Critical security vulnerabilities in browser plugins have been widely reported in recent months. As soon as one has been found and patched, more are discovered. Zero-day Adobe Flash vulnerabilities (Shockwave Flash) have been some of the most publicized, due to the sheer volume discovered in 2015.
Earlier this year a number of companies pulled the plug on the Flash plugin, deeming it not to be worth the security risk. While it was once the most commonly used way of displaying videos and animations on webpages, the critical vulnerabilities that have been discovered have made it simply too risky to use. There have been many calls for Flash to be retired.
Google Chrome and Firefox stopped supporting Adobe Flash and many companies are moving over to HTML5 which offers the ability to display the same multimedia items without requiring a browser plugin to be used. One of the main problems with a plugin from a security perspective, is it will only be secure if the latest version is installed. Even then, as we have seen with the sheer number of security vulnerabilities found in Adobe Flash, the latest version many not be very secure at all.
If a user has not updated the plugin to the latest version, and an older version is still in use, criminals will be able to take advantage. A visitor to a website containing malware could result in the vulnerabilities being exploited. Exploit kits can be used by hackers to probe for security vulnerabilities in browsers to find out which software can be exploited. Other Adobe plugins can be exploited, such as PDF Reader.
Numerous critical security vulnerabilities in browser plugins discovered
It is not only Adobe plugins that are a problem of course, others company’s plugins also contain vulnerabilities that can be exploited. Even HTML5, which is seen by many as a more secure way of showing multimedia items on websites than Flash, is far from immune and also contains security vulnerabilities. No plugin is even required with HTML5.
In mid-October, Oracle released a security update for its Java software to deal with over twenty new security vulnerabilities that had been discovered. Oracle announced that an update was necessary on all computers as “all but one of those flaws may be remotely exploitable without authentication”. That means that a hacker could potentially exploit the vulnerabilities on any computer with an older version of Java installed, without the need to use a password.
Once critical security vulnerabilities in browser plugins have been announced and details of the flaws released online, the information is out there and available to hackers. Assuming hackers have not already discovered the vulnerabilities themselves.
A website link may not be as genuine as it appears (hovering your mouse arrow over it will not reveal a potentially malicious link!)
There are easy ways to check to see if a web link is legitimate or if the text has been changed so that it appears genuine. If you hover your mouse arrow over the link, the correct URL will be displayed. If end users get into the habit of checking every link before clicking, it will become second nature. Many phishing websites and other nasty web pages can thus be avoided.
Unfortunately, it is not always that simple. There are ways to make a URL appear genuine, even when the mouse arrow is used to check the link.
Some Japanese characters appear to be very similar to a forward slash, while certain Cyrillic characters are displayed as letters. This makes links appear genuine, and can be virtually impossible to spot. If one of these characters is present in a link and is displayed as a standard letter, the webpage could be a fake but would be indistinguishable from the genuine page.
An apparently genuine link could well be a link to a webpage containing malware. Many malicious websites can probe for critical security vulnerabilities in browser plugins.
These worrying issues were recently discussed at the SC Congress in New York, with Salesforce.com’s product security director Angelo Prado and senior product security engineer Xiaoran Wang demonstrating these and other worrying security flaws. They pointed out a particularly scary feature in HTML5 that allows a link to automatically download a file to a computer without the user being taken to the webpage used to host the file.
Protection is required and vigilance is key to avoid becoming a victim
The latest discoveries may make it exceptionally difficult to tell if a link is genuine. Even changing from the security flaw ridden Flash to HTML5 will not necessarily make the Internet a safer place. Fortunately, it is possible to take steps to ensure that end users are better protected, and stopped from visiting malicious websites. That said, it is essential that critical security vulnerabilities in browser plugins are addressed.
IT professionals should also install a web filtering solution such as WebTitan. Links can be blocked and users stopped in their tracks before they reach a malicious website. This type of protection is vital for businesses, schools, colleges and charities.
A visit to a malicious website can result in keyloggers being installed that can record and send passwords and login credentials to a hacker’s command and control center. Devices can become part of botnets and be used to send out huge volumes of spam emails, or computers could be hijacked and used for Bitcoin mining. Worse still, an infected computer, tablet, or Smartphone could be used to launch an attack on a corporate network.
It is also essential to be more security conscious. It may be difficult, or even impossible, to identify all online threats (and those delivered via email or social media networks), but many are obvious if you know what to look for. Staff training on security threats and online/email best practices must be provided if networks are to be kept secure.
It really does pay to take the advice offered by the FBI. Stop. Think. Connect. If in doubt. Do not connect. This should now be a common practice that is second nature. The current volume of data breaches now being reported suggest that for many employees it is not.