Insecure Plugins Ding IE, Safari, Chrome, Opera 141
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
Headline? (Score:3, Interesting)
Why doesn't the headline list Firefox, too?
Re:Sandboxing? (Score:3, Interesting)
From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)
"Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
"Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."
Adobe reader plugin? (Score:2, Interesting)
I never acutally understood the reason for a PDF plugin. Why can't i just download the bloody file and look at it? On second thought, that's what i usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?
Firefox? (Score:2, Interesting)
Re:In other news, water is wet. (Score:1, Interesting)
Oh cmon, kdawson! (Score:1, Interesting)
Why was firefox left out of the article name?
Re:The model (Score:2, Interesting)
Re:The problem isn't browsers. (Score:1, Interesting)
Your browser wants to download a picture. Cancel/Allow?
Your browser wants to download a plugin. Cancel/Allow?
Your browser wants to show you what you just clicked on. Cancel/Allow? Allow: owned.
That doesn't work either.
Re:Sandboxing? (Score:5, Interesting)
IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.
The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.
Re:Wrong. Extensions can use native code. (Score:4, Interesting)
Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface [mozilla.org] to call any code C++ could.
It is essential to look at Javascript extensions as having the same security properties as native code ones.
However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process [mozdev.org], where in principle, they can be sandboxed [lwn.net].
Re:Sandboxing? (Score:1, Interesting)
Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.
That's amusing because it goes completely contrary to what the winners of the Pwn2Own contest showed. In fact the browsers running on Windows (whether it be Firefox or Safari) were shown to be more immune to attack on that OS than on Linux or OS X.
Re:Two Browsers? (Score:3, Interesting)
How about two users? That is what I do. I have one user for insecure internet access, and another for financial transactions. The home directory of the account for financial transactions is chmod 700.
Really, I use several user accounts --one for the X server, one for multimedia / video games, one for my real work / valuable files, etc. It isn't any hassle to use the insecure internet or video game accounts because I have them set up so I don't need a password when I su from the X server account. Makes it very easy to drop privs.
Yes, this doesn't protect from the insecure account running malware, or that malware breaking through a local root exploit, so an eye has to be kept on it still, but it is better to make life more difficult for malware writers, and if they stay trapped in the one account, cleanup is relatively easy.
Re:Sandboxing? (Score:3, Interesting)
Having a house with windows and doors locked is a bit silly, especially when you could just as well build a bunker around your house.
MS sees bunkers as competitors to be contained until MS has the functionality via buy out or "innovation'