Worried that Internet Explorer is less secure than the alternatives? Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, argued on a Black Hat webcast about Clickjacking that Microsoft is not to blame. In fact, Lawrence essentially argued that browser add-ons are where many of the problems are.

"One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore. The browser is becoming a harder target and there are many more browsers," Lawrence said. "So attackers are targeting add-ons." He added that attackers look for add-ons with high market share, hunt for vulnerabilities in them, and then exploit every browser through the add-on.

So in Lawrence's view, whether you're running IE, Firefox, Safari or Chrome, you could still be at risk if there is a vulnerability in Flash, PDF, QuickTime or another popular add-on (sometimes also called a plug-in). However, I know well that it is also true that how a browser vendor actually hosts add-ons affects how severe a potential add-on vulnerability turns out to be. A good example is how Mozilla fixed some validation issues related to QuickTime so that a QuickTime flaw wouldn't lead to a Firefox exploit. Apparently Microsoft has a few ideas of its own in that area too and will be implementing them in IE 8.

"For IE 8 we've done a lot to increase the hardening of the system against add-on vulnerabilities," Lawrence claimed. "IE 8 has a feature called per-site ActiveX, so if you go out to Yahoo! and install the Yahoo music engine then by default that control isn't available to any other site except for Yahoo. By doing that we can mitigate malicious IFRAME attacks."

This all sounds fine and good to me, but there is still a very large underlying problem here. While Microsoft users have Microsoft Update and Firefox users have an integrated updater too, not all of the add-ons that people use have update mechanisms that are as obvious or as widely used.
So here is what I recommend to ALL browser vendors: include an add-on validation script that automatically warns users, in big RED type, if they are running an outdated version of Flash, PDF, QuickTime etc., so they know there is a risk (and yes, I know Mozilla has an add-on update notifier now, but do yourself a favor and look right now to see whether it checks for Flash, and whether you actually have the most up-to-date version of Flash).

Entry title: Microsoft: Don't blame us, blame the browser add-ons

Tags: add-ons, browsers, IE8, Microsoft

5 Comments

Anonymous said: This article is right on; there have been a massive number of QuickTime exploits in the last two years (to pick just one example). However, browser makers have a responsibility to work on deprivileging these things as well. November 21, 2008 4:25 PM

Eric Lawrence said: Please keep in mind: my remarks concerned where attackers have been focusing their attention, and not, as implied, who is to blame. Internet Explorer 8 adds a number of defenses against buggy add-ons. Joining Vista IE7's Protected Mode and the IE7 "ActiveX Opt-in" feature are the new IE8 Per-site ActiveX feature and the fact that the browser (and by extension, the add-ons) now run with DEP/NX protection by default. [**NOTE FROM SEAN** I included mention of the per-site ActiveX feature in this post too, but hey, I guess not everyone has read the whole post.**] http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx is a good summary of the security work that's gone into the new IE8.
November 21, 2008 4:41 PM

88.96.23.134 said: There's a simpler solution than bloating up these crappy add-ons with even more mechanisms to update them: don't install or run them at all! I do not install Flash, Adobe's Acrobat or QuickTime, and haven't for a very long time. Flash is used mainly for annoying adverts online, and is a direct threat to your privacy online (through their cookie-type system and proprietary software having access to your PC, including microphone and webcam!). Acrobat is bloated and horrifically slow even on the fastest computers, and the less said about QuickTime (and its forced bundling with iTunes; more DRM, great), the better! There are extensions for the Mozilla family to make plugins optional (click to run), and even though I have this feature available via NoScript I still choose not to install any of the popular plugins. In fact, looking at about:plugins, I only have Real Alternative installed. I went to the lengths of removing Windows Media Player from FF too, as the DRM in WMP is utterly offensive, and WMP does not have a good security track record. And the MS media formats also support some very annoying features that are aimed at businesses to use to ram ads or similar into users' faces (loading URLs at points during a clip, or even executing code!). I can assure you that by not having Flash you are not missing much. If I want to see a video from YouTube I download it via keepvid.com and watch it in MPlayer/VLC. I use free software alternatives to Acrobat (which also tend to ignore the DRM-esque features in Adobe's implementation of a PDF viewer), and VLC or MPlayer tends to cope fine with any file that Apple would like you to play with their crap. November 21, 2008 5:03 PM

Nathan Zaugg said: Great post! I actually sent my post to the MS IE8 team and got a less than positive response (this post: http://interactiveasp.net/blogs/natesstuff/archive/2008/11/12/microsoft-please-do-not-release-ie8.aspx).
Whatever they try to do to prevent data execution it won't be enough. IMHO, let IE fail. The ego-centric at MS seem to have a very skewed world view and are no longer capable of real innovation. November 21, 2008 5:18 PM

Charles said: Long ago I figured out that some add-ons are more vulnerable to security issues than others. For a couple of reasons I absolutely won't use the popular Adobe Reader, don't have Flash installed and refuse to do so, keep my plug-in add-ons to only those few I can't live without, such as NoScript, and will absolutely not run IE. Adobe products have far too many phone-homes in them, not to mention the security flaws. I won't run Flash because... I've had it with those flashy ads done in Flash. Flash has become the new way to store cookies where you can't easily find and remove them, in place of the browser cookies that everyone is aware of being part of datamining and most often delete. So if you have ever wondered why everyone is going to Flash movies, it might give you a clue. Not only are they hard to find and have no provision for deletion without a special program, they are allowed bigger sizes so even more data can be stored to report on where you go, what you do, and what you favor. All of major interest to ad companies. ActiveX has long been a popular part of the browser to hijack. Who runs ActiveX anymore? Most browsers that support ActiveX come with it off as the default setting. It's just too easy to get inside your OS through that method. M$ didn't think browser security was that much of a problem that it might need reworking until Firefox started taking a chunk of its market share. All of a sudden, after 10 years, M$ decided maybe it should address some of those security holes before they lost the majority of the market share to Mozilla. Computer monoculture had by then been set up to be struck with a vengeance. I have very little faith in M$ actually getting serious about security.
They are earning money for computer OSes as well as business licenses. As long as money is flowing in from both ends of the stream, why should they close the gap that attracts many of the developer tool sales to do the work with to get into the datamining stream? At the end of this, I am wondering just why I am still running M$ stuff and not on the Linux wagon.
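Back to the post's recommendation of an add-on version check. The following is an added example, not code from the post, from Microsoft or from Mozilla, showing how such a script could enumerate installed add-ons and flag any tracked add-on whose reported version is below a minimum. The sample plug-in list is constructed to look like `navigator.plugins` entries (Flash reports its version in the description as "9.0 r124", QuickTime in the plug-in name), and the minimum-version table holds placeholder values that an operator would maintain from vendor advisories; neither reflects real release data. The point the code makes that the paragraph does not is that the comparison must be numeric, component by component: a string comparison ranks "9.0.124" above "10.0.12", which would wave an outdated Flash through.

```javascript
// Added example (not from the post or any browser vendor): flag installed
// add-ons whose reported version is below an operator-maintained minimum.
// In a browser you would call findOutdated(Array.from(navigator.plugins));
// here a constructed list lets the block run under Node with no browser.

// Constructed sample shaped like navigator.plugins entries. Versions appear
// either in the name ("QuickTime Plug-in 7.5.5") or in the description
// ("Shockwave Flash 9.0 r124"), which is why both are inspected below.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 9.0 r124" },
  { name: "QuickTime Plug-in 7.5.5", description: "The QuickTime Plugin allows you to view multimedia content in web pages." },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape 8.1.2" },
  { name: "Java(TM) Platform SE 6 U7", description: "Next Generation Java Plug-in 1.6.0_07 for Mozilla browsers" },
];

// Placeholder minimums (assumptions for this example, not real release data).
// Keys are matched as case-insensitive prefixes of the plug-in name.
const MINIMUM_VERSIONS = {
  "Shockwave Flash": "10.0.12",
  "QuickTime": "7.5.5",
  "Adobe Acrobat": "9.0.0",
};

// Pull the first dotted version out of a string and return it as an array of
// integers. A trailing " r124" (Flash) or "_07" (Java) becomes one more
// component so that 9.0 r124 and 9.0 r115 compare correctly.
function parseVersion(text) {
  const m = /(\d+(?:\.\d+)+)(?:\s*r(\d+)|_(\d+))?/.exec(text);
  if (!m) return null;
  const parts = m[1].split(".").map(Number);
  const extra = m[2] !== undefined ? m[2] : m[3];
  if (extra !== undefined) parts.push(Number(extra));
  return parts;
}

// Component-wise numeric comparison; missing components count as 0, so
// [9, 0] equals [9, 0, 0]. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return one finding per tracked add-on that is outdated or that exposes no
// parseable version. Untracked add-ons (Java in the sample) are ignored.
function findOutdated(plugins, minimums = MINIMUM_VERSIONS) {
  const findings = [];
  for (const p of plugins) {
    const name = p.name || "";
    const key = Object.keys(minimums).find((k) =>
      name.toLowerCase().startsWith(k.toLowerCase()));
    if (!key) continue;
    const installed = parseVersion(name) || parseVersion(p.description || "");
    if (!installed) {
      // Fail closed: a tracked add-on whose version cannot be read is a risk
      // the user should see, not a silent pass.
      findings.push({ name, installed: "unknown", required: minimums[key] });
      continue;
    }
    if (compareVersions(installed, parseVersion(minimums[key])) < 0) {
      findings.push({ name, installed: installed.join("."), required: minimums[key] });
    }
  }
  return findings;
}

// Build the warning text the post asks for; a browser-side version would
// put these strings in an element styled in red.
function formatWarnings(findings) {
  return findings.map((f) =>
    `WARNING: ${f.name} version ${f.installed} is below the minimum ${f.required}; update it before browsing further.`);
}

console.log(formatWarnings(findOutdated(SAMPLE_PLUGINS)).join("\n"));
```

Running the block reports Flash (9.0.124 against a 10.0.12 minimum) and Acrobat (8.1.2 against 9.0.0); QuickTime passes and Java is untracked. Two practical points follow from the design: a tracked add-on that exposes no version string is reported as "unknown" rather than passed, and the same version strings this script reads are readable by any page, so the check belongs in the browser or its updater rather than in a site script, since an attacker's page can enumerate the same outdated add-ons.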
Monday, December 22, 2008