With the latest releases of web browsers, including Microsoft’s Edge and new versions of Chrome and Firefox, software-makers are moving away from the older browser add-on architecture developed in the early days when Netscape walked among us. Back then, browsers were relatively simple pieces of software. While exploits such as JavaScript-based malware and phishing were first seen in the late 1990s, it took some time before they became popular attack vectors. During that time, developers wrote add-ons to provide extra functionality to these early browsers, but they sometimes added unwanted security vulnerabilities.

A New Hope for the Browser Add-Ons

To stem the tide of security problems, browser-makers have had to toss aside the older browser add-on models and force the market to evolve. Windows 10 actually sports two different browsers: Microsoft has its new Edge browser, which doesn’t support any plugins whatsoever, and it includes a copy of Internet Explorer (IE) for those times when pages require the older architecture. This could be a nightmare for end users who get confused about which browser to run for their particular websites.

The current versions of both Google Chrome and Mozilla Firefox (versions 45 and 41, respectively) no longer support the older browser plugin standard called Netscape Plugin Application Programming Interface (NPAPI). This is mainly because of security issues, but also because these and other major browser-makers are incorporating technologies previously found in plugins into their main browser engines, both to improve performance and to make them more secure.

Browser add-ons had three major issues. First, they had access to the entire browser session, so they couldn’t be sandboxed and protected. Second, they presented a large target for cyberattacks, since every user had the same version of Flash or Java. Third, they were less stable than the main browser code itself. As one post on How-To Geek stated, “Plugins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.”

Attack of the Browser Extensions

Note that while browser plugins are going away, browser extensions are still with us and are a completely different beast. Both Firefox and Chrome have thriving extension ecosystems that are used to add various functions and software integrations, and Internet Explorer has its own ecosystem called Browser Helper Objects (BHO). For example, there are integrations for popular cloud-based file repositories like Dropbox and Evernote that take the form of browser extensions, allowing users to move files quickly into a browser context.

Browser-makers are trying to bring some discipline to their extension partners. Some are starting to implement process isolation to better protect users, along with code signing policies. “The consequence of these changes are that existing add-ons will have to be reengineered and some may not make it through the approvals process, which will not please users who rely on rejected add-ons,” Mark Gibbs wrote in Network World.

Finally, some website operators are approaching the browser security issue by trying to prohibit Adobe Flash-based pages and advertisements. Amazon was the latest Internet conglomerate to make this move away from Flash Player. It isn’t exactly a new trend: Ever since Apple’s iPad came out with no Flash support, organizations (even Netflix, which has used Microsoft Silverlight up until now) have been trying to build websites with HTML v5 support.

But it is noteworthy that Flash lingers on despite its numerous security challenges. Perhaps this year we will finally see HTML v5 take off for enterprise developers: the standards, tools and performance are all in place for this more secure version of HTML, as Al Hilwa wrote in the SD Times.

Revenge of the Security Professional

So how should enterprise developers and security managers handle these latest developments? First, if you have corporate Flash-based apps, now is the time to move them to HTML v5. Second, start looking at rigorous ways to screen and upgrade your browser population to the latest versions.

While the browser-makers seemingly release new versions weekly, at least make an attempt to bring your users to a version that is more recent. This will improve your security posture and, in the long run, could save you from potential exploits. You should also look at the new programming interfaces from Firefox and Chrome to see if they can be useful to your custom-built apps.
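One way to screen a browser population from proxy or web server logs, as an added example that is not part of the original article: it buckets User-Agent strings against the Chrome 45 and Firefox 41 versions named above. The log format, sample lines and bucket names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Baselines from the article: the Chrome and Firefox versions it names as dropping NPAPI.
BASELINE = {"Chrome": 45, "Firefox": 41}

# Order matters: Edge user agents also carry "Chrome/" and "Safari/" tokens,
# and IE 11 replaced "MSIE" with "Trident/...; rv:11.0".
PATTERNS = [
    ("Edge", re.compile(r"Edge/(\d+)")),
    ("IE", re.compile(r"MSIE (\d+)|Trident/.*rv:(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
]

def classify(user_agent):
    """Return (browser, major_version), or ("Unknown", None) if unrecognised."""
    for name, rx in PATTERNS:
        m = rx.search(user_agent)
        if m:
            return name, int(next(g for g in m.groups() if g))
    return "Unknown", None

def status(browser, major):
    """Map a browser and major version to a triage bucket (bucket names are hypothetical)."""
    if browser == "IE":
        return "legacy-plugin-capable"  # still loads the older add-on architecture
    if browser in BASELINE:
        return "ok" if major >= BASELINE[browser] else "outdated"
    return "ok" if browser == "Edge" else "review"  # Edge: no plugins, per the article

def audit(log_lines):
    """Tally buckets from log lines whose last quoted field is the User-Agent."""
    tally = Counter()
    for line in log_lines:
        quoted = re.findall(r'"([^"]*)"', line)
        if quoted:
            tally[status(*classify(quoted[-1]))] += 1
    return tally

# Constructed sample data: addresses, timestamps and requests are made up.
UAS = [
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240",
    "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "curl/7.43.0",
]
LINE = '10.0.0.%d - - [01/Oct/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"'
SAMPLE = [LINE % (i, ua) for i, ua in enumerate(UAS, 1)]
```

User-Agent strings are client-supplied and can be spoofed, so treat the tally as an inventory signal to confirm against endpoint management data rather than as proof of what is installed.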
