As Plug-ins Disappear, Browsers Gain Security, Lose Functionality

Oracle's Java plug-in is the latest to fall, as browser developers look to simplify their code bases to improve security.


In late January, Oracle announced that the company would stop supporting its ubiquitous Java plug-in, which would be, in developer terminology, "deprecated" in the next version of the Java software development kit, slated for release in 2017.

The announcement comes not as a surprise but as recognition of a trend among browser developers toward removing the ability of third parties to add code, and with it potential security flaws, to their software and to users' systems. Attackers have long exploited vulnerabilities in the two most popular plug-ins, Java and Adobe's Flash, packaging those exploits into the commodity hacking tools known as exploit kits.

"With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options," Oracle stated in its Jan. 27 announcement.

For two decades, browsers have supported plug-ins through a standard application programming interface, the Netscape Plugin API, or NPAPI. Plug-ins let developers extend what a browser could do: video streaming, interactive content and games all started life as plug-ins.

Yet bugs in that third-party code, combined with the inconsistent patching of plug-ins by both their developers and end users, have left many systems open to attack. Browser makers took the first steps to exorcise plug-ins from their software in 2013, when Google and then Mozilla began phasing out NPAPI support.

"There will be an immediate benefit in terms of security from closing off access," Christopher Budd, global threat communications manager for security firm Trend Micro, told eWEEK. "But if you take a step back, removing plug-ins is a huge thing in terms of the history of the Internet. This amounts to the era of infinite extensibility for the Web coming to a close."

The main argument against plug-ins is that they let unvetted code undermine the security of the browser. Each additional extension means another set of developers and another code base that the user has to keep track of and keep patched.

Users not only have to keep their browser updated but also have to trust that the plug-in developers are properly securing their code, Daniel Veditz, principal security engineer at Mozilla, told eWEEK in an email interview. In 2013, Mozilla shipped a Firefox update that made activating most plug-ins a manual, click-to-play step rather than something that happened automatically when a page loaded.

"The biggest risk to users is using out-of-date software and as a class, plug-ins have a terrible track record for quickly updating with security fixes—or updating at all," Veditz said. "Users are safer if their exposure to potentially harmful Internet content is limited to a modern browser that focuses on user security and aggressively auto-updates."

In the past, the third-party nature of plug-ins led browser makers to regard the add-on software as not their responsibility, said Trend Micro's Budd, who used to work at Microsoft.

"When I was at Microsoft, when we looked at Java or Adobe, it was a completely different program, totally separate from what we were doing. So it was their thing to take care of and not ours to worry about," he said.

Robert Lemos