Slashdot Mirror
Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.
Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.
I was just about to ask the same thing, especially when the summary lists FF.
I like Firefox, it's my primary browser, but not listing it in the headline is just lying by omission.
--Hi, I'm Bob--
Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.
It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.
No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.
First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.
Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.
Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.
The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.
It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.
I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.
kdawson strikes again...