October 30, 2015 By David Strom 3 min read

With the latest browser releases, including Microsoft’s Edge and new versions of Chrome and Firefox, software-makers are moving away from the older browser add-on architecture developed in the early days when Netscape walked among us. Back then, browsers were relatively simple pieces of software. While exploits such as JavaScript-based malware and phishing were first seen in the late 1990s, it took some time before they became popular attack vectors. During that time, developers wrote add-ons to provide extra functionality to these early browsers, but they sometimes added unwanted security vulnerabilities.

A New Hope for the Browser Add-Ons

To stem the tide of security problems, browser-makers have had to toss aside the older browser add-on models and force the market to evolve. Windows 10 actually sports two different browsers: Microsoft has its new Edge browser, which doesn’t support any plugins whatsoever, and it includes a copy of Internet Explorer (IE) for those times when pages require the older architecture. This could be a nightmare for end users who get confused about which browser to run for their particular websites.

The current versions of both Google Chrome and Mozilla Firefox — versions 45 and 41, respectively — no longer support the older browser plugin standard called Netscape Plugin Application Programming Interface (NPAPI). This is mainly because of security issues, but also because these and other major browser-makers are incorporating technologies previously found in plugins into their main browser engines both to leverage performance and to make them more secure.

Browser add-ons had three major issues. First, they had access to the entire browser session, so they couldn’t be sandboxed and protected. Second, they presented a large target for cyberattacks, since every user had the same version of Flash or Java. Third, they were less stable than the main browser code itself. As one post on How-To Geek stated, “Plugins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.”

Attack of the Browser Extensions

Note that while browser plugins are going away, browser extensions are still with us and are a completely different beast. Both Firefox and Chrome have thriving extension ecosystems that are used to add various functions and software integrations, and Internet Explorer has its own ecosystem called Browser Helper Objects (BHO). For example, there are integrations for popular cloud-based file repositories like Dropbox and Evernote that take the form of browser extensions, allowing users to move files quickly into a browser context.

Browser-makers are trying to bring some discipline to their extension partners. Some are starting to implement process isolation to better protect users, along with code signing policies. “The consequence of these changes are that existing add-ons will have to be reengineered and some may not make it through the approvals process, which will not please users who rely on rejected add-ons,” Mark Gibbs wrote in Network World.

Finally, some website operators are approaching the browser security issue by trying to prohibit Adobe Flash-based pages and advertisements. Amazon was the latest Internet conglomerate to make this move away from Flash Player. It isn’t exactly a new trend: Ever since Apple’s iPad came out with no Flash support, organizations (even Netflix, which has used Microsoft Silverlight up until now) have been trying to build websites with HTML v5 support.

But it is noteworthy that Flash still lingers on despite the numerous security challenges. Perhaps this year we will see HTML v5 finally take off for enterprise developers: the standards, tools and performance are all in place for this more secure version of HTML, as Al Hilwa wrote in the SD Times.


Revenge of the Security Professional

So how should enterprise developers and security managers handle these latest developments? First, if you have corporate Flash-based apps, now is the time to move them to HTML v5. Second, start looking at rigorous ways to screen and upgrade your browser population to the latest versions.

While the browser-makers seemingly release new versions weekly, at least make an attempt to bring your users to a version that is more recent. This will improve your security posture and, in the long run, could save you from potential exploits. You should also look at the new programming interfaces from Firefox and Chrome to see if they can be useful to your custom-built apps.
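One way to screen a browser population, as an added example that is not part of the original article: it classifies User-Agent strings from proxy logs against the Chrome 45 and Firefox 41 releases named above. Treating those versions as a minimum baseline, the tab-separated log format, the host names and the status labels are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumption: the article's "current versions" serve as the fleet minimum.
BASELINE = {"Chrome": 45, "Firefox": 41}

# Order matters: Edge advertises a Chrome/ token, and IE 11 has no MSIE token.
PATTERNS = [
    ("Edge", re.compile(r"Edge/(\d+)")),
    ("IE", re.compile(r"MSIE (\d+)")),
    ("IE", re.compile(r"Trident/.*rv:(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
]

def classify(user_agent):
    """Return (browser, major, status) for one User-Agent string."""
    for name, rx in PATTERNS:
        m = rx.search(user_agent)
        if m:
            major = int(m.group(1))
            if name == "IE":  # IE keeps the older add-on architecture
                return name, major, "legacy-plugin-model"
            if name in BASELINE and major < BASELINE[name]:
                return name, major, "outdated"
            return name, major, "ok"
    return "unknown", None, "review"

def screen(log_lines):
    """Tally statuses and list outdated (host, browser, major) triples."""
    summary, outdated = Counter(), []
    for line in log_lines:
        host, _, ua = line.partition("\t")
        name, major, status = classify(ua)
        summary[status] += 1
        if status == "outdated":
            outdated.append((host, name, major))
    return summary, outdated

# Constructed sample: "<host>\t<User-Agent>" as a proxy might log it.
SAMPLE = [
    "ws-014\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36",
    "ws-022\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
    "ws-031\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240",
    "ws-040\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "ws-055\tcurl/7.43.0",
]

if __name__ == "__main__":
    print(screen(SAMPLE))
```

User-Agent strings are client-supplied, so treat the result as a first-pass inventory and confirm flagged hosts against endpoint management data.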
