October 30, 2015 By David Strom 3 min read

With the latest release of Web browsers that include Microsoft’s Edge and new versions of Chrome and Firefox, software-makers are moving away from the older browser add-on architecture developed in the early days when Netscape walked among us. Back then, browsers were relatively simple pieces of software. While exploits such as JavaScript-based malware and phishing were first seen in the late 1990s, it took some time before they became popular attack vectors. During that time, developers wrote add-ons to provide extra functionality to these early browsers, but they sometimes added unwanted security vulnerabilities.

A New Hope for the Browser Add-Ons

To stem the tide of security problems, browser-makers have had to toss aside the older browser add-on models and force the market to evolve. Windows 10 actually sports two different browsers: Microsoft has its new Edge browser, which doesn’t support any plugins whatsoever, and it includes a copy of Internet Explorer (IE) for those times when pages require the older architecture. This could be a nightmare for end users who get confused about which browser to run for their particular websites.

The current versions of both Google Chrome and Mozilla Firefox — versions 45 and 41, respectively — no longer support the older browser plugin standard called Netscape Plugin Application Programming Interface (NPAPI). This is mainly because of security issues, but also because these and other major browser-makers are incorporating technologies previously found in plugins into their main browser engines both to leverage performance and to make them more secure.

Browser add-ons had three major issues. First, they had access to the entire browser session, so they couldn’t be sandboxed and protected. Second, they were large targets for cyberattacks, since every user ran the same version of Flash or Java. Third, they were less stable than the main browser code itself. As one post on How-To Geek stated, “Plugins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.”

Attack of the Browser Extensions

Note that while browser plugins are going away, browser extensions are still with us and are a completely different beast. Both Firefox and Chrome have thriving extension ecosystems that are used to add various functions and software integrations, and Internet Explorer has its own ecosystem called Browser Helper Objects (BHO). For example, there are integrations for popular cloud-based file repositories like Dropbox and Evernote that take the form of browser extensions, allowing users to move files quickly into a browser context.

Browser-makers are trying to bring some discipline to their extension partners. Some are starting to implement process isolation to better protect users, along with code signing policies. “The consequences of these changes are that existing add-ons will have to be reengineered and some may not make it through the approvals process, which will not please users who rely on rejected add-ons,” Mark Gibbs wrote in Network World.

Finally, some website operators are approaching the browser security issue by trying to prohibit Adobe Flash-based pages and advertisements. Amazon was the latest Internet conglomerate to make this move away from Flash Player. It isn’t exactly a new trend: Ever since Apple’s iPad came out with no Flash support, organizations (even Netflix, which has used Microsoft Silverlight up until now) have been trying to build websites with HTML v5 support.

But it is noteworthy that Flash still lingers on despite the numerous security challenges. Perhaps this year we will finally see HTML v5 take off for enterprise developers — the standards, tools and performance are all in place for this more secure version of HTML, as Al Hilwa wrote in the SD Times.

Revenge of the Security Professional

So how should enterprise developers and security managers handle these latest developments? First, if you have corporate Flash-based apps, now is the time to move them to HTML v5. Second, start looking at rigorous ways to screen and upgrade your browser population to the latest versions.

While the browser-makers seemingly release new versions weekly, at least make an attempt to bring your users to a version that is more recent. This will improve your security posture and, in the long run, could save you from potential exploits. You should also look at the new programming interfaces from Firefox and Chrome to see if they can be useful to your custom-built apps.
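One concrete way to "screen your browser population" is to audit the User-Agent strings your web proxy already records. The script below is an added example, not code from the article or from IBM; it parses a few constructed proxy log lines (the log format, timestamps and addresses are made up for illustration), extracts the browser family and major version, and flags anything older than the NPAPI-dropping releases named above (Chrome 45, Firefox 41), plus any remaining Internet Explorer sessions, which still run the plugin and BHO architecture.

```python
import re
from collections import Counter

# Minimum major versions taken from the article: Chrome 45 and Firefox 41
# were the first releases to drop NPAPI plugin support.
MIN_VERSION = {"Chrome": 45, "Firefox": 41}

# Order matters: Edge's User-Agent also carries a "Chrome/…" token, so it must
# be matched before Chrome. IE 11 identifies itself via "Trident/7.0; rv:11.0".
_PATTERNS = [
    ("Edge", re.compile(r"\bEdge/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("IE", re.compile(r"\b(?:MSIE (\d+)|Trident/\d+.*?rv:(\d+))")),
]

# Constructed sample proxy log (hypothetical format: "<timestamp> <client_ip> \"<user-agent>\"").
SAMPLE_PROXY_LOG = """\
2015-10-30T09:12:01 10.1.2.3 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
2015-10-30T09:12:05 10.1.2.4 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
2015-10-30T09:12:09 10.1.2.5 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
2015-10-30T09:12:14 10.1.2.6 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0"
2015-10-30T09:12:20 10.1.2.7 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2015-10-30T09:12:27 10.1.2.8 "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
"""

_LOG_LINE = re.compile(r'^(\S+) (\S+) "(.*)"$')


def parse_browser(user_agent):
    """Return (family, major_version) parsed from a User-Agent, or ("Unknown", None)."""
    for family, pattern in _PATTERNS:
        match = pattern.search(user_agent)
        if match:
            # The IE pattern has two alternatives; pick whichever group captured.
            version = next(g for g in match.groups() if g is not None)
            return family, int(version)
    return "Unknown", None


def classify(user_agent):
    """Return (family, major, status) where status is one of
    'outdated' (still supports NPAPI), 'legacy' (IE plugin/BHO architecture),
    'ok' or 'unknown'."""
    family, major = parse_browser(user_agent)
    if family in MIN_VERSION:
        status = "outdated" if major < MIN_VERSION[family] else "ok"
    elif family == "IE":
        status = "legacy"
    elif family == "Edge":
        status = "ok"
    else:
        status = "unknown"
    return family, major, status


def audit(log_text):
    """Classify every parseable line of the proxy log.
    Returns a list of (client_ip, family, major, status); malformed lines are skipped."""
    results = []
    for line in log_text.splitlines():
        match = _LOG_LINE.match(line)
        if not match:
            continue
        _timestamp, client_ip, user_agent = match.groups()
        family, major, status = classify(user_agent)
        results.append((client_ip, family, major, status))
    return results


def summarize(log_text):
    """Count clients per status so the upgrade backlog can be tracked over time."""
    return dict(Counter(status for _, _, _, status in audit(log_text)))


if __name__ == "__main__":
    for client_ip, family, major, status in audit(SAMPLE_PROXY_LOG):
        print(f"{client_ip:<10} {family:<8} {str(major):<5} {status}")
    print(summarize(SAMPLE_PROXY_LOG))
```

Run against a real proxy export, the per-client list gives the help desk a concrete upgrade queue, and the summary counts are what you would chart week over week to show the "outdated" and "legacy" buckets shrinking.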
