Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

Headline?

Why doesn't the headline list Firefox, too?

Re:Sandboxing?

From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)

"Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
"Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."

Adobe reader plugin?

[shitzu]

I never acutally understood the reason for a PDF plugin. Why can't i just download the bloody file and look at it? On second thought, that's what i usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

Firefox?

[guamman]

I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

Re:Sandboxing?

[jpmorgan]

IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.

The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.

Re:Wrong. Extensions can use native code.

[QuoteMstr]

Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface to call any code C++ could.

It is essential to look at Javascript extensions as having the same security properties as native code ones.

However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process, where in principle, they can be sandboxed.

Re:Two Browsers?

[sowth]

How about two users? That is what I do. I have one user for insecure internet access, and another for financial transactions. The home directory of the account for financial transactions is chmod 700.

Really, I use several user accounts --one for the X server, one for multimedia / video games, one for my real work / valuable files, etc. It isn't any hassle to use the insecure internet or video game accounts because I have them set up so I don't need a password when I su from the X server account. Makes it very easy to drop privs.

Yes, this doesn't protect from the insecure account running malware, or that malware breaking through a local root exploit, so an eye has to be kept on it still, but it is better to make life more difficult for malware writers, and if they stay trapped in the one account, cleanup is relatively easy.

Re:Sandboxing?

[sopssa]

Having a house with windows and doors locked is a bit silly, especially when you could just as well build a bunker around your house.
MS sees bunkers as competitors to be contained until MS has the functionality via buy out or "innovation'