Insecure Plugins Ding IE, Safari, Chrome, Opera

Posted by kdawson on Monday January 25, 2010 @11:46AM from the black-powder-in-the-sandbox dept.

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

1 of 141 comments (clear)

Min score:

Reason:

Sort:

Re:Sandboxing? by jpmorgan · 2010-01-25 12:39 · Score: 5, Interesting

IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.
The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.