Why Browser Extensions Are a Security Risk
Web browsers have become the center of our daily Internet universe. But browsers, by themselves, are often not powerful enough to do what people want them to do. Enter the world of plugins, add-ins or browser extensions. These small pieces of code let a browser do something the browser vendor did not design it to do.
One of the best-known browser plugins is Adobe Flash. Flash was invented years ago to handle video and to interact with the browser user in ways that were not possible at the time. Now, HTML5 does most of what Flash can do and does it much more securely.
But Flash has been the subject of so many security holes (see this post for June's bug patch fest: 36 in one month alone, and that was not unusual. In fact, we used to joke about the morning Flash patches followed by the evening Flash patches) that many people removed it from their browsers, and last month Adobe announced the long-awaited death of Flash, but not until the end of 2020.
But this post is not about Flash; it is about browser plugins in general.
This problem is the kissing cousin of installing "apps" on your phone or tablet. Both of them add security vulnerabilities to your computing environment.
In January Cisco revealed a security hole (see announcement) that would allow an attacker to use the Cisco Webex browser plugin to execute ANY ARBITRARY CODE of the attacker's choosing on the user's machine. Cisco released a patch in February for this hole.
Assuming that every single user who has installed the Webex extension in Chrome, Firefox or Internet Explorer (there are tens of millions of them) has patched it in each browser in which it is installed, then they are safe from this particular bug. But I am sure that there are a lot of people who have not installed the new version, or maybe don't even realize that they have the plugin installed.
Fast forward to July and Cisco revealed another security hole (see announcement) that allowed an attacker, drum roll please, to execute arbitrary code. Cisco says this one only affected Chrome and Firefox users, not Internet Explorer users. In August Cisco released another patch.
This post is not about beating up Cisco for poor software security design. It is about users understanding the security risks of installing software. Every time you install a piece of software, you add attack surface. If you don't patch each and every one of those plugins, you have made it easy for the bad guys.
So, there are two take-aways from this:
1a. Don’t install software, including browser plugins, unless you need them.
1b. If you don’t need the software anymore, uninstall it.
2. If you have the software installed, then make sure that you patch it regularly, including browser plugins.
Do you even know what browser plugins employees in your company may have installed?
Many companies have software that looks for security updates. The problem is that there are so many software products out there that no product provides 100% coverage. There are also products that do software asset tracking, but again, those don't provide 100% coverage either. This doesn't mean that these products are worthless. What it does mean is that they are not a silver bullet.
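A first step toward answering "what plugins are installed?" is to read what is already on disk. The script below is an added example, not code from the original post or from Cisco; it assumes the Chromium-style profile layout `<profile>/Extensions/<extension id>/<version>/manifest.json`, builds a constructed sample profile with made-up extension ids and names, lists every extension it finds, and flags any whose installed version is below a minimum you supply (for instance, the fixed version from a vendor advisory). It covers one browser family only, which is exactly the partial-coverage problem the paragraph above describes.

```python
"""Inventory browser extensions from a Chromium-style profile directory.

Added example (not the post's or any vendor's code). Assumes the layout
<profile>/Extensions/<id>/<version>/manifest.json. All ids, names and
version floors below are constructed for the demo, not real extensions.
"""
import json
import tempfile
from pathlib import Path


def parse_version(text):
    """Dotted version string -> tuple of ints for ordering.
    Non-numeric components count as 0 so a malformed version never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in str(text).split("."))


def inventory_extensions(profile_root):
    """Walk Extensions/<id>/<version>/manifest.json and return one record per
    installed extension version, sorted by id then version."""
    records = []
    ext_dir = Path(profile_root) / "Extensions"
    if not ext_dir.is_dir():
        return records
    for manifest in ext_dir.glob("*/*/manifest.json"):
        version_dir = manifest.parent
        record = {
            "id": version_dir.parent.name,
            "version": version_dir.name,
            "name": "<unreadable manifest>",
            "path": str(manifest),
        }
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            name = data.get("name", "<unnamed>")
            # "__MSG_x__" is a localisation key, not a display name; keep it but mark it
            if isinstance(name, str) and name.startswith("__MSG_"):
                name = name + " (localised key)"
            record["name"] = name
            # Prefer the manifest's own version field over the directory name
            record["version"] = str(data.get("version", record["version"]))
        except (OSError, ValueError):
            pass  # keep the placeholder name so a corrupt manifest still shows up
        records.append(record)
    return sorted(records, key=lambda r: (r["id"], parse_version(r["version"])))


def flag_below_minimum(records, minimum_versions):
    """Return records whose id has a known patched version (minimum_versions maps
    id -> version string) and whose installed version is older than it."""
    flagged = []
    for rec in records:
        floor = minimum_versions.get(rec["id"])
        if floor is not None and parse_version(rec["version"]) < parse_version(floor):
            flagged.append(rec)
    return flagged


def build_sample_profile(root):
    """Write a constructed profile under root. Ids and names are made up."""
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.3"): {"name": "Demo Meeting Helper", "version": "1.0.3", "manifest_version": 2},
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.4.0"): {"name": "__MSG_appName__", "version": "2.4.0", "manifest_version": 3},
    }
    for (ext_id, ver), manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A third extension with a corrupt manifest, to show it is still reported
    d = Path(root) / "Extensions" / "cccccccccccccccccccccccccccccccc" / "0.9"
    d.mkdir(parents=True)
    (d / "manifest.json").write_text("{not json", encoding="utf-8")


# Constructed "minimum patched version" table, the kind you would fill from advisories
MINIMUM_VERSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "1.0.5"}


def run_demo():
    """Build the sample profile, inventory it and return (records, flagged)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        records = inventory_extensions(root)
        flagged = flag_below_minimum(records, MINIMUM_VERSIONS)
        for rec in records:
            print(f"{rec['id']}  {rec['version']:>8}  {rec['name']}")
        return records, flagged


if __name__ == "__main__":
    recs, bad = run_demo()
    print(f"{len(recs)} extension(s) found, {len(bad)} below the patched version")
```

To use it on a real machine, call `inventory_extensions()` with the profile directory of each user and each Chromium-based browser, then merge the results with whatever your asset-tracking tool already reports; Firefox and Internet Explorer store extensions differently and need their own collectors, which is why no single inventory is ever complete.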
For personal users, the free products cover a very limited subset of the software out there, much less than the paid products.
Bottom line: see the two rules above.