Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
Re:Headline? (Score:4, Informative)
Firefox plugins still use NPAPI. Extensions use javascript/XUL.
Simple solution built into Opera... (Score:3, Informative)
Quick options toggle menu -> enable/disable plugins.
(with whitelisting and blacklisting of particular sites available of course)
easy solution (Score:3, Informative)
Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).
Re:Headline? (Score:5, Informative)
I'm guessing because plugins in firefox are written using javascript and XUL
No. Addons use XUL & JavaScript, plugins are native.
What's the difference? Flash, Java, etc are plugins, AdBlock Plus, Firebug, etc are addons
Re:Sandboxing? (Score:4, Informative)
"...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."
I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.
Re:The problem isn't browsers. (Score:5, Informative)
Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".
Re:The model (Score:2, Informative)
VMWare, for example, uses a virtual I/O port (just google 0x564D5868) in the VM to communicate with the process running the VM.
If you can communicate with the VM, it stands to reason you probably can break out of it.
The only way to be sure your computer is safe is to unplug it.
Re:The problem isn't browsers. (Score:3, Informative)
Great! You got +5 insightful for an unenlightened post.
So you have a process, the browser. And within that process, is a security hole. And in the context of the browser, there's this scripting language called "javascript" which (tadum!) executes code. Code which might take advantage of aforementioned security hole.
In this example, the Operating System isn't even involved - it's all happening within the browser. Yet, your security is still hosed. There's still a keylogger running inside browser space, and when you go to your bank, they still get your access credentials.
How would you expect the operating system to protect you here? In this space, the Operating System is barely relevant at all!
Addons Modified Without Author Consent (Torbutton) (Score:1, Informative)
Especially when there's unauthorized modifications to addons/plugins BEHIND the backs of the addon authors!
Imagine.. you've gone through all the trouble to properly configure Tor and the Proxy of your choice, only to have the possibility of the plugin itself (Torbutton) modified by someone other than the author and such access could easily provide a vector of attack where a trojan can easily be inserted.
Torbutton is a very popular Firefox addon which makes Tor usage easy.
Read here where the Torbutton author mentions how his Torbutton .xpi release was modified without his consent (and you, the users, download what's been modified AFTER he last modified it!):
http://archives.seul.org/or/talk/Jan-2010/msg00189.html
"Thus spake Paolo Palmieri (palmaway@xxxxxx):
> Sorry, but I have to point out that none of the proposed solutions really
> work, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the .xpi's on it (correct me if I'm wrong
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also adds some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple .asc file.
>
> So, I have to join Jim's plea. Mike, could you please put the .xpi's .asc
> signature files on the TorButton website?
>
You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..
I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/
> P.S. Are git connection to the Tor git's repository protected by TLS
> against a valid certificate?
No. The git:// protocol is not protected. You need to rely on the tag
signatures.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs"
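The exchange above turns on one point: TLS proves only which server you talked to, while a detached .asc signature checked against a key you already trust proves who produced the file. The script below is an added example (not Tor project or Torbutton code) of how a client side check of a downloaded .xpi would look. It assumes gpg is on PATH with the maintainer's release key already imported, and that PINNED_FINGERPRINTS holds that key's real fingerprint, obtained out of band; the fingerprint, key IDs and status lines in the block are constructed placeholders. The decision logic is separated from the gpg call so it can be exercised on canned output.

```python
"""Verify a downloaded .xpi against its detached .asc signature and a pinned key.

Added example, not Tor project code. Assumptions: gpg is on PATH, the
release signing key has already been imported, and PINNED_FINGERPRINTS
holds the maintainer's real fingerprint (the value below is a constructed
placeholder).
"""
import re
import subprocess
from dataclasses import dataclass, field

# Placeholder: replace with the fingerprint the maintainer publishes out of band.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Any of these gpg status keywords means the file must be rejected.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "EXPSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: list = field(default_factory=list)


def judge_status(status_text: str, pinned=PINNED_FINGERPRINTS) -> Verdict:
    """Decide from gpg's machine-readable --status-fd output.

    Only a VALIDSIG line carrying a pinned fingerprint is accepted. GOODSIG
    alone is not enough: it reports a key ID, not the full fingerprint, and
    a fatal status line anywhere in the output rejects the file outright.
    """
    seen_fatal = []
    valid_fprs = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword in FATAL:
            seen_fatal.append(keyword)
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            # parts[2] is the fingerprint of the (sub)key that signed; when a
            # subkey signed, gpg appends the primary key fingerprint last.
            valid_fprs.append(parts[2].upper())
            if len(parts) >= 12 and re.fullmatch(r"[0-9A-Fa-f]{40}", parts[-1]):
                valid_fprs.append(parts[-1].upper())
    if seen_fatal:
        return Verdict(False, "gpg reported " + ",".join(seen_fatal), valid_fprs)
    if not valid_fprs:
        return Verdict(False, "no VALIDSIG line (unsigned or unparseable output)", valid_fprs)
    pinned_upper = {f.upper() for f in pinned}
    matched = [f for f in valid_fprs if f in pinned_upper]
    if not matched:
        return Verdict(False, "signature valid but key is not the pinned release key", valid_fprs)
    return Verdict(True, "signed by pinned key " + matched[0], valid_fprs)


def verify_xpi(xpi_path: str, asc_path: str, pinned=PINNED_FINGERPRINTS) -> Verdict:
    """Run gpg on the real files, routing the status channel to stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, xpi_path],
        capture_output=True, text=True,
    )
    return judge_status(proc.stdout, pinned)


# Constructed status output for demonstration; not captured from a real gpg run.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] SIG_ID abc123 2010-01-20 1264000000\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-01-20 1264000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>\n"
)
SAMPLE_WRONG_KEY = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2010-01-20 1264000000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("wrong key", SAMPLE_WRONG_KEY)]:
        v = judge_status(sample)
        print(f"{name}: ok={v.ok} ({v.reason})")
```

The "wrong key" case is the one the thread is really about: a file that carries a perfectly valid signature from a key that is not the maintainer's is still rejected, which is what a signature published on a server the attacker may control cannot guarantee on its own.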
Re:Headline? (Score:3, Informative)
It's because people see Firefox as the savior of the Internet, something infallible.
Re:Sandboxing? (Score:3, Informative)
Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx
It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all!
Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.
See "Protected Mode" at:
http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security
http://en.wikipedia.org/wiki/User_Account_Control