Are Plug-Ins threatening your business' data?

Mon, Aug, 10, 2015 @ 16:08 PM


Technology Superstars Call for an End to the Plug-in Era

Last month, a clearly exasperated Alex Stamos, Facebook’s head security honcho, tweeted, “It is time for Adobe to announce the end-of-life date for Flash”. Soon after, Mozilla’s support chief Mark Schmidt tweeted that all versions of Flash had been turned off in Firefox, meaning that users would not be able to turn on the plug-in to access Flash content.

This swift excommunication of the plugin stemmed from the recent revelation that the spyware giant known as “The Hacking Team” had been using a vulnerability in Flash to remotely take over people’s computers and subsequently infect them with malware. This instance, however, is merely one mishap in a slew of plugin-related mishaps that have plagued users since Microsoft held a near monopoly on web browsers.

Therefore, it is no surprise that frustrated browser developers are stepping up their game in order to kick faulty plugins to the curb once and for all.




Why We Needed Plug-Ins in the First Place

Between 2001 and 2006, during the reign of Internet Explorer, browser development had more or less ground to a screeching halt, opening the door for plug-in developers to expand upon and fill holes in otherwise elementary web browsers. In 2005, Adobe acquired the company behind Flash, Macromedia, and introduced (the now much-maligned) Flash player for video playback and animations to a wider audience than ever before. In an effort to compete, Microsoft developed Silverlight and released it in 2007 to provide streaming media and animation support. 

In the very early days of web browsers, plug-ins were used in bare-bones browsers to add features that the browsers simply lacked. There was no built-in way for browsers to play videos, nor was there any web-wide standard for video playback. If you’ve been around long enough you may faintly remember being presented with a choice of using Windows Media Player, QuickTime, or RealPlayer to play videos during this ancient time.


Plug-ins, Cybersecurity and Compatibility

Before we go dousing our computers with holy water attempting to exorcise the demonic plug-ins within, it’s important to remember that plug-ins aren’t inherently bad, they’re just outdated and thus largely unnecessary—which can lead to security and compatibility issues (bad). Plug-ins are simply following the path of other ancient technology: they served their purpose gallantly and are now getting slowly phased out as newer, more secure methods are put into place. It’s all a part of the circle of IT life. The major issues that plug-ins raise are those of:

Security: Plug-ins are notorious for cybersecurity flaws, with Flash and Java being two of the main offenders. Flash and Java plug-ins are the same across all operating systems and browsers, meaning that an attack on the plug-in should work across every browser and operating system, affecting the maximum number of people possible. Furthermore, traditional browser plug-ins aren’t sandboxed. A hole in the plug-in can give access to an entire operating system.

Compatibility: Unlike the web, plug-ins don’t operate with open standards. Therefore, it’s impossible to have multiple implementations across varied platforms implemented by different people. Plug-ins are created by a single vendor, so there is a single implementation and it only runs on the vendor’s supported platforms. For example, want to play Flash games on your iPad—sorry, no can do—Adobe Flash doesn’t run on iOS. Furthermore, because Apple developers can’t write their own support for Flash, implementation would have to come solely from the plug-in developers themselves.

Stability: By now, plug-ins are infamous for crashes. In fact, they have been known to bring down entire web browsers. With no way to fix these crashes, and no other plug-in options besides the one installed, browser developers had to rely on the plug-in’s developers to fix the crashes and simply hope for the best.


Phasing out by Browsers

Rather than continue to wrestle with outdated, faulty plug-ins, browser developers have simply begun integrating the features of plug-ins into the browsers themselves, resulting in a more secure, powerful web.

For example, Chrome has permanently ended NPAPI (old plug-ins) support and Firefox is making it harder for plug-ins to work on their browser by no longer activating most plug-ins by default, instead letting people enable plug-ins on websites they visit. The Mozilla Security Blog even goes so far as to state, “We strongly encourage site authors to phase out their use of plugins. The power of the Web itself, especially with new technologies like emscripten and asm.js, makes plugins much less essential than they once were.”

Lastly, the new Microsoft Internet Explorer Edge does not support plug-ins at all: “The biggest change for developers coming with Microsoft Edge is that it will get rid of legacy browser technologies including ActiveX and Browser Helper Objects (BHO)” - Microsoft Dev Blog.
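For site authors acting on Mozilla's advice to phase out plug-ins, the first step is knowing which pages still embed them. The following is an added example, not code from any browser vendor or from the original article: a small Python audit that lists the Flash, Silverlight, Java and ActiveX embeds in a page. The function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# MIME types and file extensions of the plug-ins named in this article.
PLUGIN_TYPES = {
    "application/x-shockwave-flash": "Flash",
    "application/x-silverlight-2": "Silverlight",
    "application/x-java-applet": "Java",
}
PLUGIN_EXTENSIONS = {".swf": "Flash", ".xap": "Silverlight", ".jar": "Java", ".class": "Java"}

def classify(a):
    """Map <object>/<embed> attributes to a plug-in name; a bare classid means ActiveX."""
    mime = a.get("type", "").split(";")[0].strip()  # drop ";version=..." parameters
    if mime in PLUGIN_TYPES:
        return PLUGIN_TYPES[mime]
    url = (a.get("data") or a.get("src") or "").split("?")[0].split("#")[0]
    for ext, name in PLUGIN_EXTENSIONS.items():
        if url.endswith(ext):
            return name
    return "ActiveX control" if a.get("classid", "").startswith("clsid:") else None

class PluginAudit(HTMLParser):
    """Records (line, tag, plug-in) for each plug-in embed found in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("object", "embed", "applet"):
            return
        a = {k: (v or "").strip().lower() for k, v in attrs}
        plugin = "Java" if tag == "applet" else classify(a)
        if plugin:  # <object> also carries SVG and images, which need no plug-in
            self.findings.append((self.getpos()[0], tag, plugin))

def audit_html(html):
    """Return every plug-in embed in the given HTML text, in document order."""
    parser = PluginAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: three legacy embeds plus one harmless SVG <object>.
SAMPLE = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400">
  <embed src="intro.swf?v=2" type="application/x-shockwave-flash">
</object>
<object data="player.xap" type="application/x-silverlight-2"></object>
<applet code="Chart.class"></applet>
<object data="logo.svg" type="image/svg+xml"></object>"""
```

Running `audit_html` over each template or rendered page gives a line-by-line inventory of what has to be replaced with built-in browser features before plug-in support disappears.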


Ushering in New Technology

Currently we are in an age of rapid browser development and web standards. Many of the features plug-ins implemented in the past (drag and drop, rendering of 3D graphics, communicating with web sockets, playing music and video without Flash, etc.) are being introduced in the form of built-in browser features. HTML5 is shoving Flash out of the limelight as the preferred method of video playback, while Microsoft is ending development on Silverlight. Furthermore, thanks to WebGL, 3D graphics are now possible on web pages without the use of plug-ins.

And with that, the circle of IT life rolls on…

