Security advisories have become commonplace these days, with criminals going to unprecedented lengths in order to steal data and infect computers. Often, this is done through browser plugins. As security has improved in operating systems, the lower layers have become harder for malware to attack. So instead, the bad guys are looking at other avenues, and the most common attack vector today is a browser plugin. The reason is simple — we all use them, and most of us don’t keep track of which add-ons we have installed. Worse, plenty of software out there adds its own plugins, and they can be difficult to get rid of.
Add-ons come in many types. Plugins are actual software programs on our computers that interface with the browser. This includes Flash and Java, which have a browser hook so that any web page can get access to the code on your machine. And then there are extensions, things that run inside of the browser’s environment, such as AdBlock and NoScript, basically anything you can get through the Mozilla extension library or the Chrome web marketplace. These extensions rarely have serious vulnerabilities in them because the attack surface is much lower. They simply do not have access to the underlying system, and even if a bug is found, the worst that can happen is something like cross-site scripting. This is still a serious issue, but it is harder to exploit and get useful data from you this way. Instead, we will focus more on the standard plugins, those that constantly seem to be getting hacked. Just recently, Twitter was suggesting that everyone disable Java in their browsers due to the unbelievable number of security holes it has had in the past years.
In order to see which plugins are installed in Internet Explorer, you can simply click on the gear icon on the toolbar and select Manage add-ons. This will bring you to the add-ons window where you can see a list of plugins. This list can be quite long and you may be surprised at some of the names that you will find. Fortunately, the list is sorted by company, so you can quickly see those that come from Microsoft and those made by some unknown entity. The main issue is that applications love to add plugins to your browser, which is why you need to go to this window on a regular basis. You can go through this list and see which ones you need and which you should disable. You don’t necessarily have to uninstall each software program that you don’t want to have access to your browser; simply disabling its plugin works.
The problem with having such a long list of plugins is that each of them is a direct link from any website to your computer. If any of them has a bug, then it is a potential security risk. In the case of Internet Explorer, its Achilles heel has long been ActiveX, the framework that allows software to hook into various components of the OS. The issue was that Internet Explorer allowed ActiveX controls to be embedded into web pages, which gave a huge open door to malicious sites. Fortunately, in recent versions, ActiveX has been sandboxed far more than before.
In the case of Firefox, you can access the list of plugins by going to Tools, Add-ons, and then selecting Plugins on the left side of the screen. Again, you will see a long list of plugins that were installed in your Firefox browser. This list is sorted alphabetically, and you can often see more information about a specific plugin by clicking the More link. From here you can enable and disable them as you need. A good way to judge which plugins to leave on is whether you need them on a regular basis. Flash is still used on many sites, and many people like to read PDF files in their browsers so you may see Adobe Reader, but there are often far more plugins than the ones you really need.
Mozilla also goes one step further and provides a free tool to check whether your plugins are up to date. If you click on the link that says Check to see if your plugins are up to date it will bring you to this page which checks the versions that you are running. If there is an update available, the page will tell you. This is a very nice and easy way to make sure all your updates have been done, and that you are secure.
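The check that page performs is essentially a version comparison of each installed plugin against the newest known release. The following is an added example, not Mozilla's code or anything from the original post, that does the same comparison over a constructed plugin inventory; both the installed versions and the "minimum current" table are placeholders, not real release numbers.

```python
import re

# Constructed inventory of the kind a browser's plugin page shows.
# Versions are placeholders, not actual release numbers.
INSTALLED_PLUGINS = {
    "Shockwave Flash": "11.5.502.135",
    "Java(TM) Platform SE 7 U9": "10.9.2.5",
    "Adobe Acrobat": "11.0.1",
    "Silverlight Plug-In": "5.1.10411.0",
}

# Constructed "minimum current" table standing in for the data a service
# such as Mozilla's plugin check consults. Placeholder versions.
MINIMUM_VERSIONS = {
    "Shockwave Flash": "11.5.502.149",
    "Java(TM) Platform SE 7 U9": "10.11.2.21",
    "Adobe Acrobat": "11.0.1",
}

def parse_version(text):
    """Turn '11.5.502.149' or '1.7.0_11' into a tuple of ints.
    Non-numeric chunks are ignored so a build tag does not break it."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def compare_versions(a, b):
    """-1 if a < b, 0 if equal, 1 if a > b. Shorter tuples are padded
    with zeros so '11.0' and '11.0.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

def audit_plugins(installed, minimums):
    """Return {name: status}, status being 'current', 'outdated' or
    'unknown'. 'unknown' means the table has no entry: check it by hand."""
    report = {}
    for name, version in installed.items():
        if name not in minimums:
            report[name] = "unknown"
        elif compare_versions(version, minimums[name]) < 0:
            report[name] = "outdated"
        else:
            report[name] = "current"
    return report

if __name__ == "__main__":
    for name, status in audit_plugins(INSTALLED_PLUGINS, MINIMUM_VERSIONS).items():
        print(f"{status:8} {name} {INSTALLED_PLUGINS[name]}")
```

Anything reported as unknown is worth treating with the same suspicion as an outdated entry, since a plugin nobody tracks is usually one nobody patches.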
While the extensions are easy to get to in Chrome, the plugins are hidden unbelievably deep in the interface. To get to them, you have to click on the menu icon, then select Settings, scroll to the bottom and click on Show advanced settings, then click on Content settings under Privacy, and then click on Disable individual plugins. Fortunately, there is a shortcut which is to simply type chrome://plugins in your URL bar. The screen will then show you a list of plugins that are installed in your Chrome browser. Again, you can disable individual plugins, and I highly suggest disabling the ones you do not need. While getting to this list is harder in Chrome, it does include a lot more details than the other browsers if you click on the Details link on the right, which will even tell you the filename of the plugin on your system.
Safari is a little trickier to check than other browsers. You have to navigate to the folder that holds the plugin (/Library/Internet Plug-Ins/) and there you can delete it from the folder. See the Apple support tip for Safari 6 here for more details. However, if you specifically want to disable the Java web plugin, you can go to Safari | Preferences and click on the Security tab. There, you can uncheck the box next to Enable Java.
Teach your users to be plugin-aware
The bottom line of plugin management is that this is the number one way that security holes get exploited on the web today, and as such it is incredibly important to stay on top of what plugins are installed. Any computer that gets infected is likely to have many more plugins, often referred to as browser hijackers, attempting to spam the user, display popups, send spam or even gather personal information. But even the well-known, trusted plugins like Adobe Flash or Java constantly get updated because new security holes have been found. So knowing which plugins are enabled in your browser and keeping them up to date is something that all users should be able to do.