Introduction

With web content becoming ever more dynamic with images and sounds everywhere, it’s now necessary for even casual users to be aware of Plug-in helper applications, and how they work. These applications are usually started by your web browser automatically and normally only help users visualize unique and engaging content. But as the sophistication of hacker groups continues to grow, the dark side to Plug-in use becomes more threatening. As web Browsers inherently trust such Plug-ins, this opens an unguarded backdoor for unintended remote execution of malware.

Cyber Defense and Plug-ins

In web based computing, a plug-in (or add-on) is a software program that enables the Web Browser or other media program to play specific content. Common examples are the plug-ins used in web browsers to add new web content capability. Such capability can be search engine assist, language translation, virus scanners, or video media streaming. The most common browser plug-ins are Adobe Acrobat, Adobe Flash Player, QuickTime Player, and Java plug-in. These are at times installed by default within browsers or other media programs.

But Plug-ins have a major drawback: they execute with the browser’s own execution permissions, and if on a user PC, can be used to execute arbitrary software. This execution capability can be exploited via a software flaw in the plug-in to cause malware and viruses to infect user systems. Many system administrators by default are disabling plug-ins from running on critical servers and systems to prevent disruption to critical IT services. Some security professionals are even going so far as to disable ALL plug-in execution from User systems, just to be safe.

Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising

Why Hackers target Plug-ins – The software execution backdoor that is unguarded

Once while talking with a security expert who tended to at least be a GrayHat (if not full BlackHat hacker at times), I asked what avenue he would recommend to exploit Microsoft Windows. He said something that has stayed with me to this day.

"Don't Hack Windows, Hack the Programs Windows Trusts."

His point was that in many cases Windows has a limited area of vulnerability. But there is an unlimited number of helper applications that have control over media output, computer displays and memory spaces to run their special routines. These applications (assuming that they are installed in a high percentage of Windows PCs) are a fertile ground for zero day exploits that tend to have a long shelf life.

Just a casual examination of the Zero Day patch reports from the biggest player in the Plug-in software market is Adobe. In 2015 alone, Adobe reported 13 (yes, 13!!!) zero day critical vulnerabilities in the Adobe Flash Player Plug-in. In the first three months of 2016, Adobe has reported an additional 3 Critical Adobe Flash critical flaws. Couple this high zero day flaw rate with Malvertising techniques and you have all the makings of serious compromise to an Industrial Company’s networks.

Malvertising is the use of online advertising to spread malware

Becoming More Secure – Basic Plug-in Security

Obviously most, if not All Plug-ins should be disabled on critical networks like Industrial Control networks. Many security professionals in Government and Military networks currently remove all Adobe and Apple plug-ins to prevent arbitrary execution.

It is now getting to the point that the threat of zero days in Adobe Flash Player coupled with Malvertising campaigns are serious enough to use draconian measures to prevent system compromise. Measures that include disablement of All plug-in execution on even User PC systems.

In Internet Explorer (IE) 11, a user can simply select Tools Menu – Manage Add-ons to enable/disable the browser’s use of Plug-ins. It is strongly recommended that users do so at least for Adobe Flash (NOTE: In IE you will need to select All Add-ons and the Flash player is called “Shockwave Flash Object”). 

Plug-in Disablement and Next Steps

One of the side benefits of Plug-in disablement is the faster loading of web pages. In particular disabling Adobe Flash yields a marked improvement on getting to textual content faster on the internet. The speed is SO LARGE that it makes one wonder just “what” the plug-ins were running in the background while a web page was loading so slowly before disabling!

Another thing to consider is utilizing a scanning tool like the free version of Malwarebytes to make sure that no Malvertising / Plug-in threat has previously compromised your system. (And it is strongly recommended, that if you are on a corporate owned PC or IT System, get permission from your organizations IT Professionals BEFORE you install Malwarebytes on your own).

Summary

In general, outside of critical IT systems a Plug-in vulnerability at worst can lead to Cryptographic Ransomware attack, turn a PC into a member of a Botnet or perhaps enable financial fraud. 

Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction

A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another. (C&C might be built into the botnet as P2P.) They have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation

While these are serious at a local level, these types of Plug-in attacks are not the targeted attacks used typically to gain corporate level compromise. Usually Plug-in attacks are mass produced to gain compromise of home user PC systems. But one never knows if a particular Plug-in zero day creator may have a way to track down compromises to specific companies or industries, and target them. Cyber Defensive vigilance in the face of an ever changing Cyber security landscape is always recommended at home and at work.

If you enjoyed this article, read Jeff's previous article SecureIT - Who left the Backdoor Open?

Do you have any questions or comments? Send us an email or leave a comment below!