Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."
It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.
Additionally, I think browser wars are quite insipid given the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind are public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.
I was just about to ask the same thing, especially when the summary lists FF.
I like Firefox, it's my primary browser, but not listing it in the headline is just lying by omission.
--Hi, I'm Bob--
Firefox plugins still use NPAPI. Extensions use JavaScript/XUL.
Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.
It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.
You must be new here. We don't diss Firefox.
</obligatory>
Liberal? Conservative? Compare perspectives at Left-Right
No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.
First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.
Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.
Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.
The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.
I'm guessing because plugins in Firefox are written using JavaScript and XUL
No. Addons use XUL & JavaScript, plugins are native.
What's the difference? Flash, Java, etc. are plugins; AdBlock Plus, Firebug, etc. are addons.
It's official. Most of you are morons.
Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.
The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.
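An added illustration of the integrity-level point in the comment above (not part of the thread, and not code from Microsoft, Sun or Adobe): Windows mandatory labels are SIDs of the form S-1-16-<RID>, and anything a browser session spawns above the low level (0x1000) is not confined by protected mode. The process names and the sample list are constructed for the example.

```python
import re

# Mandatory-label SIDs look like S-1-16-<RID>; the RID is the integrity level.
# Well-known floors; RIDs in between (e.g. 0x2100, "medium plus") round down.
LEVEL_FLOORS = [(0x4000, "system"), (0x3000, "high"), (0x2000, "medium"),
                (0x1000, "low"), (0x0000, "untrusted")]
LOW_RID = 0x1000
_LABEL_RE = re.compile(r"^S-1-16-(\d+)$")

def integrity_rid(label_sid):
    """Extract the integrity RID, rejecting SIDs that are not mandatory labels."""
    m = _LABEL_RE.match(label_sid.strip())
    if not m:
        raise ValueError(f"not a mandatory-label SID: {label_sid!r}")
    return int(m.group(1))

def level_name(rid):
    """Map a RID to the name of the highest floor it reaches."""
    for floor, name in LEVEL_FLOORS:
        if rid >= floor:
            return name
    raise ValueError(f"invalid RID: {rid}")

def outside_sandbox(processes):
    """Return (name, level) for every process running above low integrity."""
    findings = []
    for proc in processes:
        rid = integrity_rid(proc["label"])
        if rid > LOW_RID:
            findings.append((proc["name"], level_name(rid)))
    return findings

# Constructed sample: one browser session's processes and their labels.
SAMPLE = [
    {"name": "browser_tab.exe",    "label": "S-1-16-4096"},  # low: sandboxed
    {"name": "plugin_host.exe",    "label": "S-1-16-4096"},  # low: sandboxed
    {"name": "plugin_broker.exe",  "label": "S-1-16-8192"},  # medium
    {"name": "plugin_updater.exe", "label": "S-1-16-8448"},  # medium plus
]

if __name__ == "__main__":
    for name, level in outside_sandbox(SAMPLE):
        print(f"{name}: {level} integrity, not confined by protected mode")
```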
Why doesn't the headline list Firefox, too?
But... when you're running Firefox, it reads:
Slashdot|Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox
so Firefox is part of the headline!
Oh wait...
"She's furniture with a pulse"
Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx
-]Phreak Out[-
It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.
I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.
kdawson strikes again...
I don't know what you are talking about.
My browser's title says "Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox"