The pitfalls of plug-ins

Google's planned extension mechanism for Chrome highlights the changing nature of Web-based threats.

Google's Chrome browser may not yet have the market share to compete with Firefox or Internet Explorer, but it's moving forward nonetheless. Soon it will even have the one feature that was requested by more beta testers than any other: an extension mechanism.

According to a page on Google's site, a future version of Chrome will support a variety of extensions; it's just not clear how they will be implemented yet. Among the goals cited are support for download managers, mash-up extensions, and my own personal favorite, ad blockers. Even industry-standard NPAPI plug-ins will be supported, if all goes according to plan.

But if you believe Eric Lawrence, the security program manager for Microsoft's Internet Explorer, that might not necessarily be a good thing. According to Lawrence, as Web browser software matures and the browser market broadens, the browser itself becomes a more difficult target for malware authors. It's too hard to reach a mass audience if you go that route. Instead, Lawrence says, today's attackers are targeting plug-ins.

Kettle, learn from pot
Initial reactions to Lawrence's comments during a Black Hat Webcast ranged from skepticism to outright derision. After all, who should have less to say about security vulnerabilities in browser components than Microsoft? ActiveX is arguably the most egregious security flaw ever to be intentionally introduced into a piece of software. Why should attackers go to the trouble of breaking a window when they can just walk in the front door?

But the intense scrutiny and criticism that ActiveX has weathered over the years has actually done the technology some good. ActiveX attacks persist, but they mostly rely on older versions of Internet Explorer that lack security improvements introduced in IE7. Meanwhile, other, less obvious targets have become the victims of more recent exploits.

For example, in 2007 security researchers demonstrated how sending a malformed PDF file to the Adobe Reader plug-in could cause a browser to execute arbitrary JavaScript code. Another Adobe Reader flaw left browsers open to cross-site scripting attacks, and a similar vulnerability plagued the Adobe Flash plug-in earlier this year.

The changing face of exploits
All of these vulnerabilities have since been patched, but it's worth recognizing that they are all strong indicators of the changing nature of network-based attacks. At one time, the primary goal of malware authors was to subvert systems software to gain control of the user's PC. But today, as traditional desktop software gives way to networked applications delivered via the Web, access to the communication channels between client and server systems is becoming a much more attractive prize.

Attacking plug-ins also gives criminals access to a much wider audience than traditional malware does. Because they are system-level software, traditional viruses and Trojan horse programs must target a single operating environment (typically Windows). But an exploit that targets the Flash plug-in can actually be cross-platform, affecting not just Windows but also Mac OS X and even Linux systems.

Consider, also, that a program written in a systems programming language like C can only be exploited for its own vulnerabilities. If it has bugs, they are there because of the programmers' own mistakes. But a browser that has a plug-in installed is vulnerable to exploits that target not just the applications that run in the plug-in, but the plug-in itself. Web developers have no control -- and typically no knowledge -- of such vulnerabilities.

The changing face of apps
Nonetheless, browser plug-ins are becoming ever more richly capable. At its recent Max 2008 conference in San Francisco, Adobe announced a new software project aimed at bridging the gap between its Flash technologies and Microsoft's .Net platform. It also unveiled a tool that can cross-compile C/C++ code into ActionScript that runs in the Flash plug-in. In a sense, even as Microsoft works to secure ActiveX, plug-ins such as Flash are moving ever closer to the rich programmability of the original ActiveX model.

If this trend continues, security should be foremost on Web developers' minds. Google is leading the way here. The compartmentalized, multi-process design of the Chrome browser is a significant improvement over the security models of past browsers. But until the promised extension model appears, it's too early to declare a victory in the war against plug-in vulnerabilities.

More importantly, the rest of the industry must follow Google's lead. As the amount and the complexity of code designed to run within browser plug-ins increases, Web developers should demand that security be a top priority for the leading browser vendors and plug-in developers alike.
