This article is right on, there have been a massive number of quicktime exploits in the last two years (to pick just one example)... however, browser makers have a responsibility to work on deprivileging these things as well.

Please keep in mind: My remarks concerned where attackers have been focusing their attention, and not, as implied, who is to blame.

Internet Explorer 8 adds a number of defenses against buggy add-ons. Joining Vista IE7's Protected Mode and the IE7 "ActiveX Opt-in" feature are the new IE8 Per-site ActiveX feature and the fact that the browser (and by extension, the add-ons) now run with DEP/NX protection by default.

[**NOTE FROM SEAN** I included mention of the per-site ActiveX feature in this post too, but hey..I guess not everyone has read the whole post...**]

http://blogs.msdn.com/ie/archive/2008/08/29/trustworthy-browsing-with-ie8-summary.aspx is a good summary of the security work that's gone into the new IE8.

There's a simpler solution than bloating up these crappy addons with even more mechanisms to update them.... don't install or run them at all!

I do not install Flash, Adobe's Acrobat or Quicktime, and haven't for a very long time. Flash is used mainly for annoying adverts online, and is a direct threat to your privacy online (through their cookie-type system and propreitary software having access to your PC, including microphone and webcam!). Acrobat is bloated and horrifically slow even on the fastest computers, and the less said about Quicktime (and its forced bundling with Itunes - more DRM, great), the better!

There are extensions for the Mozilla family to make plugins optional (click to run), and even though I have this feature available via NoScript I still choose not to install any of the popular plugins. Infact, looking at about:plugins I only have Real Alternative installed. I went to the lengths of removing Windows Media Player from FF too, as the DRM in WMP is utterly offensive, and WMP does not have a good security track record. And the MS media formats also support some very annoying features that are aimed at businesses to use to ram ads or similar into users' faces (loading URLs at points during a clip, or even executing code!).

I can assure you that by not having flash you are not missing much. If I want to see a video off youtube I download it via keepvid.com and watch it in MPlayer/VLC. I use free software alternatives to Acrobat (which also tend to ignore the DRM-esque features in Adobe's implementation of a PDF viewer), and VLC or MPlayer tends to cope fine with any file that Apple would like you to play with their crap.

Great post! I actually sent my post to the MS IE8 team and got a less than positive response. (this post: http://interactiveasp.net/blogs/natesstuff/archive/2008/11/12/microsoft-please-do-not-release-ie8.aspx).

Whatever they try to do to prevent data execution it won't be enough. IMHO -- let IE fail. The ego-centric at MS seem to have a very skewed world view and are no longer capable of real innovation.

Long ago figured out that some addons are more vulnerable to security issues than others. I absolutely for a couple of reasons won't use the popular Adobe reader, don't have flash installed and refuse to do so, keep my plug in addons to only those few I can't live without, such as NoScript, and will absolutely not run IE.

Adobe products have far too many phone homes in them. Not to mention the security flaws.

I won't run flash because... I've had it with those flashy ads done in flash. Flash has become the new way to store cookies where you can't easily find and remove them in place of the browser cookies that everyone is aware of being part of datamining and most often delete. So if you have ever wondered why everyone is going to flash movies, it might give you a clue. Not only are they hard to find and have no provision for deletion without a special program, they are allowed bigger sizes so even more data can be stored to report on where you go, what you do, and what you favor. All of major interest to ad companies.

ActiveX has long been a popular part of the browser to hijack. Who runs ActiveX anymore? Most browsers that support ActiveX come with it off as the default setting. It's just too easy to get inside your OS through that method.

M$ didn't think browser security was that much of a problem that it might need reworking until Firefox started taking a chunk of it's market share. All of a sudden after 10 years, M$ decided maybe it should address some of those security holes before they lost the majority of the market share to Mozilla. Computer monoculture had by then been set up to be struck with a vengeance.

I have very little faith in M$ actually getting serious about security. They are earning money for computer OSes as well as business licenses. As long as money is flowing in from both ends of the stream, why should they close the gap that attracts many of the developer tool sales to do the work with to get into the datamining stream?

At the end of this, I am wondering just why I am still running M$ stuff and not on the Linux wagon.

Come on Eric, don't regurgitate stuff you heard from speakers at Hack In The Box 2008 and pass it off as your own. Be original.

Blaming the plugins is like blaming cats for stealing into houses and stealing food. Plugins are like cats, they are wild, and you should expect them not to behave. There is a simple solution that has been known since the early days of the browsers, and that is the concept of a sandbox. If the browser API that the plug-in can access, does not include disk access, or general memory access, or network access outside of the site they came from, then all plugins are harmless, as they unload from the computer the moment you leave the page. So yes, Microsoft is to blame for giving plugins the power of causing damage.

See:
http://en.wikipedia.org/wiki/Sandbox_(computer_security)

Two words for Microsoft's take: cow pie.

What other browser besides IE supported Browser Helper Objects (BHOs)? Or, as I like to call them, the Windows Malware Launch Vehicle. These insidious beasts were easy to hide and difficult for novices to disable.

Furthermore, they could install themselves -- with no user intervention -- under way too many scenarios.

For BHO's, lets remember that back in the '90's it was considered a "great feature" that IE could install add-ons without a restart, which was considered a "design flaw" in Netscape. Everybody loved it, though I continued to use Netscape because I didn't want stuff installing in my browser without some serious consideration.

So I don't see how Microsoft can blame add-ons, unless they consider ActiveX an add-on. Lots of folks are getting their systems infected without their knowledge using the security holes that were "designed in" to IE. I hate telling friends and family to "be careful" surfing and to tell them them need all kinds of protection software as a band-aid to keep them safe.

Don't think Apple is so safe either as Safari really doesn't have anything to stop active code from running in the browser without first asking a user's acceptance. Apple only has a temporary reprieve from the same serious issues as IE because malware writers go for the majority which is still Windows+IE.

Until something else comes along it will be Firefox+NoScript.