Browser Plugins – One of the Biggest Security Problems on the Web Today [Opinion]

Chris Hoffman 01-06-2012

Web browsers have become much more secure and hardened against attack over the years. Google even offers cash prizes to people that report security holes. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser – I mean those plugins that any web page can take advantage of, like Adobe Flash, Adobe Reader, and Oracle’s Java.


Some readers found my comments (in The Top 6 Things To Consider When You Install Java Software) encouraging people to uninstall Java if they don’t use it controversial. I stand by them, and I’ll tell you why. I’ll also tell you what you can do to help protect yourself.

Attack Surface

The Flashback trojan infected over 600,000 Macs. How’d it infect them? It called the Java plugin from a web page and loaded a special Java applet that exploited a Java bug, gaining access to the system. Having Java installed increases your attack surface. Now picture a browser with multiple plugins – Java, Flash, PDF reader, QuickTime, Silverlight, Unity Web Player, RealPlayer (I’m sure some people still have that installed), and more – and you’ll see just how much plugins increase your attack surface. Each plugin must be updated separately using its own update manager. While browser vendors are under heavy scrutiny to write secure code, plugin developers don’t seem to have the same fire in their bellies, and many of them have atrocious security records.

The great thing about compromising a plugin is that you can compromise multiple platforms at once. Find a security hole in Flash and you’re able to compromise nearly every browser on the planet – Internet Explorer on Windows, Safari on a Mac, Firefox on Linux – you can run wild.

Automatic Updates?

Plugins are far behind browsers when it comes to security practices, particularly automatic updates. Google Chrome, Mozilla Firefox, and even Internet Explorer now automatically update by default. In comparison, Oracle’s Java plugin checks for updates once a month by default. And, instead of automatically updating, it shows a little system tray icon that many inexperienced users will ignore. Sure, you can increase the update-checking frequency, but this is not the behavior of a company that cares about security. It’s no wonder that Chrome blocks Java from running by default and instructs users to only run it on websites they trust.

Instead, browsers have had to pick up the plugin-developers’ slack and blacklist older plugin versions to prevent them from running. Adobe Flash has recently hopped aboard the automatic-updating bandwagon, but they should have started years ago.

You don’t have to go far to find studies about how big a problem browser plugins are. We’ve already established that browser plugins should be updated frequently, but:

  • A May 2011 study found that 40% of Java plugins in the wild were unpatched. (Source)
  • A November 2011 study found that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out-of-date. (Source)

The Future is Plugin-less

Browser plugins are on their way out. Once upon a time, browser plugins were necessary – you’d need special video-playing plugins just to play videos on web pages. Adobe Flash added a lot of features to the web when Microsoft halted development on Internet Explorer and left Internet Explorer 6 to rot and stagnate. IE 6 is still a problem to this day (see If You’re Still Using IE6 You Are A Problem).

Now, HTML5 and accelerating browser development are on the verge of obsoleting plugins completely. New platforms like iOS, Windows Phone, and the Metro environment on Windows 8 don’t support Flash. Android supports Flash, but Adobe has ended development on Flash for mobile and says it will focus its efforts on HTML5 instead. It’s only a matter of time before they end development of Flash for desktops and focus on developing authoring tools that output to HTML5.

What You Can Do

First things first: uninstall plugins you don’t use to reduce your attack surface. You can see what plugins you have installed from your browser’s plugin manager. Type about:plugins into the address bar on Chrome, open the Add-ons window and select Plugins in Firefox, or select Manage Add-ons in Internet Explorer’s Tools menu. To actually uninstall the plugins, use the Control Panel.


If you use a plugin and keep it installed, you’ll need to keep it updated. Mozilla offers a useful page that scans your plugins and checks if they’re up-to-date – it works with all browsers, not just Firefox.


You can also enable “click-to-play” support in Chrome or install an add-on like Flashblock for Firefox. To enable click-to-play in Chrome, click the wrench menu, select Settings, click Show advanced settings, click the Content Settings button, and enable Click to Play under Plug-ins. This will prevent plugins from running on web pages until you explicitly allow them.
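A plugin-check page like Mozilla’s does roughly what the following added example does: read the browser’s plugin list, work out which family (Flash, Java, QuickTime) and which MIME types each entry covers, pull the version out of the description, and compare it with a minimum acceptable version. This is example code written for this article, not Mozilla’s plugincheck; the sample plugin entries and the baseline versions are constructed placeholders, and in a real browser you would pass Array.from(navigator.plugins) instead of the sample.

```javascript
// Constructed sample shaped like navigator.plugins entries. In a browser,
// each entry's mimeTypes would be MimeType objects; here they are flattened
// to the type strings so the example runs in Node without a browser.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 11.2 r202",
    mimeTypes: ["application/x-shockwave-flash"] },
  { name: "Java(TM) Platform SE 6 U31",
    description: "Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers",
    mimeTypes: ["application/x-java-applet"] },
  { name: "QuickTime Plug-in 7.7.2",
    description: "The QuickTime Plugin allows you to view a wide variety of media",
    mimeTypes: ["video/quicktime"] },
];

// Minimum acceptable versions: placeholders for this example, not vendor advisories.
const BASELINE = { flash: "11.3.0", java: "1.7.0", quicktime: "7.7.2" };

// Order matters: the first pattern that matches the name or description wins.
const FAMILY_PATTERNS = [
  ["flash", /shockwave flash/i],
  ["java", /java/i],
  ["quicktime", /quicktime/i],
];

function identifyFamily(plugin) {
  const hay = `${plugin.name} ${plugin.description}`;
  for (const [family, re] of FAMILY_PATTERNS) if (re.test(hay)) return family;
  return null;
}

// First dotted version in the description, then the name. Java's "1.6.0_31"
// update number is folded in as a fourth component so it compares correctly.
function extractVersion(plugin) {
  const m = `${plugin.description} ${plugin.name}`.match(/(\d+(?:\.\d+)+)(?:_(\d+))?/);
  if (!m) return null;
  return m[2] ? `${m[1]}.${m[2]}` : m[1];
}

// Numeric component-wise compare; missing components count as 0 (11.2 == 11.2.0).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// One report row per plugin: family, parsed version, and whether it is below
// the baseline (null when the family or version could not be determined).
function auditPlugins(plugins, baseline = BASELINE) {
  return plugins.map((p) => {
    const family = identifyFamily(p);
    const version = extractVersion(p);
    const outdated = family && version && baseline[family]
      ? compareVersions(version, baseline[family]) < 0 : null;
    return { name: p.name, family, version, outdated, mimeTypes: p.mimeTypes };
  });
}
```

Every row with outdated set to true is a plugin whose own update manager has not done its job; rows whose family is null are plugins the check does not know about and are worth a look in about:plugins.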


What do you think of browser plugins and the security issues surrounding them? Leave a comment and let us know.


  1. John Carmichael
    June 8, 2018 at 5:51 am

    HTML5 sucks. Google is cramming it down everyone’s throat because they invested a lot of money in their Chrome browser and use scare tactics to promote it. I see they have you on the bandwagon.

  2. Andy
    June 3, 2012 at 11:26 am

    Is it really about plugins? Whilst I find myself agreeing with your view, it is clear that the Attack Surface, as you describe it, increases naturally as the Internet content gets richer and more diverse... and that it is this depth and diversity that creates the basic problem!

    • Chris Hoffman
      June 4, 2012 at 8:01 am

      That's a good point. I tend to trust Mozilla, Google -- even Apple and Microsoft -- to write more secure code than Adobe.

      Another problem with plug-ins is that it's a monoculture. If you write an exploit that targets Chrome, other browsers are safe. If you write an exploit that targets Flash -- well, you've exploited every browser. (Chrome and maybe other browsers are running plugins with reduced privileges for this reason now, but still)

  3. Prakash Senapati
    June 3, 2012 at 6:33 am

    Way to go HTML 5

    • Chris Hoffman
      June 3, 2012 at 6:45 am

      Give it a few years and it'll be everywhere! (hopefully)

  4. David Commini
    June 2, 2012 at 7:19 am

    Good article with some great advice! I hate Java, like I really hate Java, but unfortunately I have to use it for work related issues.

    • Chris Hoffman
      June 3, 2012 at 3:10 am

      Right -- I have Java installed too. Still, I try to keep plug-ins down to a minimum. I don't have Quicktime installed because I don't use it.

      Readers don't have to run out and uninstall every plug-in, but it's good to be smart about the ones you choose and keep an eye on updates.

      • Laga Mahesa
        June 3, 2012 at 4:05 am

        Talking of which, why is Quicktime separated into 7 or so modules?

        • Chris Hoffman
          June 3, 2012 at 6:45 am

          Beats me -- if I recall correctly, there's a specific plugin for each type of media file. But I haven't used it in a while.

        • Douglas Mutay
          November 20, 2012 at 10:10 am

          I really think Quicktime should just not be used.

  5. Laga Mahesa
    June 2, 2012 at 12:51 am

    "about:plugins" in the address bar also works for Opera, except that it redirects to the proper internal "opera:plugins". Here you can disable, but not uninstall individual plugins - ticking the "Details" box shows what mimetype each plugin is responsible for.

    I just disabled my flash plugin. I'm going flash-less for the weekend as an experiment. I doubt I'll notice much difference.

    • Scutterman
      June 2, 2012 at 12:15 pm

      About:Plugins also works in Firefox, but that gives more detail, and links to plugincheck, than the one in about:addons

    • Chris Hoffman
      June 3, 2012 at 3:11 am

      If you watch stuff on YouTube, you'll notice. YouTube offers HTML5 versions of lots of videos, but anything with advertising has to be served as flash. Sadly, I and many other people still need flash -- for now.

      • Laga Mahesa
        June 3, 2012 at 4:03 am

        Interesting. The only advert-laden videos I remember seeing for a long time were trailers on Vimeo and others. I just browsed the front page of youtube and watched a couple tagged MakeUseOf and all worked fine, in HTML5.

        I wonder though if my good fortune lies in the fact that I'm in Indonesia, and a lot of those adverts are region-specific?

        • Chris Hoffman
          June 3, 2012 at 6:45 am

          This is definitely possible -- I'm not sure if YouTube shows fewer ads in some regions.