Browser Plugin Security

By balaji

June 16, 2010

Everyone who's reading this article knows what a browser is. Every day we use a browser to surf the Internet and read content we're interested in from various websites. A large number of these pages are plain text or simple HTML, which the browser understands natively and displays to you, the user. Often, however, you find yourself looking at files in formats other than HTML: PDF, DOC, SWF and WMV, to name a few. None of these formats is understood by the browser by default.


A few years ago, when browsers didn't understand a file, they just asked the user to download it. The user would download the file and then open it with a program installed on the hard disk. Over the years, though, browser vendors have given users the option to view the content of these files directly inside the browser without having to download them. That is where a plugin comes in: a piece of software added to the browser to give it some functionality it did not have in the first place.

A plugin is the reason you can view PDF and DOC files and Flash movies directly in the browser. New plugins continue to be created regularly to cater to the varied content found on numerous websites. While this is no doubt great from the perspective of the user, it also means developers have to ensure that the plugin is securely coded so the user is protected from the numerous threats on the Internet.

In the course of this article we'll look at how plugins work, go through a few examples of poorly coded plugins, and finally give you a short bullet-point list on how you can protect yourself even while using plugins.

So how does a plugin work...

Well... for starters, a plugin needs some software on disk to be able to work properly. So if there is an Adobe Acrobat plugin in Firefox which allows you to read PDFs inside the browser, you will need Adobe Acrobat Reader installed on your disk. Without the reader installed, the plugin is not going to work.

Now when you click on a PDF file on some website, the browser recognizes it as a PDF file and transfers control to the plugin that you've installed for reading PDF files. The plugin checks whether you have a PDF application installed on your disk and calls that program; in this case Acrobat Reader. To enable the plugin to work properly, Acrobat Reader exposes its functions to the plugin. The code in the plugin calls these exported functions, which are usually exposed as part of a DLL on Windows or a .so file on a Linux machine. As you interact with the file in your browser, or as it gets read, the corresponding functions in the .dll/.so file are invoked and the operation succeeds or fails. The most basic function for a PDF plugin will be to call an exported function like read_pdf_file() (the name is purely illustrative), which then reads the PDF file and displays the content inside the browser window itself.

Okay cool, so why is a plugin insecure?

Let's first look at 2 examples of vulnerable plugins:

  1. Here is one such example of a vulnerability in the Adobe Flash Player; this silently installs malware on the victim's machine. Here's another; this talks about 7 different vulnerabilities being present, including privilege escalation, cross-site scripting, and remote execution. And one which is even used to exploit SQL injection vulnerabilities in vulnerable machines.
  2. Here's an example of a PDF plugin vulnerable to cross-site scripting, remote code execution and denial of service.

Now, as we discussed above, a plugin is just an interface that a browser uses to invoke the functionality of software installed on disk. So if there is a vulnerability in any exported function in the DLL on disk, the plugin is potentially vulnerable too. If tomorrow Adobe says that their version of Flash Player is vulnerable, there's a high probability that the plugin that you are using inside your browser is vulnerable as well. If you look at the details of the vulnerabilities in plugins, you'll see that a requirement in many cases is that the user needs to view a malicious file. This would essentially be a file which exercises these vulnerable functions, for example while the Flash file itself is being displayed. The moment the user views the file and a vulnerable function equivalent to read_pdf_file() is invoked, the vulnerability is triggered and the attacker gets some degree of control over the user's machine. The degree can vary greatly, ranging from stealing information from the user's browser to gaining complete control of the user's system.
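To make the plugin/library split concrete, here is an added example (not code from this article or from any real plugin) of a stand-in for read_pdf_file() that validates every length field taken from the file before using it. The toy "TDOC" format, the MIME type, all names and the choice of an unchecked length as the representative flaw are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 32
enum { DOC_OK = 0, DOC_TRUNCATED = -1, DOC_BAD_MAGIC = -2,
       DOC_TITLE_TOO_LONG = -3, DOC_UNSUPPORTED = -4 };
struct doc { char title[TITLE_MAX + 1]; };

/* Constructed samples of the toy format:
 * 4-byte magic "TDOC" | 1-byte title length | title bytes */
static const uint8_t GOOD_FILE[]  = {'T','D','O','C', 5, 'h','e','l','l','o'};
static const uint8_t LYING_FILE[] = {'T','D','O','C', 200, 'A','A'};
static const uint8_t SHORT_FILE[] = {'T','D','O','C', 10, 'h','i'};

/* Library side: hypothetical stand-in for an exported function such as
 * the article's read_pdf_file(). Every field read from buf is untrusted. */
int read_doc_file(const uint8_t *buf, size_t len, struct doc *out)
{
    if (len < 5)
        return DOC_TRUNCATED;
    if (memcmp(buf, "TDOC", 4) != 0)
        return DOC_BAD_MAGIC;
    size_t title_len = buf[4];       /* length claimed by the file itself */
    if (title_len > TITLE_MAX)       /* must fit the destination buffer */
        return DOC_TITLE_TOO_LONG;
    if (title_len > len - 5)         /* must fit the bytes actually received */
        return DOC_TRUNCATED;
    memcpy(out->title, buf + 5, title_len);
    out->title[title_len] = '\0';
    return DOC_OK;
}

/* Plugin side: a thin wrapper that forwards whatever the site served. */
int plugin_handle(const char *mime, const uint8_t *buf, size_t len,
                  struct doc *out)
{
    if (strcmp(mime, "application/x-tdoc") != 0)
        return DOC_UNSUPPORTED;
    return read_doc_file(buf, len, out);
}

int main(void)
{
    struct doc d;
    printf("good:  %d\n", plugin_handle("application/x-tdoc", GOOD_FILE, sizeof GOOD_FILE, &d));
    printf("lying: %d\n", plugin_handle("application/x-tdoc", LYING_FILE, sizeof LYING_FILE, &d));
    printf("short: %d\n", plugin_handle("application/x-tdoc", SHORT_FILE, sizeof SHORT_FILE, &d));
    return 0;
}
```

The plugin wrapper adds no validation of its own, so the two length checks in the library function are the only thing standing between served content and the copy; that is why a flaw in the on-disk library is reachable from any page the user views.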

Vulnerabilities related to plugins are usually triggered by viewing affected content of that specific type; namely SWF, PDF, WMV or others. Other vulnerabilities have also been discovered that stem from improper filtering of JavaScript at the client end; but it's usually as simple as viewing a malicious file on some website. Here is a list of a number of vulnerabilities that have been discovered in the Flash Player; most of them involve viewing a vulnerable file.

How can I protect myself?

Here are a few good things that you can do to defend yourself against these kinds of client-side attacks:

  • Do not click on random links that you receive via email that link to sites you have no clue about.
  • Do not install a plugin from any random site just because you want to view the content on that site; install them only from trusted sites.
  • Ensure that you log in to your system as a low-privileged user so your browser runs with as low a privilege as possible.
  • Apply all vendor-released patches for software that you have installed on your system and also make sure you're alerted when there is a patch released. If you use Firefox, it now has a website which checks whether all your plugins are up to date or not.
  • Read advisories released by vendors and apply suggested countermeasures in case there is no patch released by vendors.
  • Disable automatic running of JavaScript in your browser; for example, the NoScript extension for Firefox does a great job at this.
  • Understand the software that you use and secure it to the maximum; you can tweak the security settings for both Flash and Acrobat Reader.
