
Think Flash Is the Only Insecure Plugin? Think Again

Dann Albright 27-01-2016

People always point the finger at Flash like it’s the only insecure plugin out there. And it certainly is a big risk. But it’s not the only plugin you should be aware of – there are plenty of others that have been used as attack vectors for delivering malware. Fortunately, many of them can be disabled with few ill effects.


Here are three that you probably have installed in your browser right now, as well as a few more that might be hiding out somewhere.

The Threat from Java


According to a blog post from Cisco, Java was a preferred attack vector as recently as 2013. It had a lot of security vulnerabilities, and it was easy to exploit. Even earlier this year, Apple reported a piece of malware called Flashback that was attacking Macs through a vulnerability in Java. And in December 2015, the BBC reported that Oracle was getting ready to report a security flaw that they’d been aware of since at least 2010.

Fortunately, Cisco has also reported that Java’s popularity as an attack vector is declining, in part due to increased effort by Oracle to step up the security of the plug-in. Newer versions of Java automatically apply patches and have stronger security measures in place – it’s also becoming the case that older versions of Java are being blocked from running, reducing the chances that old security vulnerabilities can be taken advantage of.

The best way to stay safe from Java vulnerabilities is to disable Java in your browser. If a website wants to run it, you can manually re-enable it, but it’s best to do it only if you really need it. You can disable Java system-wide on OS X to increase your security, too. If you decide to let Java keep running, make sure you update it often (though be aware that fake Java security updates are often used to get you to download malware).


Silverlight – More Dangerous than it Sounds


Now that Netflix uses HTML5 instead of Silverlight, this plugin is seeing a lot less use. Still, anyone who has a Netflix subscription likely has it installed on their computer, where it could pose a threat. Silverlight has served as an attack vector in the past, and despite its decline, could serve as one in the future, especially if an old version is running.

The Angler exploit kit can target Silverlight, and it was used in malvertising attacks within the past couple years, so it’s still a threat. As with Java, fake update notifications are used by malware distributors to get you to download malicious software, so make sure that your updates are coming directly from Microsoft. Then again, you can almost certainly just uninstall it, as websites using it are becoming more rare by the day.

PDF Readers



To read PDF files in your browser, you’ll need to use a PDF reader plugin. Chrome comes with its own PDF reader, but many other browsers likely still use Adobe’s Acrobat Reader plugin, the Foxit Reader plugin, or others to deal with PDF files.

This can be a security vulnerability in your browsing. PDF files have been used to distribute malware via email for quite a while, and the same techniques are used in browsers.

Malware Tracker calls PDF exploits “one of the most prevalent method[s] for remote exploitation,” and it’s a good idea to be suspicious of any PDF your browser tries to open. If it’s not from a site that you trust, or a link that you clicked brought you to an unexpected PDF file, you probably shouldn’t open it. Make sure you’re using click to play in Chrome, Firefox, Safari, or any other browser to keep PDF files from opening automatically.

Older Media Plugins



Java, Silverlight, and PDF readers are likely the most dangerous plugins you’re using right now, but that doesn’t mean there aren’t other threats. Most of those threats, though, come from older plugins that either aren’t receiving security updates or aren’t being made a priority by their developers. As browser technology has progressed, many of these plugins have become obsolete or a lot less common, but they’re possibly still installed on your computer, and could pose a threat.

Media players, like Apple’s QuickTime, RealPlayer, Windows Media Player, and Adobe’s Shockwave, are all good examples of plugins that you probably don’t use anymore, but could still have installed. And while your browser and antivirus software might be able to protect you from threats to these plugins, it’s still possible that an update notification or another ploy could trick you into downloading malicious software.

For the vast majority of people, uninstalling these plugins will be totally fine. Unless you knowingly use one of them on a regular basis, you should just get rid of them all. There’s almost no chance that you’ll need to use them anytime soon, and if you do, you can just reinstall them.

Other Dangerous Plugins?

Plugins are slowly dying, with fewer and fewer being used, and most of them being replaced by more secure alternatives (a quick check of my own browser revealed four plugins, all that came bundled with Chrome). Still, they can pose a significant threat to your privacy and security. By disabling or uninstalling the plugins above, you’ll make a significant improvement to your browser’s – and your computer’s – safety.


Are there other dangerous plugins out there? Which plugins do you use on a regular basis? Which have you safely uninstalled? Share your experiences below!


  1. Anonymous
    January 28, 2016 at 2:41 am

    I haven't added any plugins of my own, so the four I have came with the Chrome installation itself:

    1. Native Client
    2. Widevine Content Decryption
    3. Chrome PDF
    4. Adobe Flash

    I've recently disabled #1 and haven't noticed any difference. I will likely disable #2 as well and see if anything weird should happen (I don't use Netflix).

    Browser PDF, I do use. Finally, I look forward to the day when Adobe Flash dies. Will it?

    • Dann Albright
      January 28, 2016 at 7:31 pm

      I don't really know what Native Client or Widevine do . . . if you disable Widevine, let us know how it goes! See if there are any noticeable effects.

      I don't think Flash will totally disappear, but I think it'll become less and less common. You can get away with only using it very rarely right now.