Skip to content

Why are browser plug-ins so insecure?

by Brandon on August 9th, 2008

Flash and Java, I’m looking at you.

You may have heard about the paper released at this week’s Black Hat conference, describing limitations in Windows’ memory protection schemes like ASLR, DEP, etc.  The paper is well-written, very detailed, and I’ve no reason to doubt that it’s pretty accurate.  Some points it makes are things that teams at Microsoft are already aware of and working to remedy (such as DEP not being enabled for IE, for example). 

But reading the paper made it very clear that the most exploitable targets these days aren’t even web browsers, they’re plug-ins like Flash and Java.  The article points out how the Java run-time (“JVM”) was made DEP-compatible with the ingenious change to make all of the memory it allocates be marked as executable.  So yeah, it works with DEP by making DEP irrelevant.  Hilarious.  And sad.

Flash is still not ASLR or DEP compatible.  We’re rapidly approaching two years from the release of Vista.  They’ve had way longer than that to prepare to take advantage of these very helpful security features.  Yet here we are in August 2008 and the most prevalent and successful browser add-ins do virtually nothing to ensure that they aren’t abused by attackers.

Now, to be fair, the attackers also mention .NET as a possible attack vector.  In fact, what they describe is pretty clever.  But that’s the thing, at least they had to be clever.  With Flash and Java they don’t, as those add-ins make no attempt to be secure.  And if you want to make a bet about which of those three (Flash, JVM, .NET) has its issues fixed first, I know where I’m putting my money.

From → Uncategorized

3 Comments
  1. suc permalink

    to add ASLR in flash, just execute this command:
    link /edit /dynamicbase %windir%\System32\Macromed\Flash\Flash9*.ocx

  2. Bonjour

    Help please, je vais d’ici peu devoir faire une radio et ca va coûter beaucoup d’argent. Je cherche à bien être rembourser grâce à une mutuelle santé.

    Savez-vous où pouvons-nous trouver une mutuelle santé ? J’ai cherché sur cette mutuelle santé mais je ne sais pas quoi en penser.

    Merci pour votre aide

  3. Je recherche une bonne mutuelle santé. Connaissez vous un comparateur de mutuelles en ligne svp ?

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS