Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
But doesn't sandboxing these plugins make these browsers secure?
Why doesn't the headline list Firefox, too?
It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.
Additionally, I think browser wars are quite insipid given the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.
Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.
It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.
Quick options toggle menu -> enable/disable plugins.
(with whitelisting and blacklisting of particular sites available of course)
One that hath name thou can not otter
The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.
My blog
I never actually understood the reason for a PDF plugin. Why can't I just download the bloody file and look at it? On second thought, that's what I usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?
I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?
Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).
I had a friend at university named Eleonora. You've just besmirched her name by referencing an article about 'Eleonore'. :(
Why was firefox left out of the article name?
Reading this headline quickly, for a second I thought there was a new browser out named "Ding".
Or I guess, this being 2010 and all, it would have to be named "ding". The lower-case names apparently show extra coolness or something.
You are welcome on my lawn.
It's certainly possible to create a Firefox extension (Addon) that uses native code. It's even possible to create a "fat xpi" (if you will) that will work across all supported architectures, though the build process is a little hairy.
Plugins also contain native code, but talk to Mozilla using a different API. In theory, this API works across multiple browsers.
Extensions can do everything plugins can, and a whole lot more. The only advantage a plugin has is a stable, cross-browser ABI.
I hope I'm not the only one who noticed that the headline neglected to include Firefox, but that the article makes it clear they are equally at risk.
Especially when there's unauthorized modifications to addons/plugins BEHIND the backs of the addon authors!
Imagine.. you've gone through all the trouble to properly configure Tor and the Proxy of your choice, only to have the possibility of the plugin itself (Torbutton) modified by someone other than the author and such access could easily provide a vector of attack where a trojan can easily be inserted.
Torbutton is a very popular Firefox addon which makes Tor usage easy.
Read here where the Torbutton author mentions how his Torbutton .xpi release was modified without his consent (and you, the users, download what's been modified AFTER he last modified it!):
http://archives.seul.org/or/talk/Jan-2010/msg00189.html
"Thus spake Paolo Palmieri (palmaway@xxxxxx):
> Sorry, but I have to point out that none of the proposed solution really
> works, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the .xpi's on it (correct me if I'm wrong
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also adds some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple .asc file.
>
> So, I have to join Jim's plea. Mike, could you please put the .xpi's .asc
> signature files on the TorButton website?
>
You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..
I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/
> P.S. Are git connection to the Tor git's repository protected by TLS
> against a valid certificate?
No. The git:// protocol is not protected. You need to rely on the tag
signatures.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs"
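The check the quoted email is asking for, as an added example that is not part of the original post or the Tor project's own tooling: a detached GPG signature over the downloaded .xpi, which detects a replaced or corrupted file where "fetch it over SSL" alone cannot. It generates a throwaway key and a constructed stand-in .xpi so it runs offline; the key name, file names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Tor project.
# HTTPS only proves which server you talked to; the .asc file proves which
# key signed the exact bytes you received.
set -eu
command -v gpg >/dev/null || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 -p "$GNUPGHOME"

# Constructed stand-in for a release artifact (not a real torbutton xpi).
XPI="$WORK/torbutton-1.2.4.xpi"
printf 'constructed xpi bytes\n' > "$XPI"

# Throwaway key standing in for the author's release key. A real user would
# instead import the author's public key and check its fingerprint.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Key <release@example.invalid>' \
    default default never >/dev/null 2>&1

# Author side: publish the file plus a detached, ASCII-armored signature.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$XPI.asc" "$XPI"

# User side: verify_xpi FILE SIG -> exit 0 only when SIG was made over
# exactly FILE's bytes by a key present in the keyring.
verify_xpi() {
  gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# A tampered copy: the "maliciously replaced" download the email worries
# about. Same name, same signature file, one extra byte.
TAMPERED="$WORK/tampered.xpi"
cp "$XPI" "$TAMPERED"
printf 'X' >> "$TAMPERED"

# Returns 0 when the untouched file verifies.
check_good() { verify_xpi "$XPI" "$XPI.asc"; }
# Returns 0 when the tampered file is correctly rejected.
check_tampered() {
  if verify_xpi "$TAMPERED" "$XPI.asc"; then return 1; else return 0; fi
}

check_good && echo "original: signature OK"
check_tampered && echo "tampered: signature REJECTED"
```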
I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".
You don't need to run *privileged* code to exploit a vulnerability in an application. A normal user or even a browser running in a chrooted jail can still be used to launch attacks on other computers, take part in a botnet, and so on. Not to mention that if your browser's compromised it's sitting there waiting to steal your passwords and attack your bank accounts.
And "let me do something stupid" dialogs are little protection, because if they're used often enough to be effective they just train people to let the computer do something stupid.
No, once you're penetrated, you're ****ed.
Uhhhhh...Anonymous Dude? We actually have that in Windows too you know, it is just like everything else in Windows in that you need a third party tool. My guess is if MSFT tried to add it natively they would get screams of antitrust! and be accused of playing favorites if it detected Adobe but not Bob's Media Player.
But it works from 98-Windows 7, only takes one click, unless you have it start with Windows then you don't have to click at all unless it finds something out of date. Just use ninite to install the software you need on a clean machine, along with Update checker afterward once a week (or day if you are paranoid) and voila! Easy Peasy Windows.
ACs don't waste your time replying, your posts are never seen by me.
My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.
I sort of have to agree that the browser as a one stop shop is getting sort of untenable. Frankly, I have no desire to do my online banking with the same piece of software I explore random information on all day with computers around the world run by people I don't even know. But what's the solution, two browsers? Were things any better in the 90s when I would download random exe's to do small little tasks now handled by rich web apps? At some level the only solution to this is to use separate, incompatible systems to do different levels of tasks (even if they reside in the same case). And even then, spoofing for secrets would still be a problem.
It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.
I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.
kdawson strikes again...
So are there Flash plug-in exploits that target Linux? I understand that you could remotely execute code with the UID of the user, but are there exploits in the wild?
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
An app that checks the web to find out if there are updates to 3rd party software you install on Windows is not anywhere as good as a package manager in a distro like Debian. That said, I'm glad there's *something* out there for Windows that searches for upgrades to non-Microsoft software on your machine, even though I assume there's some data-mining involved.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
Actually as someone who has used both I personally think the package managers suck the big wet titty, no offense. While they are great for nerds, they royally suck for normal folks. Example if you type in Open Office you get this huge list of packages. There should be ONE item, and one item only, and that is Open office as a single installer. Maybe have an "expert mode" that would let you choose individual packages if you like. That is why I think Click N Run is the closest I have ever seen to perfect. Just a simple description, a couple of pictures, and a "install now" button. Can't get easier than that.
As for the Update Checker from what I can tell the only data they send is the software and version numbers, which of course they need to check against their database to see if your software is old or not. But from what I can see testing it on a couple of dozen machines so far, is that they support a truly huge amount of third party software, from the biggies like Flash and Java to the smaller stuff like IMGBurn and RocketDock. If it finds out of date software it gives you a simple one click link for each one it finds out of date so that you can choose whether you want to update or not. Great if you have friends, family members, or in my case customers on Windows.
But from what I have seen package managers in Linux don't support any software that isn't from the repos, which depending on the distro can be out of date, so I really don't see package managers having a big advantage unless you refuse to install any software except from the repos. And of course your package manager won't tell you if your proprietary software is out of date, unlike Update Checker which let me know my WinRAR and Alcohol 120% was behind the times. So all in all I would give Linux a point for having it built in, and FileHippo a point for checking both free and pay software for updates. But if you have any family or friend on Windows I would point them to Ninite and FileHippo Update checker. Ninite lets them install plenty of free software without fear of Toolbars like Java and CCleaner have nowadays, and FileHippo will keep that software up to date for them.
When IE had 90%+ marketshare it was easy to target a huge number of users at once with a single exploit, now that the browser market is more competitive it's harder for malware authors to attack. They could still write an exploit for a single browser, but that would target only a percentage of users...
As a result, malware authors look for something new which is as widespread as possible... Most browsers have flash and pdf plugins, and the alternatives in these markets are still extremely rare so they're a good start. So while your victims might be running any from a handful of browsers, they will all be running exactly the same flash plugin. Find an exploit in that, and you suddenly have a 90%+ target area again.
Any single source software that becomes too widespread will be a target for attack... Having a competitive market makes things difficult for the attackers.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
In the risk of appearing trollish, I would say that this is why "integrists" of FOSS like the debian group are useful even in a world where the Ubuntu compromise had such a success.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
What I did was use AppArmor to basically restrict firefox from writing to anything but its own config files, as well as a single directory for downloads. It also can't read from any of my user files ( like my mail or documents). I even stopped it from executing external programs like PDF readers or OpenOffice seeing that I prefer to download the files and open them manually anyway.
I disabled Java, installed no-script (surfing slashdot is way smoother without javascript btw ) and set firefox to clear all cookies and other offline data when I close it down. It also doesn't have write permissions to the macromedia directories to stop flash from storing its offline objects nonsense there.
Basically what I figured is that ok maybe the Browser could get compromised, but this way it should not be able to cause much harm to other parts of my system.
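An illustrative AppArmor profile matching the restrictions this post describes, added here as an example (it is not the poster's actual profile): write access only to the browser profile and one download directory, no reading of mail or documents, no Flash local storage, no launching of external helpers. The Firefox binary path, the abstraction names and the directory names are assumptions for a typical Debian-style layout.

```apparmor
# Illustrative profile, added as an example (not the poster's own file).
# Assumed install path; adjust to the distribution's Firefox location.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  network inet stream,
  network inet6 stream,

  # The browser itself and its bundled libraries may be mapped and executed.
  /usr/lib/firefox/** mr,
  /usr/lib/firefox/firefox ix,

  # NPAPI plugins load in-process, so a plugin bug inherits these same
  # limits instead of the user's full access (assumed plugin directory).
  /usr/lib/mozilla/plugins/** mr,

  # Writable state: only the browser's own profile and one download directory.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Everything else under the home directory is unreadable by default deny;
  # these explicit denies also win over any broader rule added later.
  deny @{HOME}/Documents/** rwkl,
  deny @{HOME}/Mail/** rwkl,

  # Flash "offline objects" (local shared objects) cannot be stored.
  deny @{HOME}/.macromedia/** w,
  deny @{HOME}/.adobe/** w,

  # No launching of helpers such as PDF readers or OpenOffice: the poster
  # downloads files and opens them by hand instead.
  deny /usr/bin/** x,
  deny /bin/** x,
}
```

Load it in complain mode first (`aa-complain` on the profile) and watch the audit log for denials before switching to enforce, since the exact paths a given Firefox build touches vary by distribution.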
The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone.
Yup. That was *indeed* the case. But while some kept this broken model well into the information age (no restrictions MS-DOS -> no restriction Windows 9x -> "everyone is admin by default" in Windows XP even though the NT family could theoretically have user access control, etc...) others have acknowledged that the initial model was broken and have tried different and better approaches (like Unix systems with some access control)
I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have.
On the other hand if they are flaws, we shouldn't insist absolutely on using the broken stuff just because "everything evolves" and "nothing should stay static". If something is utterly broken, we should first try to see how to fix.
Current browsers ARE NOT MEANT to be operating systems, THEY ARE only good at displaying static documents. If we want a future full of web application, we should keep the current shit merely because that's what we have now. We should find a model better able to cope with the moderns threats against a browser-as-an-OS.
Google's Chrome with "everything in a sandbox" is a nice step in the correct direction.
And as pointed by parent there are a lot of issues to consider and fix even if it means that we have to rethink how we do some stuff.
---
And, as a separate note, I would like to attract the attention onto such security problems with plugins of anyone asking "Why doesn't firefox allow using system 3rd party codec plugins ?!?"
Everything said against plug-ins here is valid against 3rd party codecs (even more so: plug-ins were at least thought to work with a browser).
The whole idea of the "video" tag was to get rid of the damn plugin dependency.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Package managers can and do check third party repositories... A lot of third party developers create repositories for the big linux distros and they are easy to add.
The only issue is when a given app isn't in the standard repositories and the publisher of that app hasn't made their own repository for distributing it.
I try to install everything from package repositories if I can, so as to keep the system as clean as possible. In fact, on the several linux machines I maintain I don't think I have anything on them which isn't managed by the package manager.
Come on mods, take your blame. That wasn't flamebait and you all know it.
Space game using normal deck of cards: http://BattleCards.org
But will it tell you if your proprietary software like Crossover Office or VMWare is out of date? I honestly don't know, as I quit using my Xandros Business before my Crossover Office was out of date. But as I said if you stick with the official repos I'm sure it will work out fine, as long as they keep those repos updated.
But ultimately I think that is something that the distros will have to work out. If Linux is to gain acceptance by the masses it will have to support non FLOSS apps, such as games and Photoshop and other proprietary apps, but to provide equal support to such apps will piss off the SCoN! (Source Code or Nothing!) advocates like RMS and the like. So it will be interesting (at least to me) to see how the distros handle mixing FLOSS and proprietary apps while trying to deal with the SCoN!. I already think they are bending too far to the SCoN! crowd by not including the most popular non free drivers by default, but either way it will be interesting to see how things develop.
Until the day arrives that such things are worked out I'm gonna have to only sell Windows though, because ATM playing paperweight roulette at places like Walmart is just too much of a PITA for my customers. If I can't tell what will work simply by looking at the box, how will my customer keep from getting a paperweight? Telling them to research their asses off or trawl some forum before every purchase just doesn't cut it, and from my own admittedly informal research you are looking at around 35% of the devices sold at Walmart actually supported. I think Linux is a solid OS, and I wish I could sell it to my more clueless users, but until such problems are worked out it simply costs too much in after sale support to carry Linux. It will be interesting to see if Linux can overcome this problem, as the standard "just give us your code and we'll put it in the kernel" is obviously not gonna fly with consumer level devices. How they are gonna fix that problem? Don't have a clue.
If the maker of that proprietary software (or a third party) runs a package repository for it then yes.
If there isn't a repository it's usually the fault of the proprietary software maker for not making one available, and having licensing terms which make it impossible for anyone else to do so. This isn't the fault of linux, and other platforms are typically in the same or worse state.
I find fewer after sales problems with linux (or mac) than windows... Sure there are the risks of arbitrary devices bought from stores not working, but windows has a similar risk - many devices don't advertise windows 7 support yet, and some don't work with it. Similarly some devices are lousy. I find that most people I provide support to won't go out and buy devices on their own; they will typically tell me what kind of device they need and ask for recommendations - whereby I provide appropriate recommendations. And I will go for devices which work out of the box on linux..
Someone either wants your support and respects your technical knowledge, or they don't...