
Kicking Plugins to the Curb in the Name of Security

by Dennis Fisher on Thursday October 13, 2016


For many years, the web browser has been the most dangerous piece of software on a computer. Browsers have blindly trusted the content served to them by virtually any site, allowed users to be hit by all manner of malware and drive-by downloads, and generally been that friend you don’t want to follow down a sketchy side street.

That has begun to change in recent years as the browser makers realized that most users spend the vast majority of their days in one browser or another and the best way to protect them from attackers and themselves was to lock their software down. The change has taken various forms, with Microsoft adding anti-exploit technologies to Internet Explorer as attacks improved, Google and Mozilla following suit, and then expanding their protections over time. Modern browsers now include a variety of security defenses that users could only have dreamed of just five years ago.

Google has been at the forefront of this evolution, gradually removing unnecessary functionality and adding new protections as the threat landscape has changed. The company’s Safe Browsing API, which is used by the other major browser vendors as well, is the back-end system that feeds warnings to users about potentially harmful sites or malicious downloads. That system alone is responsible for protecting users from millions of potential threats every year. Google has also given users the option to disable most plugins by default and make them click-to-play. That means that users don’t get bombarded with Flash videos and other crap content.

And it also means that Flash-based threats and others that are based on abusing browser plugins are minimized, if not eliminated entirely. Google will take that one step further at the end of the year, when it switches to HTML5 video by default, taking Flash out of the equation. Now, Mozilla is on that same path, announcing that next month it will block a lot of Flash content on the web, a change that will improve security in a big way.

“Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness,” Benjamin Smedberg of Mozilla said in a blog post Wednesday.

The news will get even better by the end of 2016.

“In 2017, Firefox will require click-to-activate approval from users before a website activates the Flash plugin for any content. Websites that currently use Flash or Silverlight for video or games should plan on adopting HTML technologies as soon as possible. Firefox currently supports encrypted video playback using Adobe Primetime and Google Widevine as alternatives to plugin video,” Smedberg said.

These changes will look like minor cosmetic ones to most users, if they notice them at all. But they will go a long way toward protecting people against some of the more insidious and prevalent threats on the web right now. Sometimes it’s the small, behind-the-scenes improvements that can have the biggest effect on user security.

Browser plugins image via Ampercent.

Tags:  Web Security
