People always point the finger at Flash like it’s the only insecure plugin out there. And it certainly is a big risk. But it’s not the only plugin you should be aware of – there are plenty of others that have been used as attack vectors for delivering malware. Fortunately, many of them can be disabled with few ill effects.
Here are three that you probably have installed in your browser right now, as well as a few more that might be hiding out somewhere.
The Threat from Java
According to a blog post from Cisco, Java was a preferred attack vector as recently as 2013. It had a lot of security vulnerabilities, and it was easy to exploit. Even earlier this year, Apple reported a piece of malware called Flashback that was attacking Macs through a vulnerability in Java. And in December 2015, the BBC reported that Oracle was getting ready to report a security flaw that they’d been aware of since at least 2010.
Fortunately, Cisco has also reported that Java’s popularity as an attack vector is declining, in part due to increased effort by Oracle to step up the security of the plug-in. Newer versions of Java automatically apply patches and have stronger security measures in place – it’s also becoming the case that older versions of Java are being blocked from running, reducing the chances that old security vulnerabilities can be taken advantage of.
The best way to stay safe from Java vulnerabilities is to disable Java in your browser. If a website wants to run it, you can manually re-enable it, but it’s best to do it only if you really need it. You can disable Java system-wide on OS X to increase your security, too. If you decide to let Java keep running, make sure you update it often (though be aware that fake Java security updates are often used to get you to download malware).
Silverlight – More Dangerous than it Sounds
Now that Netflix uses HTML5 instead of Silverlight, this plugin is seeing a lot less use. Still, anyone who has a Netflix subscription likely has it installed on their computer, where it could pose a threat. Silverlight has served as an attack vector in the past, and despite its decline, could serve as one in the future, especially if an old version is running.
The Angler exploit kit can target Silverlight, and it was used in malvertising attacks within the past couple years, so it’s still a threat. As with Java, fake update notifications are used by malware distributors to get you to download malicious software, so make sure that your updates are coming directly from Microsoft. Then again, you can almost certainly just uninstall it, as websites using it are becoming more rare by the day.
To read PDF files in your browser, you’ll need to use a PDF reader plugin. Chrome comes with its own PDF reader, but many other browsers likely still use Adobe’s Acrobat Reader plugin, the Foxit Reader plugin, or others to deal with PDF files.
This can be a security vulnerability in your browsing. PDF files have been used to distribute malware via email for quite a while, and the same techniques are used in browsers.
Malware Tracker calls PDF exploits “one of the most prevalent method[s] for remote exploitation,” and it’s a good idea to be suspicious of any PDF your browser tries to open. If it’s not from a site that you trust, or a link that you clicked brought you to an unexpected PDF file, you probably shouldn’t open it. Make sure you’re using click to play in Chrome, Firefox, Safari, or any other browser to keep PDF files from opening automatically.
Older Media Plugins
Java, Silverlight, and PDF readers are likely the most dangerous plugins you’re using right now, but that doesn’t mean there aren’t other threats. Most of those threats, though, come from older plugins that either aren’t receiving security updates or aren’t being made a priority by their developers. As browser technology has progressed, many of these plugins have become obsolete or a lot less common, but they’re possibly still installed on your computer, and could pose a threat.
Media players, like Apple’s QuickTime, RealPlayer, Windows Media Player, and Adobe’s Shockwave, are all good examples of plugins that you probably don’t use anymore, but could still have installed. And while your browser and antivirus software might be able to protect you from threats to these plugins, it’s still possible that an update notification or another ploy could trick you into downloading malicious software.
For the vast majority of people, uninstalling these plugins will be totally fine. Unless you knowingly use one of them on a regular basis, you should just get rid of them all. There’s almost no chance that you’ll need to use them anytime soon, and if you do, you can just reinstall them.
Other Dangerous Plugins?
Plugins are slowly dying, with fewer and fewer being used, and most of them being replaced by more secure alternatives (a quick check of my own browser revealed four plugins, all that came bundled with Chrome). Still, they can pose a significant threat to your privacy and security. By disabling or uninstalling the plugins above, you’ll make a significant improvement to your browser’s – and your computer’s – safety.
Are there other dangerous plugins out there? Which plugins do you use on a regular basis? Which have you safely uninstalled? Share your experiences below!