Kicking Plugins to the Curb in the Name of Security



For many years, the web browser has been the most dangerous piece of software on a computer. Browsers have blindly trusted the content served to them by virtually any site, allowed users to be hit by all manner of malware and drive-by downloads, and generally been that friend you don’t want to follow down a sketchy side street.

That has begun to change in recent years as the browser makers realized that most users spend the vast majority of their days in one browser or another and the best way to protect them from attackers and themselves was to lock their software down. The change has taken various forms, with Microsoft adding anti-exploit technologies to Internet Explorer as attacks improved, Google and Mozilla following suit, and then expanding their protections over time. Modern browsers now include a variety of security defenses that users could only have dreamed of just five years ago.

Google has been at the forefront of this evolution, gradually removing unnecessary functionality and adding new protections as the threat landscape has changed. The company’s Safe Browsing API, which is used by the other major browser vendors as well, is the back-end system that feeds warnings to users about potentially harmful sites or malicious downloads. That system alone is responsible for protecting users from millions of potential threats every year. Google also has given users the option to disable most plugins by default and make them click-to-play. That means that users don’t get bombarded with Flash videos and other crap content.

And it also means that Flash-based threats and others that are based on abusing browser plugins are minimized, if not eliminated entirely. Google will take that one step further at the end of the year, when it switches to HTML5 video by default, taking Flash out of the equation. Now, Mozilla is on that same path, announcing that next month it will block a lot of Flash content on the web, a change that will improve security in a big way.

“Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness,” Benjamin Smedberg of Mozilla said in a blog post Wednesday.

The news will get even better by the end of 2016.

“In 2017, Firefox will require click-to-activate approval from users before a website activates the Flash plugin for any content. Websites that currently use Flash or Silverlight for video or games should plan on adopting HTML technologies as soon as possible. Firefox currently supports encrypted video playback using Adobe Primetime and Google Widevine as alternatives to plugin video,” Smedberg said.

These changes will look like minor cosmetic ones to most users, if they notice them at all. But they will go a long way toward protecting people against some of the more insidious and prevalent threats on the web right now. Sometimes it’s the small, behind-the-scenes improvements that can have the biggest effect on user security.

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.