Slashdot Mirror


Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonore, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."


  1. Re:Headline? by Anonymous Coward · Score: 4, Informative

    Firefox plugins still use NPAPI. Extensions use JavaScript/XUL.

  2. Re:Headline? by Tim+C · Score: 4, Informative

    I'm guessing because plugins in Firefox are written using JavaScript and XUL

    No. Addons use XUL & JavaScript, plugins are native.

    What's the difference? Flash, Java, etc. are plugins; AdBlock Plus, Firebug, etc. are addons.

  3. Re:The problem isn't browsers. by Kalriath · Score: 5, Informative

    Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  4. Re:Sandboxing? by TrancePhreak · Score: 4, Informative

    Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

    --

    -]Phreak Out[-