The World Wide Web has become the main focus of computer use these days. One consequence is that more economic value is placed in it, which attracts more attacks. XSS, CSRF, RIF and so on: these are all terms used daily by the security research community. What I realized today (yes, I’m slow :)) is that these problems are amplified by every browser plugin out there (Flash, Java, QuickTime, etc.).
These plugins are deeply integrated into the browsers in both directions: browsers can instantiate plugin objects and set their parameters (either via HTML or via scripting), and in turn the plugins can set browser parameters (page location, manipulating the DOM, etc.). This means that vulnerabilities can exist inside the files destined for these plugins, and/or such files can be used to hide the exploitation.
This all hit me when I read XSS Vulnerabilities in Common Shockwave Flash Files. If the makers of the tools cannot be trusted to take security into consideration, how can the users of the tools be trusted to? And Flash is not the only target by a long shot (remember XSS via PDF? or via links in QuickTime MOV files?); it’s just the biggest one. According to a chart on Adobe’s site (so it is clearly biased, but it is the only one I could find), the most widely used browser plugins are the following:
- Adobe Flash Player
- Windows Media Player
- QuickTime player
- Adobe Shockwave player
- Real player
While some elements are missing from this list (like the browser integration of Adobe Acrobat Reader), it is probably the best target list for the coming year or so from a web application vulnerability point of view. To protect yourself, you should do the following:
- uninstall the plugins you don’t need or use (for example, I get by pretty well with Flash only)
- make sure that the plugins you keep are up to date. For Flash you can visit the About page to check that you have the latest version, and use the links there to update if you don’t
- use separate browsers for separate purposes (more on this to come)