October 30, 2015 By David Strom 3 min read

With the latest release of Web browsers that include Microsoft’s Edge and new versions of Chrome and Firefox, software-makers are moving away from the older browser add-on architecture developed in the early days when Netscape walked among us. Back then, browsers were relatively simple pieces of software. While exploits such as JavaScript-based malware and phishing were first seen in the late 1990s, it took some time before they became popular attack vectors. During that time, developers wrote add-ons to provide extra functionality to these early browsers, but they sometimes added unwanted security vulnerabilities along with it.

A New Hope for the Browser Add-Ons

To stem the tide of security problems, browser-makers have had to toss aside the older browser add-on models and force the market to evolve. Windows 10 actually sports two different browsers: Microsoft has its new Edge browser, which doesn’t support any plugins whatsoever, and it includes a copy of Internet Explorer (IE) for those times when pages require the older architecture. This could be a nightmare for end users who get confused about which browser to run for their particular websites.

The current versions of both Google Chrome and Mozilla Firefox — versions 45 and 41, respectively — no longer support the older browser plugin standard called Netscape Plugin Application Programming Interface (NPAPI). This is mainly because of security issues, but also because these and other major browser-makers are incorporating technologies previously found in plugins into their main browser engines both to leverage performance and to make them more secure.

Browser add-ons had three major issues. First, they had access to the entire browser session, so they couldn’t be sandboxed and protected. Second, they represented large attack targets, since every user had the same version of Flash or Java. Third, they were less stable than the main browser code itself. As one post on How-To Geek stated, “Plugins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.”

Attack of the Browser Extensions

Note that while browser plugins are going away, browser extensions are still with us and are a completely different beast. Both Firefox and Chrome have thriving extension ecosystems that are used to add various functions and software integrations, and Internet Explorer has its own ecosystem called Browser Helper Objects (BHO). For example, there are integrations for popular cloud-based file repositories like Dropbox and Evernote that take the form of browser extensions, allowing users to move files quickly into a browser context.

Browser-makers are trying to bring some discipline to their extension partners. Some are starting to implement process isolation to better protect users, along with code signing policies. “The consequence of these changes is that existing add-ons will have to be reengineered and some may not make it through the approvals process, which will not please users who rely on rejected add-ons,” Mark Gibbs wrote in Network World.

Finally, some website operators are approaching the browser security issue by trying to prohibit Adobe Flash-based pages and advertisements. Amazon was the latest Internet conglomerate to make this move away from Flash Player. It isn’t exactly a new trend: Ever since Apple’s iPad came out with no Flash support, organizations (even Netflix, which has used Microsoft Silverlight up until now) have been trying to build websites with HTML v5 support.

But it is noteworthy that Flash still lingers on despite the numerous security challenges. Perhaps this year we will finally see HTML v5 take off for enterprise developers — the standards, tools and performance are all in place for this more secure version of HTML, as Al Hilwa wrote in the SD Times.


Revenge of the Security Professional

So how should enterprise developers and security managers handle these latest developments? First, if you have corporate Flash-based apps, now is the time to move them to HTML v5. Second, start looking at rigorous ways to screen and upgrade your browser population to the latest versions.

While the browser-makers seemingly release new versions weekly, at least make an attempt to bring your users to a version that is more recent. This will improve your security posture and, in the long run, could save you from potential exploits. You should also look at the new programming interfaces from Firefox and Chrome to see if they can be useful to your custom-built apps.
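One way to screen your browser population, as an added example that is not part of the original article: parse the User-Agent strings in Web server access logs and count requests from browsers below the versions the article names as the first NPAPI-free releases (Chrome 45, Firefox 41). The log lines, the baseline table and the helper names are constructed for this example; adjust the baseline to your own policy.

```python
import re
from collections import Counter

# Baseline majors taken from the article (first Chrome/Firefox releases without NPAPI).
MIN_VERSION = {"Chrome": 45, "Firefox": 41}
# Order matters: Edge UA strings also contain "Chrome/", so Edge is matched first.
UA_PATTERNS = [
    ("Edge", re.compile(r"Edge/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("IE", re.compile(r"MSIE (\d+)|Trident/.*rv:(\d+)")),
]
# Combined log format: client, request, status, size, referer, user agent (UA captured).
LOG_LINE = re.compile(r'^(\S+) .*?"[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"$')

def parse_browser(user_agent):
    """Return (family, major_version), or (None, None) for agents we do not recognise."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return family, int(next(g for g in m.groups() if g is not None))
    return None, None

def is_outdated(family, major):
    """True only for families with a baseline and a major version below it."""
    baseline = MIN_VERSION.get(family)
    return baseline is not None and major < baseline

def audit_access_log(lines):
    """Count requests from below-baseline browsers, keyed by (family, major)."""
    outdated = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        family, major = parse_browser(m.group(2))
        if is_outdated(family, major):
            outdated[(family, major)] += 1
    return outdated

# Constructed sample lines (not real traffic): Chrome 44, Firefox 41, Firefox 38, Edge 13.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"',
    '10.0.0.6 - - [30/Oct/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"',
    '10.0.0.7 - - [30/Oct/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '10.0.0.8 - - [30/Oct/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"',
]

if __name__ == "__main__":
    for (family, major), n in sorted(audit_access_log(SAMPLE_LOG).items()):
        print(f"{family} {major}: {n} request(s), baseline is {MIN_VERSION[family]}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the per-version counts tell you which user groups to upgrade first.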
