Slashdot Mirror
Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
Why doesn't the headline list Firefox, too?
It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.
Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.
Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.
It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.
No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.
First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.
Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.
Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.
The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.
From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)
"Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
"Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."
Doesn't matter, most people don't care about the security of their computer they rightfully care about the security of their data which no OS blocks effectively, ie if I can modify my data so can any program running in my context.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
http://queue.acm.org/detail.cfm?id=1556050
"...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."
I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.
That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Bascially they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continues this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.
If you're just reading the occasional journal article or something, that's reasonable, yeah. The original idea of the PDF plugin was that PDFs would be more widespread, as part of websites, so it'd be a hassle to download/view every time you ran across a PDF. That's thankfully not as common as Adobe had hoped, but for some kinds of sites it's still a bit of a hassle if you have no plugin--- restaurant sites that seem to find it necessary to put their lunch/dinner/drinks menus into three separate PDFs come to mind.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.
The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.
Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx
-]Phreak Out[-
Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface to call any code C++ could.
It is essential to look at Javascript extensions as having the same security properties as native code ones.
However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process, where in principle, they can be sandboxed.
"Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users."
True, and that's often lost on people, but irrelevant to the subject at hand. We were talking about whether a browser could do anything to mitigate insecure plugins as an attack vector short of disabling plugins.
"Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place."
Explain.
It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.
I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.
kdawson strikes again...
I don't know what you are talking about.
My browser's title says "Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox"
I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?
Probably not so much anti-IE as pro-Firefox, seeing as how that was pretty much the only browser missing from the list in the title, which should have read "Insecure Plugins a Problem for Browsers."
This author takes full ownership and responsibility for the unpopular opinions outlined above.
Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx
It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all !
Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.
See "Protected Mode" at:
http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security
http://en.wikipedia.org/wiki/User_Account_Control
Well maybe you should stop bitching about an 8 year old OS not doing what you want.
And maybe you should stop bitching about an 8 year old Browser not doing what you want.
Because people don't use some functionality, or have (in computing lifetimes) ANCIENT software. Don't blame the modern product. It was IMPOSSIBLE to sandbox Safari when XP and IE6 came out. Because no version was released! Same goes for Firefox (Firebird too), and Chrome.
Congratulations you just compared IE6 on an 8+ year old OS, to browser LINES that didn't exist when EITHER XP OR IE6 came out. Opera did exist.
It is time to face it IE8 is a good browser. Worthy of comparison to Firefox. IE7 and IE6 were horrible. In fact when IE6 came out, I stayed with IE5, until I used mozilla, then Firebird, well before it became Firefox.
Soures: (non-primary)
http://en.wikipedia.org/wiki/Win_XP
http://en.wikipedia.org/wiki/Internet_Explorer_6
http://en.wikipedia.org/wiki/Safari_(browser)
http://en.wikipedia.org/wiki/Firebird_(browser)
http://en.wikipedia.org/wiki/Opera_(browser)
My addiction: Arguing with idiots. AKA Slashdot!