Over the last few months, I have been in a number of discussions with people regarding the security issues surrounding web browsers and other web-ish type clients. In all my discussions, we talk about the well-known problems with web applications: phishing, Cross Site Scripting, session stealing, plaintext communication, etc. We pontificate on the “real” risk associated with the different vectors and potential solutions. In almost all of these conversations, I bring up the lack of plug-in/add-on (plug-ins from now on) management, and my counterpart is stumped for a short while. Why is this?
Because most people just don’t do it, and there are few (any?) technical solutions to manage plug-ins at the enterprise level.

We all know that the vast majority of critical security issues in the “browser” space are related to plug-ins. We see new vulnerabilities released regularly regarding remote exploits of plug-ins, yet how many of those vulnerable systems get patched? I dare say, a small few. Because browsers are the universal client for distributed applications, and most browsers sit on corporate networks behind firewalls, they provide the perfect vector to bypass all that perimeter protection. All that is needed is a vulnerability, and vulnerable plug-ins (usually) provide that. As a matter of fact, in a recent project for a client, we did research on “remotely exploitable” browser-based vulnerabilities, and found that 90% of those were because of vulnerable plug-ins (i.e., Flash, Shockwave, JRE, etc.).

So, what is the missing link? It is the lack of enterprise-level plug-in management. Most companies are not doing it, and even the security-conscious companies are doing it ad hoc at best, so I ask why? I believe the answer is that there is NO software package that I know of that will perform enterprise-level plug-in management. If you are a patch management vendor, then there is an opportunity. If you have a current patch management system, encourage your vendor to integrate plug-in management into its solution.