Slashdot Mirror
Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
But doesnt sandboxing these plugins make these browsers secure?
Why doesn't the headline list Firefox, too?
It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.
Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.
Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.
It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.
Quick options toggle menu -> enable/disable plugins.
(with whitelisting and blacklisting of particular sites available of course)
One that hath name thou can not otter
The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.
My blog
I never acutally understood the reason for a PDF plugin. Why can't i just download the bloody file and look at it? On second thought, that's what i usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?
I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?
Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).
I had a friend at university named Eleonora . You've just besmirched her name by referencing an article about 'Eleonore'. :(
Why was firefox left out of the article name?
It has been my opinion since I heard of the work being done by Microsoft in Internet Explorer 8.0 and Google in Chrome that the browser companies need to come together and come up with an official set of specifications for loading and hosting plug-ins out of process and under a constrained execution context. The problem is that none of the current plug-ins are designed to function as such and either will not work or require special consideration in the browser to function. The only way to mitigate these issues is to sandbox the plug-ins, but the only way to do that in a manner that doesn't break everything is to make sandboxed plug-ins the norm.
Reading this headline quickly, for a second I thought there was a new browser out named "Ding".
Or I guess, this being 2010 and all, it would have to be named "ding". The lower-case names apparently show extra coolness or something.
You are welcome on my lawn.
It's certainly possible to create a Firefox extension (Addon) that uses native code. It's even possible to create a "fat xpi" (if you will) that will work across all supported architectures, though the build process is a little hairy.
Plugins also contain native code, but talk to Mozilla using a different API. In theory, this API works across multiple browsers.
Extensions can do everything plugins can, and a whole lot more. The only advantage a plugin has is a stable, cross-browser ABI.
In fact, they can even be worse than plugins.
The only way to ensure extensions are safe would be to have a verification process on every one of them.*
An automatic extension tester could be run on every extension before being released.
This will check for any resources it accesses, just in case they tried to be smart and hide code execution from potential scanners.
Then there should be a simple table of what an extension does.
Accesses External URLs, accesses history, accesses cache, accesses bookmarks, local storage, file management probably the main ones. Read / write on all of those.
You should also be allowed to disable access to either the R/W permissions on any of those sections of functionality.
While automatic testing of extensions on submission servers is possible, testing for date triggers might not be as easy to find in decent obfuscated code.
Good luck getting Mozilla, Opera or Google to add this in. "Oh it's too complicated, users don't need to see that" will probably be the general opinion. Pathetic.
* Or go the evil route and ask for personal information and deny any without it.
One reason for me to use linux on my computers is that i know that there is only one plugin which i need to take care about, and that is flash. the rest is updated automatically and that is reflected in the numbers in the article (Firefox versions distributed with ubuntu having a lot of hits, but few exploits). So no, Linux is noch more secure technologically. But the fact that you pay somebody (in my case Dell payed somebody) for keeping *all* your software uppdated by less than a click a day *is* making the more secure. If i look at what windows used have to install manually before the system is approximately as usable as a freshly installed linux, i am scared. I am a lazy ass, and i know that the plugins, *required* for watching the crap (aka documentation) some companies deliver with their products, windows virtual machines i use (for CAD) are not updated frequently. Ah, and i use noscript. A webpage has to be important to get flash turned on.
I hope I'm not the only one who noticed that the headline neglected to include Firefox, but that the article makes it clear they are equally at risk.
Especially when there's unauthorized modifications to addons/plugins BEHIND the backs of the addon authors!
Imagine.. you've gone through all the trouble to properly configure Tor and the Proxy of your choice, only to have the possibility of the plugin itself (Torbutton) modified by someone other than the author and such access could easily provide a vector of attack where a trojan can easily be inserted.
Torbutton is a very popular Firefox addon which makes Tor usage easy.
Read here where the Torbutton author mentions how his Torbutton .xpi release was modified without his consent (and you, the users, download what's been modified AFTER he last modified it!):
http://archives.seul.org/or/talk/Jan-2010/msg00189.html
"Thus spake Paolo Palmieri (palmaway@xxxxxx):
> Sorry, but I have to point out that none of the proposed solution really .xpi's on it (correct me if I'm wrong .asc file. .xpi's .asc signature files on the TorButton website?
> works, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also add some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple
>
> So, I have to join Jim's plea. Mike, could you please put the
>
You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..
I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/
> P.S. Are git connection to the Tor git's repository protected by TLS
> against a valid certificate?
No. The git:// protocol is not protected. You need to rely on the tag
signatures.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs"
I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".
You don't need to run *privileged* code to exploit a vulnerability in an application. A normal user or even a browser running in a chrooted jail can still be used to launch attacks on other computers, take part in a botnet, and so on. Not to mentioon that if your browser's compromised it's sitting there waiting to steal your passwords and attack your bank accounts.
And "let me do something stupid" dialogs are little protection, because if they're used often enough to be effective they just train people to let the computer do something stupid.
No, once you're penetrated, you're ****ed.
My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.
I sort of have to agree that the browser as a one stop shop is getting sort of untenable. Frankly, I have no desire to do my online banking with the same piece of software I explore random information on all day with computers around the world run by people I don't even know. But whats the solution, two browsers? Were things any better in the 90s when I would download random exe's to do small little tasks now handled by rich web apps? At some level the only solution to this is to use separate, incompatible systems to do different levels of tasks(even if they reside in the same case). And even then, spoofing for secrets would still be a problem.
It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.
I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.
kdawson strikes again...
Insecure Plugins DING IE, Safari, Chrome, Opera
http://tech.slashdot.org/comments.pl?sid=1512306&threshold=-1&commentsort=0&mode=thread&cid=30782898
It is common sense to anyone that understands computing. In fact, the third enumerated point there in the link above merely reflects what they say about browser addons to a tee. Pity is that it got he attacked by the fanboys and trolls here as is usual for his posts from what I have seen directed his way.
It would be naive to think that only Acrobat Reader has vulnerabilities. Foxit Reader has some, too.
Anyway, it's probably still a good solution since Acrobat Reader is unnecessarily bloated, and I totally agree to disable Java.
When IE had 90%+ marketshare it was easy to target a huge number of users at once with a single exploit, now that the browser market is more competitive it's harder for malware authors to attack. They could still write an exploit for a single browser, but that would target only a percentage of users...
As a result, malware authors look for something new which is as widespread as possible... Most browsers have flash and pdf plugins, and the alternatives in these markets are still extremely rare so they're a good start. So while your victims might be running any from a handful of browsers, they will all be running exactly the same flash plugin. Find an exploit in that, and you suddenly have a 90%+ target area again.
Any single source software that becomes too widespread will be a target for attack... Having a competitive market makes things difficult for the attackers.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
In the risk of appearing trollish, I would say that this is why "integrists" of FOSS like the debian group are useful even in a world where the Ubuntu compromise had such a success.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
What I did was use AppArmor to basically restrict firefox from writing to anything but its own config files, as well as a single directory for downloads. It also can't read from any of my user files ( like my mail or documents). I even stopped it from executing external programs like PDF readers or OpenOffice seeing that I prefer to download the files and open them manually anyway.
I disabled Java, installed no-script (surfing slashdot is way smoother without javascript btw ) and set firefox to clear all cookies and other offline data when I close it down. It also doesn't have write permissions to the macromedia directories to stop flash from storing its offline objects nonsense there.
Basically what I figured is that ok maybe the Browser could get compromised, but this way it should not be able to cause much harm to other parts of my system.
You're right about that.
I criticized the management of IE and got an immediate +5 moderation: Confused by Microsoft P.R.?, and no comments.
The same day, I criticized the management of Firefox, and got an immediate -1 Troll, with a lot of hostile comments: Firefox development is poorly managed, apparently.
The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone.
Yup. That was *indeed* the case. But while some kept this broken model well into the information age (no restrictions MS-DOS -> no restriction Windows 9x -> "everyone is admin by default" in Windows XP even though the NT family could theoretically have user access control, etc...) other have aknowledged that the initial model was broken and have tried different and better approaches (like Unix systems with some access control)
I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have.
On the other hand if they are flaws, we shouldn't insist absolutely on using the broken stuff just because "everything evolves" and "nothing should stay static". If something is utterly broken, we should first try to see how to fix.
Current browsers ARE NOT MEANT to be operating systems, THEY ARE only good at displaying static documents. If we want a future full of web application, we should keep the current shit merely because that's what we have now. We should find a model better able to cope with the moderns threats against a browser-as-an-OS.
Google's Chrome with "everything in a sandbox" is a nice step in the correct direction.
And as pointed by parent there are a lot of issue to consider and fix even if it means that we have to rethink how we do some stuff.
---
And, as a separate note, I would to attract the attention onto such security problems with plugins of anyone asking "Why doesn't firefox allow using system 3rd party codec plugins ?!?"
Everything said against plug-ins here is valid against 3rd party codecs (even more so : plug-ins where at least though to work with a browser).
The whole idea of the "video" tag was to get rid of the damn plugin dependency.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Come on mods, take your blame. That wasn't flamebait and you all know it.
Space game using normal deck of cards: http://BattleCards.org
kdawson, is that you?