Call to reconsider browser plug-ins

Posted On 06 Aug 2013
Comment: Off

Following Oracle’s recent patch for its Java plug-in for web browsers, Catalin Cosoi, Chief Security Strategist at Bitdefender, stated, ‘Browser plug-ins are the bridge between the web and the applications installed on the machine. Information about the plug-in name and version is available to websites requested by the user, so malicious websites can get an overview of what vulnerable plug-ins are running at any time. Since they directly interact with content, they can be tricked into executing malicious code as it gets rendered inside the browser. ‘Application development is a race between companies and cyber-criminals. No matter how much vendors invest in quality assurance, attackers always find a breach they can exploit in specific circumstances. A significant chunk of these incidents also happen because computer users fail to update their plug-ins to the latest version. Most modern exploit packs still bundle malicious code for exploiting vulnerabilities that had been patched years ago, but some users failed to apply the hotfix. ‘Although the widespread adoption of HTML5 will likely contribute to the reduction of the attack surface (by replacing the Flash Player plug-in, for instance), it is not a universal substitute for specific plug-ins such as Java. More than that, HTML5 comes with its own share of threats. The HTML5 API natively supports location tracking and other features that have been demonstrated to introduce new attack vectors.’ Those using browser plug-ins are advised to avoid potentially dangerous websites and keep plug-ins updated. It is also advised that unnecessary plug-ins could increase the attack surface for malicious code. Users are advised to use a security solution that scans web traffic and blocks malicious code, and where plug-ins are reported as vulnerable they should be uninstalled or disabled.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.