Why are browser plug-ins so insecure?
Flash and Java, I’m looking at you.
You may have heard about the paper released at this week’s Black Hat conference (Sotirov and Dowd’s “Bypassing Browser Memory Protections”), describing the limits of Windows’ memory protections like ASLR and DEP, and the ways a browser’s own features and add-ins can be used to get around them. The paper is well-written, very detailed, and I’ve no reason to doubt that it’s accurate. Some of the points it makes are things that teams at Microsoft are already aware of and working to remedy (Internet Explorer not opting in to DEP, for example).
But reading the paper made it very clear that the most exploitable targets these days aren’t even the web browsers themselves, they’re plug-ins like Flash and Java. The paper points out how the Java run-time (the JVM) was made “DEP-compatible” with one ingenious change: every page of memory it allocates is marked executable. Whatever an attacker can get written into the Java heap can then be run as code, no matter what DEP policy the browser process has. So yeah, it works with DEP by making DEP irrelevant. Hilarious. And sad.
Flash still doesn’t opt in to ASLR or DEP, so it loads at a predictable address in every process and gives the browser no assurance that it’s safe to turn DEP on. We’re rapidly approaching two years from the release of Vista, and Adobe has had even longer than that to prepare to take advantage of these very helpful security features (for a well-behaved module, opting in is a pair of linker switches). Yet here we are in August 2008 and the most prevalent and successful browser add-ins do virtually nothing to ensure that they aren’t abused by attackers.
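The opt-in I’m talking about is a pair of bits the linker records in each module’s PE header (/DYNAMICBASE for ASLR, /NXCOMPAT for DEP), so you can check any plug-in’s DLL or OCX yourself. The script below is an added example, not code from the paper or from any of the vendors; it reads the DllCharacteristics field and reports both bits. The PE images it checks when run without arguments are constructed in the script (minimal headers, not loadable modules) purely so it can be exercised without a real plug-in on disk. One caveat: whether DEP is actually enforced is decided per process (by the EXE’s own flag or SetProcessDEPPolicy); a DLL’s NX_COMPAT bit only records that the vendor declares the module safe to run with DEP on, which is exactly the assurance IE needs before it can turn DEP on for everyone.

```python
#!/usr/bin/env python3
"""Report whether a Windows PE module (DLL/OCX/EXE) opts in to ASLR and DEP.

The linker records /DYNAMICBASE and /NXCOMPAT in the DllCharacteristics
field of the optional header; this script reads that field directly.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: relocatable, i.e. ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT: declares itself DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset inside the optional header for PE32 and PE32+


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image; raise ValueError if it is not one."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4          # COFF file header follows the 4-byte signature
    opt = coff + 20              # optional header follows the 20-byte COFF header
    if opt + DLLCHARACTERISTICS_OFFSET + 2 > len(image):
        raise ValueError("PE header runs past end of file")
    if image[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional_header < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    (chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return chars


def hardening(image: bytes) -> dict:
    """Map the DllCharacteristics flags onto the two opt-ins discussed in the post."""
    chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(flags: int, pe32plus: bool = True) -> bytes:
    """Constructed fixture: a minimal, non-loadable PE header carrying the given flags.

    Exists only so the checker can be exercised without a real plug-in on disk.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symbol table, symbol count
                       opt_size,                       # SizeOfOptionalHeader
                       0x2002)                         # Characteristics: executable image, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> str:
    """One-line verdict for a module on disk."""
    with open(path, "rb") as f:
        h = hardening(f.read())
    return (f"{path}: ASLR {'opted in' if h['aslr'] else 'NOT opted in'}, "
            f"DEP {'opted in' if h['dep'] else 'NOT opted in'}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(report(p))
    else:
        # No file given: demonstrate on the constructed headers instead
        both = build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        neither = build_sample_pe(0)
        print("hardened sample:", hardening(both))
        print("plug-in that never opted in:", hardening(neither))
```

Point it at the plug-in’s DLL or OCX (`python3 pecheck.py path\to\plugin.ocx`) and you get a yes/no for each bit. A module that reports “NOT opted in” for ASLR will be mapped at its preferred base in every process, which is precisely the stable address an exploit writer wants.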
Now, to be fair, the paper’s authors also describe .NET as a possible attack vector: an attacker can get Internet Explorer to load a .NET DLL they wrote, which hands them a chunk of executable memory with contents they control. In fact, what they describe is pretty clever. But that’s the thing: at least they had to be clever. With Flash and Java they don’t, as those add-ins make no attempt to be secure. And if you want to make a bet about which of those three (Flash, JVM, .NET) has its issues fixed first, I know where I’m putting my money.