Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

Re:Headline?

Firefox plugins still use NPAPI. Extensions use javascript/XUL.

Re:The problem isn't browsers.

[afidel]

Doesn't matter, most people don't care about the security of their computer they rightfully care about the security of their data which no OS blocks effectively, ie if I can modify my data so can any program running in my context.

Re:Headline?

[Tim+C]

I'm guessing because plugins in firefox are written using javascript and XUL

No. Addons use XUL & JavaScript, plugins are native.

What's the difference? Flash, Java, etc are plugins, AdBlock Plus, Firebug, etc are addons

Re:Sandboxing?

[tonywong]

http://queue.acm.org/detail.cfm?id=1556050

"...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."

I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.

Re:The problem isn't browsers.

[GIL_Dude]

That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Bascially they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continues this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.

Re:The problem isn't browsers.

[Kalriath]

Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

Re:Sandboxing?

[TrancePhreak]

Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

Re:Sandboxing?

Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all !

Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.

See "Protected Mode" at:
  http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security
  http://en.wikipedia.org/wiki/User_Account_Control