Slashdot Mirror


Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

13 of 141 comments

  1. Re:Headline? by Anonymous Coward · · Score: 4, Informative

    Firefox plugins still use NPAPI. Extensions use javascript/XUL.

  2. Simple solution built into Opera... by sznupi · · Score: 2, Informative

    Quick options toggle menu -> enable/disable plugins.

    (with whitelisting and blacklisting of particular sites available of course)

    --
    One that hath name thou can not otter
  3. Re:The problem isn't browsers. by afidel · · Score: 3, Informative

    Doesn't matter; most people don't care about the security of their computer, they rightfully care about the security of their data, which no OS blocks effectively, i.e. if I can modify my data, so can any program running in my context.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. easy solution by Tumbleweed · · Score: 2, Informative

    Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

  5. Re:Headline? by Tim+C · · Score: 4, Informative

    I'm guessing because plugins in firefox are written using javascript and XUL

    No. Addons use XUL & JavaScript, plugins are native.

    What's the difference? Flash, Java, etc are plugins, AdBlock Plus, Firebug, etc are addons

  6. Re:Sandboxing? by tonywong · · Score: 3, Informative

    http://queue.acm.org/detail.cfm?id=1556050

    "...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."

    I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.

  7. Re:The problem isn't browsers. by GIL_Dude · · Score: 3, Informative

    That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Basically they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continue this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.

  8. Re:The problem isn't browsers. by Kalriath · · Score: 5, Informative

    Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  9. Re:Sandboxing? by TrancePhreak · · Score: 4, Informative

    Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

    --

    -]Phreak Out[-
  10. Re:The model by Knightman · · Score: 2, Informative

    VMware for example uses a virtual I/O-port (just google 0x564D5868) in the VM to communicate with the process running the VM.
    If you can communicate with the VM, it stands to reason you probably can break out of it.

    The only way to be sure your computer is safe is to unplug it.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
  11. Re:The problem isn't browsers. by mcrbids · · Score: 2, Informative

    Great! You got +5 insightful for an unenlightened post.

    So you have a process, the browser. And within that process, is a security hole. And in the context of the browser, there's this scripting language called "javascript" which (tadum!) executes code. Code which might take advantage of aforementioned security hole.

    In this example, the Operating System isn't even involved - it's all happening within the browser. Yet, your security is still hosed. There's still a keylogger running inside browser space, and when you go to your bank, they still get your access credentials.

    How would you expect the operating system to protect you here? In this space, the Operating System is barely relevant at all!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  12. Re:Headline? by Antony-Kyre · · Score: 2, Informative

    It's because people see Firefox as the savior of the Internet, something infallible.

  13. Re:Sandboxing? by Anonymous Coward · · Score: 3, Informative

    Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

    It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all!

    Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.

    See "Protected Mode" at:
      http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security
      http://en.wikipedia.org/wiki/User_Account_Control
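
The prerequisites listed in comment 13 (Vista or later, UAC on, Protected Mode on for the zone) and the integrity levels from comment 7 can be checked from a PowerShell prompt. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the standard Windows registry locations for UAC (`EnableLUA`) and for the per-zone Protected Mode setting (action `2500`).

```powershell
# Added example (not from the thread): audit IE Protected Mode prerequisites.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Check([string]$Check, $Ok, [string]$Detail) {
    # Ok is $true / $false, or $null when the check is informational or unset.
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-ProtectedModePrereqs {
    # 1. Integrity levels exist only on Windows Vista (NT 6.0) and later.
    $os = [Environment]::OSVersion.Version
    New-Check 'OS is Vista or later' ($os.Major -ge 6) "NT $os"

    # 2. UAC: EnableLUA = 0 means UAC is off, which also disables Protected Mode.
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    New-Check 'UAC enabled' ($lua -eq 1) "EnableLUA=$lua"

    # 3. Per-zone Protected Mode (action 2500): 0 = enabled, 3 = disabled.
    #    A machine policy value, when present, overrides the user's setting.
    $suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($z in @(3, 'Internet'), @(4, 'Restricted sites')) {
        $policy = Get-RegValue "HKLM:\SOFTWARE\Policies\$suffix\$($z[0])" '2500'
        $user   = Get-RegValue "HKCU:\Software\$suffix\$($z[0])" '2500'
        $value  = if ($null -ne $policy) { $policy } else { $user }
        $ok     = if ($null -eq $value) { $null } else { $value -eq 0 }
        New-Check "Protected Mode, $($z[1]) zone" $ok "2500=$value (policy=$policy, user=$user)"
    }

    # 4. Integrity level of this shell, read from its S-1-16-<RID> label SID.
    $levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $label = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -match '^S-1-16-(\d+)$' } | Select-Object -First 1
    if ($label) {
        $rid = [int]($label.SID -replace '^S-1-16-', '')
        New-Check 'Shell integrity level' $null "$($levels[$rid]) ($($label.SID))"
    }
}

Test-ProtectedModePrereqs | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Check 4 reports the integrity level of the PowerShell process itself; the browser's own level is what Process Explorer shows, as comment 7 describes.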