Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

Re:Sandboxing?

[Anonymous Coward]

I don't think any of them sandbox plugins, by default.

Chrome has a --safe-plugins option which appears to do it, but I imagine it breaks a lot of plugins, which is why it wouldn't be default.

In other news, water is wet.

[MrCrassic]

It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.

Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.

Re:Headline?

[plasmator]

I was just about to ask the same thing, especially when the summary lists FF.

I like Firefox, it's my primary browser, but not listing it in the headline is just lying by omission.

The model

[Anonymous Coward]

Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.

It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.

Re:Sandboxing?

[Anonymous Coward]

No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.

First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.

Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.

Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.

The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.

Re:Adobe reader plugin?

[Trepidity]

If you're just reading the occasional journal article or something, that's reasonable, yeah. The original idea of the PDF plugin was that PDFs would be more widespread, as part of websites, so it'd be a hassle to download/view every time you ran across a PDF. That's thankfully not as common as Adobe had hoped, but for some kinds of sites it's still a bit of a hassle if you have no plugin--- restaurant sites that seem to find it necessary to put their lunch/dinner/drinks menus into three separate PDFs come to mind.

Re:Sandboxing?

[Anonymous Coward]

The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone. Blah blah blah. Yeah because nothing ever evolves. Everything should stay static. I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have. You know you can always use Dillo or Lynx if you want to view documents and do your basic browsers.

Re:Sandboxing?

[Your.Master]

"Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users."

True, and that's often lost on people, but irrelevant to the subject at hand. We were talking about whether a browser could do anything to mitigate insecure plugins as an attack vector short of disabling plugins.

"Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place."

Explain.

Re:The model

[vtcodger]

***Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.***

That'd be my opinion as well, but apparently you and I are Luddite idiots.

My guess is that if you are right, it will take at least two decades and perhaps one or more complete breakdowns of e-Commerce and/or web services to bring any significant number of folks around to your point of view.

Acrobat plugin has been my nemesis for years.

[argent]

I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".

And people WANT Flash on their phone...

[rinoid]

My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.

kdawson manipulated the title of the summary

[Smurf]

It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.

I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.

kdawson strikes again...

Re:Firefox?

[onefriedrice]

I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

Probably not so much anti-IE as pro-Firefox, seeing as how that was pretty much the only browser missing from the list in the title, which should have read "Insecure Plugins a Problem for Browsers."

Re:easy solution

[Tumbleweed]

Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

Great, another reason to loathe Facebook. Like I needed another. *shrug*

Re:Headline?

[Anonymous Coward]

And Linux.

Re:Sandboxing?

[ElSupreme]

Well maybe you should stop bitching about an 8 year old OS not doing what you want.
And maybe you should stop bitching about an 8 year old Browser not doing what you want.

Because people don't use some functionality, or have (in computing lifetimes) ANCIENT software. Don't blame the modern product. It was IMPOSSIBLE to sandbox Safari when XP and IE6 came out. Because no version was released! Same goes for Firefox (Firebird too), and Chrome.

Congratulations you just compared IE6 on an 8+ year old OS, to browser LINES that didn't exist when EITHER XP OR IE6 came out. Opera did exist.

It is time to face it IE8 is a good browser. Worthy of comparison to Firefox. IE7 and IE6 were horrible. In fact when IE6 came out, I stayed with IE5, until I used mozilla, then Firebird, well before it became Firefox.


Soures: (non-primary)
http://en.wikipedia.org/wiki/Win_XP [wikipedia.org]
http://en.wikipedia.org/wiki/Internet_Explorer_6 [wikipedia.org]
http://en.wikipedia.org/wiki/Safari_(browser) [wikipedia.org]
http://en.wikipedia.org/wiki/Firebird_(browser) [wikipedia.org]
http://en.wikipedia.org/wiki/Opera_(browser) [wikipedia.org]