The Changing Browser Add-on Security Model
A New Hope for the Browser Add-Ons
To stem the tide of security problems, browser-makers have had to toss aside the older browser add-on models and force the market to evolve. Windows 10 actually sports two different browsers: Microsoft has its new Edge browser, which doesn’t support any plugins whatsoever, and it includes a copy of Internet Explorer (IE) for those times when pages require the older architecture. This could be a nightmare for end users who get confused about which browser to run for their particular websites.
The current versions of both Google Chrome and Mozilla Firefox — versions 45 and 41, respectively — no longer support the older browser plugin standard called Netscape Plugin Application Programming Interface (NPAPI). This is mainly because of security issues, but also because these and other major browser-makers are incorporating technologies previously found in plugins into their main browser engines both to leverage performance and to make them more secure.
Browser add-ons had three major issues. First, they had access to the entire browser session, so they couldn’t be sandboxed and protected. They represented large targets of cyberattack opportunities since every user had the same version of Flash or Java. They also were less stable than the main browser code themselves. As one post on How-To Geek stated, “Plugins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.”
Attack of the Browser Extensions
Note that while browser plugins are going away, browser extensions are still with us and are a completely different beast. Both Firefox and Chrome have thriving extension ecosystems that are used to add various functions and software integrations, and Internet Explorer has its own ecosystem called Browser Helper Objects (BHO). For example, there are integrations for popular cloud-based file repositories like Dropbox and Evernote that take the form of browser extensions, allowing users to move files quickly into a browser context.
Browser-makers are trying to bring some discipline to their extension partners. Some are starting to implement process isolation to better protect users, along with code signing policies. “The consequence of these changes are that existing add-ons will have to be reengineered and some may not make it through the approvals process, which will not please users who rely on rejected add-ons,” Mark Gibbs wrote in Network World.
Finally, some website operators are approaching the browser security issue by trying to prohibit Adobe Flash-based pages and advertisements. Amazon was the latest Internet conglomerate to make this move away from Flash Player. It isn’t exactly a new trend: Ever since Apple’s iPad came out with no Flash support, organizations (even Netflix, which has used Microsoft Silverlight up until now) have been trying to build websites with HTML v5 support.
But it is noteworthy that Flash still lingers on despite the numerous security challenges. Perhaps this year we will finally see HTML v5 finally take off for enterprise developers — the standards, tools and performance are finally all in place for this more secure version of HTML, as Al Hilwa wrote in the SD Times.
Revenge of the Security Professional
So how should enterprise developers and security managers handle these latest developments? First, if you have corporate Flash-based apps, now is the time to move them to HTML v5. Second, start looking at rigorous ways to screen and upgrade your browser population to the latest versions.
While the browser-makers seemingly release new versions weekly, at least make an attempt to bring your users to a version that is more recent. This will improve your security posture and, in the long run, could save you from potential exploits. You should also look at the new programming interfaces from Firefox and Chrome to see if they can be useful to your custom-built apps.