studies about how big a problem browser plugins are. We’ve already established that browser plugins should be updated frequently, but:
- A May 2011 study found that 40% of Java plugins in the wild were unpatched. (Source)
- A November 2011 study found that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out-of-date. (Source)
The Future is Plugin-less
Browser plugins are on their way out. Once upon a time, browser plugins were necessary – you’d need special video-playing plugins just to play videos on web pages. Adobe Flash added a lot of features to the web when Microsoft halted development on Internet Explorer and left Internet Explorer 6 to rot and stagnate. IE 6 is still a problem to this day.
Now, HTML5 and accelerating browser development are on the verge of obsoleting plugins completely. New platforms like iOS, Windows Phone, and the Metro environment on Windows 8 don’t support Flash. Android supports Flash, but Adobe has ended development on Flash for mobile. It’s only a matter of time before they end development of Flash for desktops and focus on developing authoring tools that output to HTML5.
What You Can Do
First things first: uninstall plugins you don’t use to reduce your attack surface. You can see what plugins you have installed from your browser’s plugin manager. Type about:plugins into the address bar in Chrome, open the Add-ons window and select Plugins in Firefox, or select Manage Add-ons in Internet Explorer’s Tools menu. To actually uninstall the plugins, use the Control Panel.
If you use a plugin and keep it installed, you’ll need to keep it updated. Mozilla offers a useful page that scans your plugins and checks if they’re up-to-date – it works with all browsers, not just Firefox.
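The same inventory-and-version check the two paragraphs above describe (list your plugins, then see whether the risky ones are current) can be done from a short script. This is an added example, not code from the original post or from any vendor: it audits a list of plugin entries shaped like the browser’s navigator.plugins objects, flags the plugin families discussed in this article, and compares each one’s version against a minimum. The sample plugin list, the name patterns and the minimum versions are constructed placeholders, not real release data.

```javascript
// Added example: audit a plugin list for the high-risk families this post discusses.
// Constructed sample input mirroring the shape of navigator.plugins entries
// (name, description, filename). In a browser you would pass Array.from(navigator.plugins).
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 11.2 r202", filename: "NPSWF32.dll" },
  { name: "Java(TM) Platform SE 6 U31",
    description: "Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers", filename: "npjp2.dll" },
  { name: "Chrome PDF Viewer", description: "", filename: "pdf.dll" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape 10.1.3",
    filename: "nppdf32.dll" },
];

// Plugin families singled out above. Patterns and minimum versions are assumptions /
// placeholders: replace the minimums with the vendor's current release before relying on this.
const RISKY_FAMILIES = [
  { family: "Java",         pattern: /java/i,                   minVersion: "1.7.0" },
  { family: "Flash",        pattern: /shockwave flash/i,        minVersion: "11.2" },
  { family: "Adobe Reader", pattern: /adobe (acrobat|reader|pdf)/i, minVersion: "10.1.4" },
  { family: "QuickTime",    pattern: /quicktime/i,              minVersion: null },
  { family: "Silverlight",  pattern: /silverlight/i,            minVersion: null },
];

// Pull the first dotted numeric run out of free text, e.g. "11.2" or "1.6.0_31" -> "1.6.0.31".
function extractVersion(text) {
  const m = /(\d+(?:[._]\d+)+)/.exec(text);
  return m ? m[1].replace(/_/g, ".") : null;
}

// Segment-wise numeric comparison (so "1.10" > "1.9"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return one finding per plugin that matches a risky family, with an outdated flag
// when a version could be parsed and a minimum is known.
function auditPlugins(plugins) {
  const findings = [];
  for (const p of plugins) {
    const haystack = `${p.name} ${p.description}`;
    const hit = RISKY_FAMILIES.find(f => f.pattern.test(haystack));
    if (!hit) continue;                       // e.g. the built-in Chrome PDF Viewer is not flagged
    const version = extractVersion(haystack);
    const outdated = version !== null && hit.minVersion !== null &&
                     compareVersions(version, hit.minVersion) < 0;
    findings.push({ family: hit.family, name: p.name, version, outdated });
  }
  return findings;
}
```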
You can also enable “click-to-play” support in Chrome or install an add-on like Flashblock for Firefox. To enable click-to-play in Chrome, click the wrench menu, select Settings, click Show advanced settings, click the Content Settings button, and enable Click to Play under Plug-ins. This will prevent plugins from running on web pages until you explicitly allow them.
What do you think of browser plugins and the security issues surrounding them? Leave a comment and let us know.