Most Web browser users have come to expect the convenience that browser extensions, plug-ins and browser helper objects provide.
Unfortunately, these add-ons -- which improve productivity by adding components to a browser's default functionality -- are prime targets for malicious attackers. Because enterprises are generally poor at patching and updating plug-ins and extensions, the browser has become the endpoint's softest target. The two- to three-month patch cycle that most organizations have for endpoint environments is simply not frequent enough to keep up with the exploit kits taking advantage of browser extension and plug-in vulnerabilities.
In this tip, we'll explore the growth of Web browser extensions -- in terms of both popularity and functionality -- as well as the threats inherent to the environment and how to mitigate them.
While many popular add-ons are developed by well-known vendors, anyone can write one, and this makes them a potential tool for delivering malware. In the past, malicious browser extensions have been used to carry out click fraud by inserting rogue advertisements into websites or hijacking search queries. For example, security researcher Zoltan Balazs developed a browser extension that is capable of modifying webpages, downloading and executing files, hijacking accounts and bypassing two-factor authentication. A browser infected with this extension can be controlled in the same way as a botnet client: The extension receives instructions and sends information back to the attacker. Because this data appears to be normal HTTP traffic initiated by the browser, it's hard for local or network firewalls to spot and block it.
Browsers aim to provide some user control over extension permissions, but often suffer from coarse-grained access controls and insufficient user awareness of the dangers of granting permissions to various add-ons. Never assume that an add-on is safe just because it's hosted on one of the official extension galleries either. Though most add-ons are reviewed prior to being listed, malicious extensions that violate browser developer program policies are not uncommon. Apple Safari extensions submitted to the Apple Extension gallery are actually hosted at an external location, while Mozilla Firefox allows the installation of extensions from third-party websites.
When reviewing which extensions to allow in your enterprise, always keep in mind the type of resources the extension can access and where it sends data. Although Google Chrome extensions are given a risk rating by the company, and just recently Google announced it would tighten restrictions so that Windows-based extensions can only be added via the Chrome Web store, administrators should complete their own assessment. Treat with extreme caution any extensions that do any of the following:
- Interact with local files
- Interact with the Windows Registry
- Interact with cookies
- Access any browser tab or window
- Execute commands in the user's shell
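One way to turn the warning signs above into a repeatable check is to inspect each extension's manifest before it is approved. The script below is an added example, not code from the article: it maps the listed capabilities onto the Chrome permission and host-pattern names that grant them (that mapping is an assumption made here, not a vendor risk rating) and flags the ones an administrator should look at. The two manifests are constructed samples.

```python
"""Flag high-risk capabilities declared in a Chrome extension manifest.

Added example (not from the article). The permission-to-risk mapping below
is an assumption: it associates Chrome permission names with the categories
the article says deserve extreme caution. Sample manifests are constructed.
"""
import json

# Chrome permission name -> why it matters (assumed mapping to the article's list).
HIGH_RISK_PERMISSIONS = {
    "nativeMessaging": "talks to a native host, i.e. code running outside the browser sandbox",
    "debugger": "attaches to any tab and can drive it",
    "tabs": "enumerates and reads URLs of every open tab/window",
    "cookies": "reads and writes cookies for permitted hosts",
    "webRequest": "observes or rewrites requests to permitted hosts",
    "downloads": "writes files into the local file system",
    "history": "reads browsing history",
    "management": "can disable other (security) extensions",
    "proxy": "redirects all browser traffic",
}

# Host patterns that amount to "every site" (or the local disk).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CRITICAL = {"nativeMessaging", "debugger", "proxy"}


def load_manifest(text):
    """Parse manifest.json text into a dict."""
    return json.loads(text)


def assess_manifest(manifest):
    """Return a list of human-readable findings for the manifest."""
    findings = []
    hosts = list(manifest.get("host_permissions", []))  # Manifest V3 location
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")
        elif "://" in perm or perm == "<all_urls>":
            hosts.append(perm)  # Manifest V2 mixes host patterns into 'permissions'
    for host in hosts:
        if host in BROAD_HOSTS:
            findings.append(f"host pattern '{host}': can read and modify every page")
        elif host.startswith("file://"):
            findings.append(f"host pattern '{host}': can read local files opened in the browser")
    # A content script injected into every URL is as powerful as a broad host permission.
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if match in BROAD_HOSTS:
                findings.append(f"content script on '{match}': runs code in every page")
    return findings


def risk_level(manifest):
    """'high' if a critical permission or every-site access is present, 'medium' if any
    finding exists, otherwise 'low'."""
    findings = assess_manifest(manifest)
    if not findings:
        return "low"
    perms = set(manifest.get("permissions", []))
    if perms & CRITICAL or any("every page" in f for f in findings):
        return "high"
    return "medium"


# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = """{
  "manifest_version": 3, "name": "Sample Notes", "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example.com/*"]
}"""

RISKY_MANIFEST = """{
  "manifest_version": 3, "name": "Sample Helper", "version": "2.1",
  "permissions": ["tabs", "cookies", "nativeMessaging", "storage"],
  "host_permissions": ["<all_urls>"]
}"""

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, RISKY_MANIFEST):
        m = load_manifest(text)
        print(m["name"], "->", risk_level(m))
        for finding in assess_manifest(m):
            print("  -", finding)
```

Run it against the unpacked extension's manifest.json before adding the extension to an allow list; anything rated high should go through the business-case and risk-assessment step the article describes rather than being approved on the strength of its store listing.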
Sandboxed plug-ins should always be preferred over non-sandboxed plug-ins, as the latter run under the privilege level of the user and may have access to resources such as the file system or network. Any extension or plug-in that demands highly privileged access should only be allowed in the enterprise if a strong business case and risk assessment deem it absolutely necessary.
The auto-update option should always be turned on for browsers, but know that not all plug-ins will be updated automatically. For example, Chrome will automatically update the Adobe Flash plug-in, but most others must be updated by running the associated product's installer. Disabling the running of plug-ins that are outdated is recommended and will help ensure that enterprise patching strategies include browser extensions and plug-ins. Organizations may consider implementing an audit tool, such as the Secunia CSI 7.0 or Qualys BrowserCheck, which are able to scan common browser plug-ins and determine whether they need updating.
Meanwhile, many browser vendors are trying to improve the security of add-ons. Chrome no longer allows silent extension installs. This is similar to Internet Explorer's Protected Mode and Firefox's add-on control, which also do not allow silent extension installations. In Active Directory environments, Group Policy provides a comprehensive set of settings to manage Windows Internet Explorer 8, including the ability to enable or disable ActiveX controls and restrict which add-ons may be installed or run. FirefoxADM is also able to generate Security Group Policy Objects (GPO) to manage security settings. Although Chrome has security templates, a GPO must be created manually to deploy to a Windows Domain.
To successfully mitigate their many risks, blacklisting all plug-ins and then selectively whitelisting necessary ones is the recommended approach. Organizations that need to reduce their risk profile should also consider eliminating the most widely attacked plug-ins altogether and -- unless there is a pressing need for that business application -- uninstall them completely from all computers. As the most widely targeted plug-in, Java should be considered for this. The second most frequently targeted application for exploitation is Adobe Reader. Organizations may consider testing alternatives such as Mozilla's PDF viewer integrated within Firefox to replace Adobe's version.
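The "blacklist everything, then whitelist what is needed" approach maps directly onto Chrome's extension install policies, which on a Windows domain are delivered as registry values under the Chrome policy key. The script below is an added example, not from the article or from Google: it validates a list of approved extension IDs and emits a .reg fragment that blocks all extensions and allows only those IDs. The policy names are the ones current Chrome releases read (older releases spell them ExtensionInstallBlacklist and ExtensionInstallWhitelist); the two IDs are placeholders, not real extensions.

```python
"""Emit a .reg fragment enforcing Chrome's default-deny extension policy.

Added example (not from the article). Assumptions: the policy value names
ExtensionInstallBlocklist / ExtensionInstallAllowlist used by current Chrome
releases, and placeholder extension IDs. Chrome reads list policies from the
registry as numbered REG_SZ values "1", "2", ... under the policy subkey.
"""
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
# Chrome Web Store extension IDs are 32 characters from the alphabet a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def validate_ids(ids):
    """Reject malformed IDs and drop duplicates, preserving order."""
    bad = [i for i in ids if not EXTENSION_ID.match(i)]
    if bad:
        raise ValueError(f"invalid extension id(s): {bad}")
    seen, clean = set(), []
    for i in ids:
        if i not in seen:
            seen.add(i)
            clean.append(i)
    return clean


def build_policy_reg(allowed_ids):
    """Return .reg text: block '*' and allow only the given IDs."""
    ids = validate_ids(allowed_ids)
    lines = ["Windows Registry Editor Version 5.00", ""]
    # Default deny: a single "*" entry blocks every extension not explicitly allowed.
    lines.append(f"[{POLICY_ROOT}\\ExtensionInstallBlocklist]")
    lines.append('"1"="*"')
    lines.append("")
    # Allow list entries take precedence over the block list.
    lines.append(f"[{POLICY_ROOT}\\ExtensionInstallAllowlist]")
    for n, ext_id in enumerate(ids, start=1):
        lines.append(f'"{n}"="{ext_id}"')
    lines.append("")
    return "\n".join(lines) + "\n"


# Placeholder IDs (constructed; not real extensions).
APPROVED = [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "abcdefghijklmnopabcdefghijklmnop",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # duplicate, removed by validate_ids
]

if __name__ == "__main__":
    print(build_policy_reg(APPROVED), end="")
```

Import the generated file into a GPO's registry preferences (or apply it with reg.exe on a test machine first) and confirm the result on chrome://policy, which shows whether each policy was read and whether its value was rejected. Keeping the approved ID list in version control gives the risk-assessment step a reviewable artefact.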
The risks of browser extensions are quite real. Enterprises and end users alike need to take these threats quite seriously. Security awareness training must stress that an extension can potentially access everything in the browser -- all data, passwords and sites visited. It should also note that users should never install unknown extensions -- allowing uncontrolled installation of arbitrary plug-ins will increase a network's overall attack surface and leave users and networks open to infection and data loss.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).