Slashdot Mirror


Insecure Plugins Ding IE, Safari, Chrome, Opera

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

40 of 141 comments

  1. Headline? by Anonymous Coward · · Score: 3, Interesting

    Why doesn't the headline list Firefox, too?

    1. Re:Headline? by plasmator · · Score: 4, Insightful

      I was just about to ask the same thing, especially when the summary lists FF.

      I like Firefox, it's my primary browser, but not listing it in the headline is just lying by omission.

      --
      --Hi, I'm Bob--
    2. Re:Headline? by Anonymous Coward · · Score: 4, Informative

      Firefox plugins still use NPAPI. Extensions use javascript/XUL.

    3. Re:Headline? by Anonymusing · · Score: 4, Funny

      You must be new here. We don't diss Firefox.

      </obligatory>

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    4. Re:Headline? by Tim+C · · Score: 4, Informative

      I'm guessing because plugins in firefox are written using javascript and XUL

      No. Addons use XUL & JavaScript, plugins are native.

      What's the difference? Flash, Java, etc are plugins, AdBlock Plus, Firebug, etc are addons

    5. Re:Headline? by BeerCat · · Score: 5, Funny

      Why doesn't the headline list Firefox, too?

      But... when you're running Firefox, it reads:

      Slashdot|Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox

      so Firefox is part of the headline!

      Oh wait...

      --
      "She's furniture with a pulse"
    6. Re:Headline? by Antony-Kyre · · Score: 2, Informative

      It's because people see FireFox as the savior of the Internet, something infallible.

  2. In other news, water is wet. by MrCrassic · · Score: 4, Insightful

    It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.

    Additionally, I think browser wars are quite insipid given the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind are public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.

    1. Re:In other news, water is wet. by MrCrassic · · Score: 2, Funny

      You must be new here. :-)

  3. The model by Anonymous Coward · · Score: 5, Insightful

    Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.

    It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.

    1. Re:The model by Knightman · · Score: 2, Informative

      VMWare for example uses a virtual I/O-port (just google 0x564D5868) in the VM to communicate with the process running the VM.
      If you can communicate with the VM, it stands to reason you probably can break out of it.

      The only way to be sure your computer is safe is to unplug it.

      --
      --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
    2. Re:The model by rolfwind · · Score: 3, Funny

      Insecure huh?

      Is that why my browser kept asking if it looked fat maximized in my widescreen monitor?

    3. Re:The model by vtcodger · · Score: 2, Insightful

      ***Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.***

      That'd be my opinion as well, but apparently you and I are Luddite idiots.

      My guess is that if you are right, it will take at least two decades and perhaps one or more complete breakdowns of e-Commerce and/or web services to bring any significant number of folks around to your point of view.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  4. Re:Sandboxing? by Anonymous Coward · · Score: 4, Insightful

    No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.

    First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.

    Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.

    Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.

    The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.

  5. Simple solution built into Opera... by sznupi · · Score: 2, Informative

    Quick options toggle menu -> enable/disable plugins.

    (with whitelisting and blacklisting of particular sites available of course)

    --
    One that hath name thou can not otter
  6. Re:Sandboxing? by Anonymous Coward · · Score: 3, Interesting

    From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)

    "Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
    "Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."

  7. Adobe reader plugin? by shitzu · · Score: 2, Interesting

    I never actually understood the reason for a PDF plugin. Why can't I just download the bloody file and look at it? On second thought, that's what I usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

    1. Re:Adobe reader plugin? by Trepidity · · Score: 3, Insightful

      If you're just reading the occasional journal article or something, that's reasonable, yeah. The original idea of the PDF plugin was that PDFs would be more widespread, as part of websites, so it'd be a hassle to download/view every time you ran across a PDF. That's thankfully not as common as Adobe had hoped, but for some kinds of sites it's still a bit of a hassle if you have no plugin--- restaurant sites that seem to find it necessary to put their lunch/dinner/drinks menus into three separate PDFs come to mind.

  8. Firefox? by guamman · · Score: 2, Interesting

    I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

    1. Re:Firefox? by Anonymous Coward · · Score: 5, Funny

      I don't know what you are talking about.

      My browser's title says "Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox"

    2. Re:Firefox? by onefriedrice · · Score: 3, Insightful

      I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

      Probably not so much anti-IE as pro-Firefox, seeing as how that was pretty much the only browser missing from the list in the title, which should have read "Insecure Plugins a Problem for Browsers."

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
  9. Re:The problem isn't browsers. by afidel · · Score: 3, Informative

    Doesn't matter, most people don't care about the security of their computer; they rightfully care about the security of their data, which no OS blocks effectively, i.e. if I can modify my data so can any program running in my context.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. easy solution by Tumbleweed · · Score: 2, Informative

    Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

    1. Re:easy solution by Tumbleweed · · Score: 2, Insightful

      Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

      Great, another reason to loathe Facebook. Like I needed another. *shrug*

  11. Re:Sandboxing? by tonywong · · Score: 3, Informative

    http://queue.acm.org/detail.cfm?id=1556050

    "...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."

    I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.

  12. Re:The problem isn't browsers. by GIL_Dude · · Score: 3, Informative

    That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Basically they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continue this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.

  13. Re:Sandboxing? by Anonymous Coward · · Score: 2, Insightful

    The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone. Blah blah blah. Yeah because nothing ever evolves. Everything should stay static. I understand your point about flawed design but like it or not, things are progressing for better or worse, like they always have. You know you can always use Dillo or Lynx if you want to view documents and do your basic browsing.

  14. Re:The problem isn't browsers. by Kalriath · · Score: 5, Informative

    Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  15. Re:Sandboxing? by jpmorgan · · Score: 5, Interesting

    IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.

    The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.

  16. Re:Sandboxing? by TrancePhreak · · Score: 4, Informative

    Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

    --

    -]Phreak Out[-
  17. Re:Wrong. Extensions can use native code. by QuoteMstr · · Score: 3, Interesting

    Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface to call any code C++ could.

    It is essential to look at Javascript extensions as having the same security properties as native code ones.

    However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process, where in principle, they can be sandboxed.

  18. Re:Sandboxing? by Your.Master · · Score: 3, Insightful

    "Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users."

    True, and that's often lost on people, but irrelevant to the subject at hand. We were talking about whether a browser could do anything to mitigate insecure plugins as an attack vector short of disabling plugins.

    "Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place."

    Explain.

  19. Re:The problem isn't browsers. by mcrbids · · Score: 2, Informative

    Great! You got +5 insightful for an unenlightened post.

    So you have a process, the browser. And within that process, is a security hole. And in the context of the browser, there's this scripting language called "javascript" which (tadum!) executes code. Code which might take advantage of aforementioned security hole.

    In this example, the Operating System isn't even involved - it's all happening within the browser. Yet, your security is still hosed. There's still a keylogger running inside browser space, and when you go to your bank, they still get your access credentials.

    How would you expect the operating system to protect you here? In this space, the Operating System is barely relevant at all!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  20. Acrobat plugin has been my nemesis for years. by argent · · Score: 2, Insightful

    I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".

  21. And people WANT Flash on their phone... by rinoid · · Score: 2, Insightful

    My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.

  22. kdawson manipulated the title of the summary by Smurf · · Score: 4, Insightful

    It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.

    I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.

    kdawson strikes again...

  23. Re:Sandboxing? by Anonymous Coward · · Score: 3, Informative

    Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx

    It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all!

    Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.

    See "Protected Mode" at:
      http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security
      http://en.wikipedia.org/wiki/User_Account_Control

  24. Re:Two Browsers? by sowth · · Score: 2, Interesting

    How about two users? That is what I do. I have one user for insecure internet access, and another for financial transactions. The home directory of the account for financial transactions is chmod 700.

    Really, I use several user accounts --one for the X server, one for multimedia / video games, one for my real work / valuable files, etc. It isn't any hassle to use the insecure internet or video game accounts because I have them set up so I don't need a password when I su from the X server account. Makes it very easy to drop privs.

    Yes, this doesn't protect from the insecure account running malware, or that malware breaking through a local root exploit, so an eye has to be kept on it still, but it is better to make life more difficult for malware writers, and if they stay trapped in the one account, cleanup is relatively easy.
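
The account separation described in the comment above, as an added example that is not part of the original thread: a POSIX shell check that each per-purpose account's home directory is closed to group and other (the effect of `chmod 700`). The account names, the passwd-format sample and the UID cutoff of 1000 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that per-purpose account
# homes grant nothing to group or other, as "chmod 700" would leave them.

# Print "private", "exposed:<group+other bits>" or "missing" for one directory.
home_exposure() {
    if [ ! -d "$1" ]; then echo "missing"; return 0; fi
    # ls -ld prints e.g. "drwx------"; characters 5-10 are the group
    # and other permission triplets.
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo "private"; else echo "exposed:$bits"; fi
}

# Read passwd-format lines (name:pw:uid:gid:gecos:home:shell) from file $1
# and report each account with uid >= $2 (assumed default 1000) whose home
# is missing or readable/traversable by other accounts.
audit_homes() {
    passwd_file=$1
    min_uid=${2:-1000}
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge "$min_uid" ] || continue        # skip system accounts
        state=$(home_exposure "$home")
        [ "$state" = "private" ] || echo "$name $home $state"
    done < "$passwd_file"
}

# Demo on a constructed tree: one locked-down home, one default-mode home,
# and one account whose home was never created.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bank" "$tmp/web"
    chmod 700 "$tmp/bank"
    chmod 755 "$tmp/web"
    cat > "$tmp/passwd" <<EOF
root:x:0:0:root:/root:/bin/sh
bank:x:1001:1001:constructed finance account:$tmp/bank:/bin/sh
web:x:1002:1002:constructed browsing account:$tmp/web:/bin/sh
games:x:1003:1003:constructed account without a home:$tmp/games:/bin/sh
EOF
    audit_homes "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real system the same function can be pointed at `/etc/passwd`; a mode-700 home keeps other accounts out even when files inside it carry looser modes, because the directory itself cannot be traversed.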

  25. Re:Sandboxing? by sopssa · · Score: 2, Interesting

    Having a house with windows and doors locked is a bit silly, especially when you could just as well build a bunker around your house.
    MS sees bunkers as competitors to be contained until MS has the functionality via buy out or "innovation"

  26. Re:Sandboxing? by ElSupreme · · Score: 3, Insightful

    Well maybe you should stop bitching about an 8 year old OS not doing what you want.
    And maybe you should stop bitching about an 8 year old Browser not doing what you want.

    Because people don't use some functionality, or have (in computing lifetimes) ANCIENT software. Don't blame the modern product. It was IMPOSSIBLE to sandbox Safari when XP and IE6 came out. Because no version was released! Same goes for Firefox (Firebird too), and Chrome.

    Congratulations you just compared IE6 on an 8+ year old OS, to browser LINES that didn't exist when EITHER XP OR IE6 came out. Opera did exist.

    It is time to face it IE8 is a good browser. Worthy of comparison to Firefox. IE7 and IE6 were horrible. In fact when IE6 came out, I stayed with IE5, until I used mozilla, then Firebird, well before it became Firefox.


    Sources: (non-primary)
    http://en.wikipedia.org/wiki/Win_XP
    http://en.wikipedia.org/wiki/Internet_Explorer_6
    http://en.wikipedia.org/wiki/Safari_(browser)
    http://en.wikipedia.org/wiki/Firebird_(browser)
    http://en.wikipedia.org/wiki/Opera_(browser)

    --
    My addiction: Arguing with idiots. AKA Slashdot!