Linked by Kroc Camen on Sat 17th Oct 2009 05:27 UTC
Microsoft Whilst it's not okay in Microsoft's eyes for Google to install a plugin into Internet Explorer, increasing the potential surface area of attack, when Microsoft do it to Firefox, it's a different matter. Now a security hole has been found in a plugin that Microsoft have been silently installing into Firefox.
Permalink for comment 389775
To read all comments associated with this story, please click here.
RE[2]: Opt-in
by Kroc on Sat 17th Oct 2009 10:32 UTC in reply to "RE: Opt-in"
Member since:

Plugins are native code, there's no auditing that can really be done other than by your AV spotting this behaviour. The plugin interface just provides a means for the native code to load and to paint back to the browser.

Chrome and Safari on Snow Leopard place plugins on their own thread and in a sandboxed environment, which helps; but ultimately the whole nature of plugins is completely flawed and unsafe from the get-go.

Mozilla also can't outright block these things from being installed because the OS vetos the browser. Id est, any software running on the computer can manipulate any aspect of the browser to fool it into accepting a plugin, circumventing any protection Mozilla put in place.

That said, I feel Mozilla should take a firm stance and beef up how they handle plugins and things installing into the browser so that the user has complete control. They need to make managing plugins as easy as extensions.

Reply Parent Score: 2