Plugins – yes, they’re handy but they also increase the surface of attack

Any plugin could potentially put your computer – and your data – at risk.

Yasin Soliman (@SecurityYasin)

Web browser plugins

If you’re reading this on a computer, it’s pretty likely that you have at least one of these plugins installed: Adobe Flash, Oracle Java or Microsoft Silverlight.

You may have downloaded Flash to play a game or Silverlight to watch a live football match, inside of your web browser. Starting to sound familiar?

Whichever web browser you are using, you should know that using any plugin runs the risk of putting your system – and your data – in increased peril.


Let’s travel back in time for a quick history lesson.

A history of web plugins

The advent of the World Wide Web meant demand for complex, interactive content increased – think animations, games and video, inside of your everyday webpages.

The original Flash Player didn’t become part of Adobe’s portfolio until 2005. Nevertheless, Flash soon became a big name in web technologies: a de-facto standard for embedding media into websites.

The first version of Silverlight was released by Microsoft halfway through 2007, as a contemporary alternative to Adobe’s Flash technology.

Although the underlying technology differs, Microsoft’s intentions were to produce a new framework for interactive content, much like Flash.

Java, however, means different things to different people. In this article, I’m particularly talking about Java “applets” – the mini-applications developed for the Java platform but executed inside your web browser.

Nowadays, interactive content has become even more advanced; many sites use HTML5 to help with this. A quick side note: every webpage you look at is written in a special, vendor-neutral programming language called HTML, where HTML5 is the fifth – and most advanced – revision of the original version.

Flash, Java and Silverlight are all branded frameworks on the path to obsolescence, but the movement away from proprietary software is just one part of the story.

The world of exploits

Unfortunately, the key ability that made each of these plugins so widely accepted – running complex code inside your web browser – is actively abused by cybercriminals and other malicious actors.

New ways to abuse this computing power are found every day; in the information security industry these are known as “exploits”. What’s more, many of the underlying vulnerabilities are serious ones.

Today’s cybercriminals parcel up many of these exploits into “exploit kits” – multi-pronged packages designed specifically to take advantage of flaws in plugins like Flash and Java.

Gaining this kind of direct access to a victim’s computer means the cybercriminal can push ransomware and a plethora of other threats – the sky’s the limit.

In a series of follow-up articles I will describe how you can keep some of the most commonly exploited plugins updated, and – importantly – how you can uninstall them if you wish to shut the door permanently to their exploitation by malicious hackers.

Researcher at heart, Yasin Soliman lives and breathes information security. You can find him on Twitter at @SecurityYasin.

5 comments on “Plugins – yes, they’re handy but they also increase the surface of attack”

  1. Chris Thomas

    Use MalwareBytes Anti-Exploit for free web browser (including plugins) protection. Anyone can install it. It's that simple (unless you already use EMET). It needs no setting up or tweaking and automatically updates.

    No I don't have shares in MalwareBytes. This recommendation is pure altruism.

    1. Joshua · in reply to Chris Thomas

      Where to get the activation key?

  2. coyote

    'A quick side note: every webpage you look at is written in a special, vendor-neutral programming language called HTML, where HTML5 is the fifth – and most advanced – revision of the original version.'

    You might call me a pedant (I won't argue it) but there is a subtle point: web standards aren't exactly followed the same (hence why for some things you need hacks for IE or do something in a different way for another) so whether it is vendor neutral or not is questionable (at least to someone who is a literal thinker and a pedant like me[1]). But not every web page is in HTML; you have: perl and php to name two examples.

    Otherwise you had me concerned. I thought for sure there was another update to flash and I didn't want to do rounds updating it. Again.

    [1] Although I readily admit that my second point is more valid ('reasonable' ?) because even if the standard (e.g. of HTML) isn't followed exactly correct (which indeed also happens for many other things) it still is meant to be the same language.

    1. coyote · in reply to coyote

      And it seems there IS another Flash update. If only every website that still uses it were to stop using it – the world wide web would be far safer. And if every application (I seem to think that some do but maybe I'm mixing it up with other things [Java is another example of course]) that used it were to stop using it the Internet would be far safer. If both were to be satisfied it'd be better still.

  3. Aitchjayem

    Highly informative article, Yasin – and comments, Coyote. Security made plain and interesting.
