As Plug-ins Disappear, Browsers Gain Security, Lose Functionality
With the model that exists today with Flash, the likes of Microsoft and Google take a more pragmatic approach, Budd said. "Yes, it's their problem, but we are taking some responsibility for it as well," he said.
Limited Functionality?
Yet, eliminating plug-ins is not without its drawbacks. While functionality is now increasingly available as native features of browsers that support HTML5, popular capabilities provided by plug-ins will no longer be supported. Google, for example, no longer supports Microsoft's Silverlight, Oracle's Java and Facebook's plug-in. Developers who offer games on the Unity 3D plug-in platform will have to move to supporting WebGL technology on HTML5. Many already have, according to Google, which found that browsers that called the Unity plug-in had fallen from 9 percent in 2013 to less than 2 percent in late 2014.
Oracle warned that users who want to launch Java functionality from the browser will have to use Java Web Start, which calls out to the Java runtime environment from the browser.
The approach may not be more secure. Even though it separates Java from the browser, it still allows Java to be exploited through the browser, said Mozilla's Veditz. "Because Java Web Start applications have to be downloaded first, that protects many users who would only install such applications from trusted sites, rather than automatically running any arbitrary plug-in code they encounter on any page," he said. "Beyond that, Java is Java. If the exploit is based on a flaw in the core Java engine, then both would be vulnerable once an attacker can get their malicious code to run."
The popularity of Adobe's Flash, however, has resulted in every major browser incorporating Flash functionality into their code. Yet, building in Adobe Flash means that browser makers are taking responsibility for keeping the Flash code up to date, says Trend's Budd.
"With Flash as part of Internet Explorer or Flash as part of Chrome, the browser vendor is willingly taking on more responsibility for that codebase from a security point of view and servicing point of view," he said.
Taking responsibility for Flash, for example, means blocking older versions that are regularly abused by exploit kits or pushing out a quick patch when a zero-day attack is identified, Mozilla's Veditz said. Yet, he adds that even Adobe Flash's days are numbered.
"We do allow up-to-date Flash because users demand it—too many sites don't function correctly without it," he said. "We are working with major sites to help them transition to Web technologies and reduce the use of Flash on the Web to the point where we can block it by default like other plug-ins."
"As browsers evolve, many users still need to continue to run these applications," the company said in a blog post. "Since Java Web Start applications can be launched independently of a browser, as they don't rely on a browser plugin, in many cases they can provide a migration path from Java Applets."