Call to reconsider browser plug-ins

by Brian Sims

Following Oracle’s recent patch for its Java plug-in for web browsers, Catalin Cosoi, Chief Security Strategist at Bitdefender, stated, ‘Browser plug-ins are the bridge between the web and the applications installed on the machine. Information about the plug-in name and version is available to websites requested by the user, so malicious websites can get an overview of what vulnerable plug-ins are running at any time. Since they directly interact with content, they can be tricked into executing malicious code as it gets rendered inside the browser.

‘Application development is a race between companies and cyber-criminals. No matter how much vendors invest in quality assurance, attackers always find a breach they can exploit in specific circumstances. A significant chunk of these incidents also happen because computer users fail to update their plug-ins to the latest version. Most modern exploit packs still bundle malicious code for exploiting vulnerabilities that had been patched years ago, but some users failed to apply the hotfix.

‘Although the widespread adoption of HTML5 will likely contribute to the reduction of the attack surface (by replacing the Flash Player plug-in, for instance), it is not a universal substitute for specific plug-ins such as Java. More than that, HTML5 comes with its own share of threats. The HTML5 API natively supports location tracking and other features that have been demonstrated to introduce new attack vectors.’

Those using browser plug-ins are advised to avoid potentially dangerous websites and keep plug-ins updated. Unnecessary plug-ins could increase the attack surface for malicious code. Users are also advised to use a security solution that scans web traffic and blocks malicious code, and to uninstall or disable any plug-ins that are reported as vulnerable.
