In late January, Oracle announced that the company would stop supporting its ubiquitous Java plug-in, which would be, in developer terminology, “deprecated” in the next version of the Java software development kit, slated for release in 2017.
The announcement comes not as a surprise but a recognition of a trend among browser developers toward removing the ability of third parties to add code—and potentially security flaws—to their software and users’ systems. Attackers have often exploited vulnerabilities in the two most popular plug-ins—Java and Adobe’s Flash—building attacks into popular hacking tools known as exploit kits.
“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options,” Oracle stated in its Jan. 27 announcement.
For two decades, browsers have supported the addition of plug-ins through the use of a standard application programming interface, known as the Netscape Plugin API, or NPAPI. The ability to add plug-ins allowed developers to boost the functionality and interactivity of browsers. Video streaming, interactivity and games all started as plug-ins.
Yet, the hazards posed by bugs introduced by developers and the inconsistent updating of plug-ins by developers and end users leave many systems vulnerable to attack. Browser makers took the first steps to exorcise plug-ins from their software in 2013, when Google and then Mozilla started phasing out support.
“There will be an immediate benefit in terms of security from closing off access,” Christopher Budd, global threat communications manager for security firm Trend Micro, told eWEEK. “But if you take a step back, removing plug-ins is a huge thing in terms of the history of the Internet. This amounts to the era of infinite extensibility for the Web coming to a close.”
The major argument against plug-ins is that they allow unvetted code to affect the security of the browser. Each additional software extension requires the user to pay attention to another set of developers and their code bases.
Not only do users have to worry about updating their browser, but they have to worry about whether the developers are properly securing their code, Daniel Veditz, principal security engineer at Mozilla, told eWEEK in an email interview. In 2013, Mozilla issued an update to its browser to make the installation of plug-ins a manual procedure.
“The biggest risk to users is using out-of-date software and as a class, plug-ins have a terrible track record for quickly updating with security fixes—or updating at all,” Veditz said. “Users are safer if their exposure to potentially harmful Internet content is limited to a modern browser that focuses on user security and aggressively auto-updates.”
In the past, the third-party nature of plug-ins lured browser makers into thinking that the add-on software was not their responsibility, said Trend Micro’s Budd, who used to work at Microsoft.
“When I was at Microsoft, when we looked at Java or Adobe, it was a completely different program, totally separate from what we were doing. So it was their thing to take care of and not ours to worry about,” he said.
As Plug-ins Disappear, Browsers Gain Security, Lose Functionality
With the model that exists today with Flash, the likes of Microsoft and Google take a more pragmatic approach, Budd said. “Yes, it’s their problem, but we are taking some responsibility for it as well,” he said.
Yet, eliminating plug-ins is not without its drawbacks. While functionality is now increasingly available as native features of browsers that support HTML5, popular capabilities provided by plug-ins will no longer be supported. Google, for example, no longer supports Microsoft’s Silverlight, Oracle’s Java and Facebook’s plug-in. Developers who offer games on the Unity 3D plug-in platform will have to move to supporting WebGL technology on HTML5. Many already have, according to Google, which found that browsers that called the Unity plug-in had fallen from 9 percent in 2013 to less than 2 percent in late 2014.
Oracle warned that users who want to launch Java functionality from the browser will have to use Java Web Start, which calls out to the Java runtime environment from the browser.
“As browsers evolve, many users still need to continue to run these applications,” the company said in a blog post. “Since Java Web Start applications can be launched independently of a browser, as they don’t rely on a browser plugin, in many cases they can provide a migration path from Java Applets.”
The approach may not be more secure. Even though it separates Java from the browser, it stills allows Java to be exploited through the browser, said Mozilla’s Veditz.
“Because Java Web Start applications have to be downloaded first, that protects many users who would only install such applications from trusted sites, rather than automatically running any arbitrary plug-in code they encounter on any page,” he said. “Beyond that, Java is Java. If the exploit is based on a flaw in the core Java engine, then both would be vulnerable once an attacker can get their malicious code to run.”
The popularity of Adobe’s Flash, however, has resulted in every major browser incorporating Flash functionality into their code. Yet, building in Adobe Flash means that browser makers are taking responsibility for keeping the Flash code up to date, says Trend’s Budd.
“With Flash as part of Internet Explorer or Flash as part of Chrome, the browser vendor is willingly taking on more responsibility for that codebase from a security point of view and servicing point of view,” he said.
Taking responsibility for Flash, for example, means blocking older versions that are regularly abused by exploit kits or pushing out a quick patch when a zero-day attack is identified, Mozilla’s Veditz said. Yet, he adds that even Adobe Flash’s days are numbered.
“We do allow up-to-date Flash because users demand it—too many sites don’t function correctly without it,” he said. “We are working with major sites to help them transition to Web technologies and reduce the use of Flash on the Web to the point where we can block it by default like other plug-ins.”