Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Insecure Plugins Ding IE, Safari, Chrome, Opera

kdawson posted more than 4 years ago | from the black-powder-in-the-sandbox dept.

Security 141

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

cancel ×

141 comments

Sorry! There are no comments related to the filter you selected.

Sandboxing? (1)

iammani (1392285) | more than 4 years ago | (#30897964)

But doesnt sandboxing these plugins make these browsers secure?

Re:Sandboxing? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30898026)

I don't think any of them sandbox plugins, by default.

Chrome has a --safe-plugins option which appears to do it, but I imagine it breaks a lot of plugins, which is why it wouldn't be default.

Re:Sandboxing? (4, Informative)

TrancePhreak (576593) | more than 4 years ago | (#30898658)

Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx [microsoft.com]

Re:Sandboxing? (1)

AHuxley (892839) | more than 4 years ago | (#30899068)

Locking the kitchen window with a buzzword window lock, with the rest of the house wide open is a bit of a joke.
MS sees plugins as competitors to be contained until MS has the functionality via buy out or "innovation'

Re:Sandboxing? (3, Informative)

Anonymous Coward | more than 4 years ago | (#30900444)

Interesting you should say that... as IE sandboxes plugins by default. http://technet.microsoft.com/en-us/library/dd346862.aspx [microsoft.com]

It's important to note that sandboxing (a.k.a. Protected Mode) requires both IE7 or IE8 and Windows Vista or Windows 7. Sandboxing will not work on Windows XP at all !

Additionally, User Account Control (UAC) must be enabled. Vista users trying to avoid privilege elevation prompts by turning off UAC will unwittingly disable Protected Mode.

See "Protected Mode" at:
  http://en.wikipedia.org/wiki/Internet_Explorer_7#Privacy_and_security [wikipedia.org]
  http://en.wikipedia.org/wiki/User_Account_Control [wikipedia.org]

Re:Sandboxing? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30898078)

No. "Sandboxing", as done by browsers, is generally nothing more than a buzzword.

First, you have to assume that the sandboxing has been done correctly. More often than not this is just not the case. Holes get poked in the sandbox walls for what are benign and legitimate actions, but soon enough somebody will figure out a way to exploit that hole, and then you've got a huge security flaw affecting millions of users.

Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users.

Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.

The browser was never meant to be a fucking operating system, like some people today treat it as. It was meant for displaying documents, and linking between them. It's just plain stupid to try and build complex applications in the browser, especially with the Internet being so hostile.

Re:Sandboxing? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30898486)

The computer wasn't meant to be multi function. It was meant to do intensive calculations for researchers. Computers weren't meant to be hooked up to one another, they were meant to be stand alone. Blah blah blah. Yeah because nothing ever evolves. Everything should stay static. I understand your point about flawed designed but like it or not, things are progressing for better or worse, like they always have. You know you can always use Dillo or Lynx if you want to view documents and do your basic browsers.

Re:Sandboxing? (1)

Drive42 (444835) | more than 4 years ago | (#30898780)

Amen.

Re:Sandboxing? (3, Insightful)

Your.Master (1088569) | more than 4 years ago | (#30899106)

"Second, sandboxing does absolutely nothing to stop social attacks, which are one of the leading ways that sensitive data is stolen from users."

True, and that's often lost on people, but irrelevant to the subject at hand. We were talking about whether a browser could do anything to mitigate insecure plugins as an attack vector short of disabling plugins.

"Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place."

Explain.

Re:Sandboxing? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30899554)

Third, it doesn't matter how much sandboxing you do when the underlying operating system is Windows, and is already full of holes and incapable of providing a sufficient level of security in the first place.

That's amusing because it goes completely contrary to what the winners of the Pwn2Own contest showed. In fact the browsers running on Windows (whether it be Firefox or Safari) were shown to be more immune to attack on that OS than on Linux or OS X.

Two Browsers? (1)

KibibyteBrain (1455987) | more than 4 years ago | (#30899564)

I sort of have to agree that the browser as a one stop shop is getting sort of untenable. Frankly, I have no desire to do my online banking with the same piece of software I explore random information on all day with computers around the world run by people I don't even know. But whats the solution, two browsers? Were things any better in the 90s when I would download random exe's to do small little tasks now handled by rich web apps? At some level the only solution to this is to use separate, incompatible systems to do different levels of tasks(even if they reside in the same case). And even then, spoofing for secrets would still be a problem.

Re:Two Browsers? (2, Interesting)

sowth (748135) | more than 4 years ago | (#30900622)

How about two users? That is what I do. I have one user for insecure internet access, and another for financial transactions. The home directory of the account for financial transactions is chmod 700.

Really, I use several user accounts --one for the X server, one for multimedia / video games, one for my real work / valuable files, etc. It isn't any hassle to use the insecure internet or video game accounts because I have them set up so I don't need a password when I su from the X server account. Makes it very easy to drop privs.

Yes, this doesn't protect from the insecure account running malware, or that malware breaking through a local root exploit, so an eye has to be kept on it still, but it is better to make life more difficult for malware writers, and if they stay trapped in the one account, cleanup is relatively easy.

Re:Sandboxing? (1)

Foredecker (161844) | more than 4 years ago | (#30900106)

I wish I had mod points for you.

Re:Sandboxing? (3, Interesting)

Anonymous Coward | more than 4 years ago | (#30898118)

From page 30 of the Chrome Comic (http://www.google.com/googlebooks/chrome/small_30.html)

"Plugins have capabilities that aren't public standards, so we can't sandbox these yet."
"Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much safer."

Re:Sandboxing? (3, Informative)

tonywong (96839) | more than 4 years ago | (#30898296)

http://queue.acm.org/detail.cfm?id=1556050

"...Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the user's webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."

I'd imagine that since Chrome doesn't sandbox, the other browsers would have a hard time sandboxing those plugins as well.

Re:Sandboxing? (5, Interesting)

jpmorgan (517966) | more than 4 years ago | (#30898602)

IE7/8 uses NT6.x's mandatory access control mechanism to run itself in 'protected mode,' which really just means it's running as a low integrity process with minimal system access. It also uses a different plugin model from Chrome and Firefox, and yes, it tries to run plugins inside the low-integrity sandbox.

The problem is that Sun and Adobe took the shortcut of explicitly breaking the sandbox (from the outside) rather than make Java and Flash work within it.

Re:Sandboxing? (1)

shutdown -p now (807394) | more than 4 years ago | (#30898736)

Why doesn't IE warn when a plugin "breaks the sandbox", and asks the user to confirm? It would seem reasonable, and push plugin writers towards proper sandboxing.

Re:Sandboxing? (0)

Anonymous Coward | more than 4 years ago | (#30899162)

How would you block the broker?

Re:Sandboxing? (1)

shutdown -p now (807394) | more than 4 years ago | (#30899424)

You would block all IPC from the sandboxed process, except for the one going through preconfigured channel with the browser itself (for actual rendering and user input), until the user enables less restrictive mode for that plugin.

Re:Sandboxing? (0)

Anonymous Coward | more than 4 years ago | (#30898312)

Java got its own sandbox. And it works really great. The vulnerabilities in the past were related to native image loading components. Loading binary data with C/C++ is very fast but also very error prone.

Headline? (3, Interesting)

Anonymous Coward | more than 4 years ago | (#30897976)

Why doesn't the headline list Firefox, too?

Re:Headline? (0)

ashridah (72567) | more than 4 years ago | (#30898030)

I'm guessing because plugins in firefox are written using javascript and XUL. i thought they still supported the old netscrape (man, haven't used that one in a while) api though, which would still allow things to waltz through...

Re:Headline? (4, Informative)

Anonymous Coward | more than 4 years ago | (#30898052)

Firefox plugins still use NPAPI. Extensions use javascript/XUL.

Re:Headline? (4, Informative)

Tim C (15259) | more than 4 years ago | (#30898266)

I'm guessing because plugins in firefox are written using javascript and XUL

No. Addons use XUL & JavaScript, plugins are native.

What's the difference? Flash, Java, etc are plugins, AdBlock Plus, Firebug, etc are addons

Wrong. Extensions can use native code. (1)

QuoteMstr (55051) | more than 4 years ago | (#30898768)

It's certainly possible to create a Firefox extension [mozilla.org] (Addon) that uses native code. It's even possible to create a "fat xpi" (if you will) that will work across all supported architectures, though the build process is a little hairy.

Plugins also contain native code, but talk to Mozilla using a different API [wikipedia.org] . In theory, this API works across multiple browsers.

Extensions can do everything plugins can, and a whole lot more. The only advantage a plugin has is a stable, cross-browser ABI.

Re:Wrong. Extensions can use native code. (1)

Tim C (15259) | more than 4 years ago | (#30898810)

Ok, cool, I was wrong - but in the opposite direction, as it were. The main point is that no, plugins do not use XUL and JavaScript exclusively, and so are not guaranteed to be sandboxed and secure.

Re:Wrong. Extensions can use native code. (3, Interesting)

QuoteMstr (55051) | more than 4 years ago | (#30898880)

Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface [mozilla.org] to call any code C++ could.

It is essential to look at Javascript extensions as having the same security properties as native code ones.

However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process [mozdev.org] , where in principle, they can be sandboxed [lwn.net] .

Re:Headline? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30899330)

Wow. Did you see the replies? You've been p0wn'd bitch. p0wn'd.

Just get the fuck out of here now and don't come back. Retard cunt bitch homo fag.

Re:Headline? (4, Insightful)

plasmator (229502) | more than 4 years ago | (#30898042)

I was just about to ask the same thing, especially when the summary lists FF.

I like Firefox, it's my primary browser, but not listing it in the headline is just lying by omission.

Re:Headline? (2, Informative)

Antony-Kyre (807195) | more than 4 years ago | (#30899350)

It's because people see FireFox as the savior of the Internet, something infallible.

Re:Headline? (4, Funny)

Anonymusing (1450747) | more than 4 years ago | (#30898064)

You must be new here. We don't diss Firefox.

</obligatory>

Re:Headline? (1)

maxwell demon (590494) | more than 4 years ago | (#30898162)

To provoke a comment which asks why the headline doesn't list Firefox.

Re:Headline? (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#30898512)

Because KDawson is an asshole? That's my guess.

Re:Headline? (5, Funny)

BeerCat (685972) | more than 4 years ago | (#30898654)

Why doesn't the headline list Firefox, too?

But... when you're running Firefox, it reads:

Slashdot|Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox

so Firefox is part of the headline!

Oh wait...

Re:Headline? (1)

Low Ranked Craig (1327799) | more than 4 years ago | (#30898946)

Only on WIndows...

Re:Headline? (1)

aldld (1663705) | more than 4 years ago | (#30899066)

Mine says "Shiretoko"

Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Shiretoko

In other news, water is wet. (4, Insightful)

MrCrassic (994046) | more than 4 years ago | (#30898032)

It's kind of common sense that having plugins with various amounts of access to their installed browser(s) can compromise its entire security model. For the Slashdot crowd, it's kind of like having an aftermarket ECU on an auto's engine which, if programmed incorrectly, can cause great harm to it.

Additionally, I think browser wars are quite insipid the amount of variety we have now. Most of the browser is in its renderer, and the pros and cons of each kind is public information. Furthermore, the pros and cons of the browsers that constitute the heaping majority of the market (IE, Firefox, Opera, Safari and Chrome) are also fairly well-known (i.e. one wouldn't put Safari on Windows because its performance is known to be subpar, and a user with more rigid browsing habits won't use IE given the amount of malicious attention it gets). If there was one unanimously labelled "BEST" browser, everyone would be using it.

Re:In other news, water is wet. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30898224)

I really cannot imagine why you think that a car analogy is going to make more sense to the slashdot crowd than the base problem, which is computer security.

Re:In other news, water is wet. (2, Funny)

MrCrassic (994046) | more than 4 years ago | (#30898458)

You must be new here. :-)

Re:In other news, water is wet. (1)

TheRealMindChild (743925) | more than 4 years ago | (#30898432)

If there was one unanimously labelled "BEST" browser, everyone would be using it.

Wait... you aren't using Netscape 4.7?!

Sounds like Krebs reads slashdot posters (0)

Anonymous Coward | more than 4 years ago | (#30900690)

http://tech.slashdot.org/comments.pl?sid=1512306&threshold=-1&commentsort=0&mode=thread&cid=30782898 [slashdot.org]

It is common sense to anyone that understands computing. In fact, the third enumerated point there in the link above merely reflects what they say about browser addons to a tee. Pity is that it got he attacked by the fanboys and trolls here as is usual for his posts from what I have seen directed his way.

The model (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30898056)

Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.

It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.

Re:The model (1, Interesting)

TheRealMindChild (743925) | more than 4 years ago | (#30898358)

Not really. With the multicore, gigabytes of ram type, systems becoming norm, think ThinApp [vmware.com] + VMWare [vmware.com] you can start having applications running in a completely disposable virtual machine and it would work just like a regular application, only it can't ACTUALLY access your system.

Re:The model (1)

Knightman (142928) | more than 4 years ago | (#30898510)

There are ways to detect that you are running in a VM and to break out of it to exploit the underlying OS.

Re:The model (1)

gmagill (105538) | more than 4 years ago | (#30898664)

There are ways to detect that you are running in a VM and to break out of it to exploit the underlying OS.

Example?

Re:The model (2, Informative)

Knightman (142928) | more than 4 years ago | (#30898758)

VMWare for example uses a virtual I/O-port (just google 0x564D5868)in the VM to communicate with the process running the VM.
If you can communicate with the VM there stands to reason you probably can break out of it.

The only way to be sure your computer is safe is to unplug it.

Re:The model (0)

Anonymous Coward | more than 4 years ago | (#30899448)

How about VirtualBox?

Re:The model (1)

Gerzel (240421) | more than 4 years ago | (#30898888)

Aye and plenty of info that gathers in the browser preferences to exploit. Bookmarks, history, passwords, email, phone numbers, credit card numbers.

Re:The model (1)

rsborg (111459) | more than 4 years ago | (#30898960)

There are ways to detect that you are running in a VM and to break out of it to exploit the underlying OS.

[cite needed]... furthermore, the more expensive it is to break out of a sandbox, the less likely any individual app/plugin-maker will do this.

Re:The model (0)

Anonymous Coward | more than 4 years ago | (#30898554)

Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.

It is probably foolish to believe that you could ever build a [useful] system that had no security flaws but still allowed untrusted, unprompted arbitrary code execution.

It always amazes me that some of the most popular add-ons and plugins have invalid security certificates - at least when I download them.

Re:The model (3, Funny)

rolfwind (528248) | more than 4 years ago | (#30898852)

Insecure huh?

Is that why my browser kept asking if it looked fat maximized in my widescreen monitor.

Re:The model (2, Insightful)

vtcodger (957785) | more than 4 years ago | (#30899206)

***Perhaps the real insecurity is the whole model whereby the entire system depends on the ability for any random server to download arbitrary program code to your machine and execute it just because you visited their server, or a page that had an embedded link to your server.***

That'd be my opinion as well, but apparently you and I are Luddite idiots.

My guess is that if you are right, it will take at least two decades and perhaps one or more complete breakdowns of e-Commerce and/or web services to bring any significant number of folks around to your point of view.

Re:The model (1)

Temporal (96070) | more than 4 years ago | (#30899498)

No, what's broken is the model that by default gives all your authority to every piece of code you run. There is absolutely nothing wrong with running untrusted arbitrary code as long as you don't give it the ability to access any sensitive resources. The Adobe Reader plugin has *no* reason to be granted access to do anything except read the PDF you downloaded and render it to the screen -- no hard drive access (other than its own installed files), no network access, etc. But by default we assume that installed programs (like plugins) should be allowed to do everything the user herself can do, and grant that permission.

In short, run the Adobe Reader plugin in a separate process in a chroot jail as user "nobody" and only let it communicate to the browser through a socket and maybe some shared memory. Then security flaws in Reader are irrelevant.

BTW, Chrome runs plugins in separate processes so we're already part of the way there. Unfortunately those plugins are still written under the assumption that they can do whatever the hell they want, which means they often break when not given that ability. Sigh.

Re:The model (0, Troll)

ld a,b (1207022) | more than 4 years ago | (#30899878)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting malware. Your idea will not work. Here is why it won't work.

(x) The program running on the VM/jail/sandbox still has access to all the data you stream through it.

Specifically, your plan fails to account for

(x) L337 H4X0RZ
(x) The fact that you are already running the malware
(x) Who is responsible for setting the permissions
(x) The fact that the sandbox needs to have some side-effect.

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical

Furthermore, this is what I think about you:

(x) This is a stupid idea, and you're a stupid person for suggesting it.

Simple solution built into Opera... (2, Informative)

sznupi (719324) | more than 4 years ago | (#30898094)

Quick options toggle menu -> enable/disable plugins.

(with whitelisting and blacklisting of particular sites available of course)

Re:Simple solution built into Opera... (0)

Anonymous Coward | more than 4 years ago | (#30899220)

How does it help against insecure plugins? You can disable a plugin after you installed it? Will it undo the damage? Will it uninstall malware?

The problem isn't browsers. (1, Offtopic)

morgan_greywolf (835522) | more than 4 years ago | (#30898120)

The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.

Re:The problem isn't browsers. (3, Informative)

afidel (530433) | more than 4 years ago | (#30898244)

Doesn't matter, most people don't care about the security of their computer they rightfully care about the security of their data which no OS blocks effectively, ie if I can modify my data so can any program running in my context.

Re:The problem isn't browsers. (1)

MrEricSir (398214) | more than 4 years ago | (#30898264)

Unfortunately, every OS that I'm aware of allows a browser plugin to download and execute arbitrary code.

Whether it can run as root or not isn't really relevant, since even running as a normal user it can access the entire user's home folder.

Re:The problem isn't browsers. (3, Informative)

GIL_Dude (850471) | more than 4 years ago | (#30898314)

That's absolutely correct and was solved back in Windows Vista / IE 7. As of then, "Internet zone" sites are automatically running with LESS privilege than a standard user. Bascially they can't write anything outside of temporary internet files and an untrusted "low" zone in the registry. Of course Windows 7 and IE 8 continues this. You can use Process Explorer to see the integrity level at which applications are running. Medium is standard user, Low is for things like the Internet Zone, and High is anything running with system or administrative privileges. This is one of the reasons that many of these exploits don't work correctly against anything but Windows XP.

Re:The problem isn't browsers. (5, Informative)

Kalriath (849904) | more than 4 years ago | (#30898566)

Correct except for one tiny little issue. Basically, a browser plugin can escape the sandbox by running a broker process outside of the browser context if they have a real need to. Adobe, arguably world leaders in information insecurity, decided that Flash (perhaps the most insecure plugin ever) needed that unsandboxed access, and created a broker for it. With functions like "writeArbitraryDataToHardDisk()" and "runArbitraryProbablyInsecureProgram()".

Re:The problem isn't browsers. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30898372)

Your browser wants to download a picture. Cancel/Allow?
Your browser wants to download a plugin. Cancel/Allow?
Your browser wants to show you what you just clicked on. Cancel/Allow? Allow: owned.
That doesn't work either.

Re:The problem isn't browsers. (1)

shutdown -p now (807394) | more than 4 years ago | (#30898772)

The problem isn't browsers, it's the operating system they're running on. Any operating system that allows normal users to execute privileged code without entering some sort of authentication before allowing those privileges is inherently broken.

No modern desktop OS (with a very stretched definition of "modern" - e.g. WinXP and even 2K conforms, too) does not allow normal users to execute privileged code with no confirmation. The problem with XP and earlier was that the default user with a fresh install was admin - not exactly a "normal user". This is fixed in Vista and above.

The problem is that you don't need to run privileged code to do harm. Even trojaning the system is trivial without it, since the binary can simply be deployed in user's home directory. Not to mention that one doesn't need a trojan to simply steal user's files, which may include some interesting personal information, such as CC numbers...

Re:The problem isn't browsers. (2, Informative)

mcrbids (148650) | more than 4 years ago | (#30899272)

Great! You got +5 insightful for an unenlightened post.

So you have a process, the browser. And within that process, is a security hole. And in the context of the browser, there's this scripting language called "javascript" which (tadum!) executes code. Code which might take advantage of aforementioned security hole.

In this example, the Operating System isn't even involved - it's all happening within the browser. Yet, your security is still hosed. There's still a keylogger running inside browser space, and when you go to your bank, they still get your access credentials.

How would you expect the operating system to protect you here? In this space, the Operating System is barely relevant at all!

Mod parent down (1)

argent (18001) | more than 4 years ago | (#30899358)

You don't need to run *privileged* code to exploit a vulnerability in an application. A normal user or even a browser running in a chrooted jail can still be used to launch attacks on other computers, take part in a botnet, and so on. Not to mentioon that if your browser's compromised it's sitting there waiting to steal your passwords and attack your bank accounts.

And "let me do something stupid" dialogs are little protection, because if they're used often enough to be effective they just train people to let the computer do something stupid.

No, once you're penetrated, you're ****ed.

Re:The problem isn't browsers. (0)

Anonymous Coward | more than 4 years ago | (#30899384)

And if an OS DOS ask for that authentication it gets slammed as inconveniant. Sorry, Windows. You can't win.

Adobe reader plugin? (2, Interesting)

shitzu (931108) | more than 4 years ago | (#30898130)

I never acutally understood the reason for a PDF plugin. Why can't i just download the bloody file and look at it? On second thought, that's what i usually do. Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

Re:Adobe reader plugin? (1)

_Sprocket_ (42527) | more than 4 years ago | (#30898342)

Can someone give me one good reason to have a plugin for PDF files? Paedophiles?

Adobe had this dream of the World Wide Web consisting of PDFs for as far as the browser to see.

Re:Adobe reader plugin? (3, Insightful)

Trepidity (597) | more than 4 years ago | (#30898460)

If you're just reading the occasional journal article or something, that's reasonable, yeah. The original idea of the PDF plugin was that PDFs would be more widespread, as part of websites, so it'd be a hassle to download/view every time you ran across a PDF. That's thankfully not as common as Adobe had hoped, but for some kinds of sites it's still a bit of a hassle if you have no plugin--- restaurant sites that seem to find it necessary to put their lunch/dinner/drinks menus into three separate PDFs come to mind.

Re:Adobe reader plugin? (1)

Gerzel (240421) | more than 4 years ago | (#30898918)

For restaurants it is usually because the menus are sent to the printers in PDF format and they don't have the time/money to change the format for the site.

Re:Adobe reader plugin? (1)

flyingfsck (986395) | more than 4 years ago | (#30899676)

The plugin still downloads the whole PDF file before rendering it from the /tmp directory. On Linux, the PDF plugin is decidedly more clunky to use especially when you have to view multiple files as in your example.

Firefox? (2, Interesting)

guamman (527778) | more than 4 years ago | (#30898220)

I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

Re:Firefox? (5, Funny)

Anonymous Coward | more than 4 years ago | (#30899766)

I don't know what you are talking about.

My browser's title says "Slashdot IT Story | Insecure Plugins Ding IE, Safari, Chrome, Opera - Mozilla Firefox"

Re:Firefox? (0)

Anonymous Coward | more than 4 years ago | (#30899790)

Hah! Caught you! It was a trap to get all the pro-IE5 people to float to the surface. We will now be monitoring your thought patterns to come up with a reason why you are pro-IE5.

Sincerely,

The Internet

Re:Firefox? (3, Insightful)

onefriedrice (1171917) | more than 4 years ago | (#30900092)

I noticed that Firefox / Mozilla was left out of the title list of insecure plugins. I'm certain this problem applies to it as well (particularly since it gets mentioned in the summary below). Innocent slip or ulterior motive of the anti-IE crowd?

Probably not so much anti-IE as pro-Firefox, seeing as how that was pretty much the only browser missing from the list in the title, which should have read "Insecure Plugins a Problem for Browsers."

easy solution (2, Informative)

Tumbleweed (3706) | more than 4 years ago | (#30898262)

Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

Re:easy solution (1)

Again (1351325) | more than 4 years ago | (#30899810)

Replace Adobe Acrobat Reader with Foxit Reader, and turn off Java. Yay. Hopefully you don't need Java (most people really don't).

Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

Re:easy solution (2, Insightful)

Tumbleweed (3706) | more than 4 years ago | (#30900124)

Except that Java is used by Facebook for their photo uploader so any Facebook user that uploads photos from in their browser needs Java.

Great, another reason to loathe Facebook. Like I needed another. *shrug*

Re:Foxit is vulnerable, too (0)

Anonymous Coward | more than 4 years ago | (#30900948)

It would be naive to think that only Acrobat Reader has vulnerabilities. Foxit Reader has some, too. [coresecurity.com]

Anyway, it's probably still a good solution since Acrobat Reader is unnecessarily bloated, and I totally agree to disable Java.

Would it hurt to proof-read submissions? (1)

ChunderDownunder (709234) | more than 4 years ago | (#30898334)

I had a friend at university named Eleonora . You've just besmirched her name by referencing an article about 'Eleonore'. :(

Re:Would it hurt to proof-read submissions? (1)

TangoMargarine (1617195) | more than 4 years ago | (#30899012)

The thing in the article is spelled Eleonora...

Re:Would it hurt to proof-read submissions? (1)

ChunderDownunder (709234) | more than 4 years ago | (#30900620)

Well, the article is titled, "A Peek Inside the 'Eleonore' Browser Exploit Kit".

Oh cmon, kdawson! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30898352)

Why was firefox left out of the article name?

Cooperation and Sandboxing (0)

Anonymous Coward | more than 4 years ago | (#30898416)

It has been my opinion since I heard of the work being done by Microsoft in Internet Explorer 8.0 and Google in Chrome that the browser companies need to come together and come up with an official set of specifications for loading and hosting plug-ins out of process and under a constrained execution context. The problem is that none of the current plug-ins are designed to function as such and either will not work or require special consideration in the browser to function. The only way to mitigate these issues is to sandbox the plug-ins, but the only way to do that in a manner that doesn't break everything is to make sandboxed plug-ins the norm.

A new browser? (1)

PopeRatzo (965947) | more than 4 years ago | (#30898690)

Reading this headline quickly, for a second I thought there was a new browser out named "Ding".

Or I guess, this being 2010 and all, it would have to be named "ding". The lower-case names apparently show extra coolness or something.

Re:A new browser? (1)

Again (1351325) | more than 4 years ago | (#30899830)

They should have called iding because we want to know who is doing the dinging.

Extensions are just as big a problem too. (0)

Anonymous Coward | more than 4 years ago | (#30898778)

In fact, they can even be worse than plugins.

The only way to ensure extensions are safe would be to have a verification process on every one of them.*
An automatic extension tester could be run on every extension before being released.
This will check for any resources it accesses, just in case they tried to be smart and hide code execution from potential scanners.
Then there should be a simple table of what an extension does.
Accesses External URLs, accesses history, accesses cache, accesses bookmarks, local storage, file management probably the main ones. Read / write on all of those.
You should also be allowed to disable access to either the R/W permissions on any of those sections of functionality.

While automatic testing of extensions on submission servers is possible, testing for date triggers might not be as easy to find in decent obfuscated code.

Good luck getting Mozilla, Opera or Google to add this in. "Oh it's too complicated, users don't need to see that" will probably be the general opinion. Pathetic.

* Or go the evil route and ask for personal information and deny any without it.

sChwit (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30898816)

Apt-get upgrade (0)

Anonymous Coward | more than 4 years ago | (#30898882)

One reason for me to use linux on my computers is that i know that there is only one plugin which i need to take care about, and that is flash. the rest is updated automatically and that is reflected in the numbers in the article (Firefox versions distributed with ubuntu having a lot of hits, but few exploits). So no, Linux is noch more secure technologically. But the fact that you pay somebody (in my case Dell payed somebody) for keeping *all* your software uppdated by less than a click a day *is* making the more secure. If i look at what windows used have to install manually before the system is approximately as usable as a freshly installed linux, i am scared. I am a lazy ass, and i know that the plugins, *required* for watching the crap (aka documentation) some companies deliver with their products, windows virtual machines i use (for CAD) are not updated frequently. Ah, and i use noscript. A webpage has to be important to get flash turned on.

Re:Apt-get upgrade (1)

hairyfeet (841228) | more than 4 years ago | (#30899478)

Uhhhhh...Anonymous Dude? We actually have that [filehippo.com] in Windows too you know, it is just like everything else in Windows in that you need a third party tool. My guess is if MSFT tried to add it natively they would get screams of antitrust! and be accused of playing favorites if it detected Adobe but not Bob's Media Player.

But it works from 98-Windows 7, only takes one click, unless you have it start with Windows then you don't have to click at all unless it finds something out of date. Just use ninite [ninite.com] to install the software you need on a clean machine, along with Update checker afterward once a week (or day if you are paranoid) and voila! Easy Peasy Windows.

Re:Apt-get upgrade (1)

seandiggity (992657) | more than 4 years ago | (#30900666)

An app that checks the web to find out if there are updates to 3rd party software you install on Windows is not anywhere as good as a package manager in a distro like Debian. That said, I'm glad there's *something* out there for Windows that searches for upgrades to non-Microsoft software on your machine, even though I assume there's some data-mining involved.

Re:Apt-get upgrade (1)

hairyfeet (841228) | more than 4 years ago | (#30901008)

Actually as someone who has used both I personally think the package managers suck the big wet titty, no offense. While they are great for nerds, they royally suck for normal folks. Example if you type in Open Office you get this huge list of packages. There should be ONE item, and one item only, and that is Open office as a single installer. Maybe have an "expert mode" that would let you choose individual packages if you like. That is why I think Click N Run is the closest I have ever seen to perfect. Just a simple description, a couple of pictures, and a "install now" button. Can't get easier then that.

As for the Update Checker from what I can tell the only data they send is the software and version numbers, which of course they need to check against their database to see if your software is old or not. But from what I can see testing it on a couple of dozen machines so far, is that they support a truly huge amount of third party software, from the biggies like Flash and Java to the smaller stuff like IMGBurn and RocketDock. If it finds out of date software it gives you a simple one click link for each one it finds out of date so that you can choose whether you want to update or not. Great if you have friends, family members, or in my case customers on Windows.

But from what I have seen package managers in Linux don't support any software that isn't from the repos, which depending on the distro can be out of date, so I really don't see package managers having a big advantage unless you refuse to install any software except from the repos. And of course your package manager won't tell you if your proprietary software is out of date, unlike Update Checker which let me know my WinRAR and Alcohol 120% was behind the times. So all in all I would give Linux a point for having it built in, and FileHippo a point for checking both free and pay software for updates. But if you have any family or friend on Windows I would point them to Ninite and FileHippo Update checker. Ninite lets them install plenty of free software without fear of Toolbars like Java and CCleaner have nowadays, and FileHippo will them keep that software up to date.

Re:Apt-get upgrade (1)

hduff (570443) | more than 4 years ago | (#30900218)

So are there Flash plug-in exploits that target Linux? I understand that you could remotely execute code with the UID of the user, but are there exploits in the wild?

No Firefox? (1, Redundant)

zaivala (887815) | more than 4 years ago | (#30899198)

I hope I'm not the only one who noticed that the headline neglected to include Firefox, but that the article makes it clear they are equally at risk.

Addons Modified Without Author Consent (Torbutton) (1, Informative)

Anonymous Coward | more than 4 years ago | (#30899282)

Especially when there's unauthorized modifications to addons/plugins BEHIND the backs of the addon authors!

Imagine.. you've gone through all the trouble to properly configure Tor and the Proxy of your choice, only to have the possibility of the plugin itself (Torbutton) modified by someone other than the author and such access could easily provide a vector of attack where a trojan can easily be inserted.

Torbutton is a very popular Firefox addon which makes Tor usage easy.

Read here where the Torbutton author mentions how his Torbutton .xpi release was modified without his consent (and you, the users, download what's been modified AFTER he last modified it!):

http://archives.seul.org/or/talk/Jan-2010/msg00189.html [seul.org]

"Thus spake Paolo Palmieri (palmaway@xxxxxx):

> Sorry, but I have to point out that none of the proposed solution really
> works, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the .xpi's on it (correct me if I'm wrong
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also add some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple .asc file.
>
> So, I have to join Jim's plea. Mike, could you please put the .xpi's
> .asc signature files on the TorButton website?

You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..

I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/ [torproject.org]

> P.S. Are git connection to the Tor git's repository protected by TLS
> against a valid certificate?

No. The git:// protocol is not protected. You need to rely on the tag
signatures.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs"

Acrobat plugin has been my nemesis for years. (2, Insightful)

argent (18001) | more than 4 years ago | (#30899322)

I used to have to go through and find that damn plugin and actually remove the plugin dll every time I installed acrobat, because there was NO WAY to tell Adobe "no, thanks, I do NOT want to hang my computer for five minutes while your plugin munches on a huge PDF every time I forget to alt-click on a pdf link".

Re:Acrobat plugin has been my nemesis for years. (1)

mathfeel (937008) | more than 4 years ago | (#30900862)

Have you tried the FireFox add-on pdfdownload? Let you pause and decide what to do.

And people WANT Flash on their phone... (2, Insightful)

rinoid (451982) | more than 4 years ago | (#30899482)

My gosh, Apple has taken so much crap for not including Flash on the iPhone and not supporting Adobe in their desire to have the Flash plugin run on the iPhone (never mind most flash content already sucks, try it without a mouse(!) onHover event). I use ClickToFlash for Safari, and, all my Firefoxen gets flashblock. I load Flash when I want to load it, not when some ad server or asswipe with an art degree (uh, that's me!) thinks their website menus would be really neato in Flash.

kdawson manipulated the title of the summary (4, Insightful)

Smurf (7981) | more than 4 years ago | (#30899708)

It is fascinating that while in the summary krebsonsecurity (the same people that wrote the article) says that the article talks about compromises "not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera," kdawson chose to exclude Firefox from the title and even changed the order of the other browsers: IE, Safari, Chrome, Opera.

I'm not saying that the order in which the browsers are mentioned has any significance at all, but it is simply wrong to alter the title in such a way that the article seems to say something different from what it actually says.

kdawson strikes again...

wow (0)

Anonymous Coward | more than 4 years ago | (#30899966)

Insecure Plugins DING IE, Safari, Chrome, Opera

... Grats!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>