Introduction
In several security articles we have discussed the fact that new media and communication devices are successful vehicles for malware propagation. See for example the article Facebook - an increasingly popular spreading vector for malware. This time we will examine a type of application, which has not been focused upon - (presumably) neither by the malware authors yet, nor by commentators.
Add-ons to applications
Definition and examples
The add-ons to applications are software that enhances the functionality to the application it supplements.
Add-ons are also often referred to at plug-ins, extensions, snap-ins etc. The point is that an add-on is not usually a stand-alone application, rather a piece of software that offers extra, special functionality to a host program.
The most typical hosts for add-ons are the different types of browsers. When you view a web page that uses a Flash element, this is visible in your browser if the browser is extended with a flash add-on. In a previous security article - Clickjacking - a new danger or an innovational new name? - we mentioned the add-on NoScript, which is a security add-on to some browsers.
The popular browser Firefox has a dedicated section on the Mozilla project's web site with thousands of add-ons.
Examples of other applications that may use add-ons are email clients and office applications like editors.
Exploiting Add-ons
There are at least two different methods for exploiting add-ons.
Malicious add-ons
The most obvious technique for a person with malicious intent is to create a malicious add-on. Such an add-on may masquerade as a useful, innocent program, but will also perform the malicious task that the programmer has instructed her program to do. In other words, the add-on is a trojan.
The problem with this approach - seen from the malicious person's point of view, is that she must trick users into installing the add-on. There are several options available for her to accomplish this, but unless she has developed an add-on that seems to be extremely useful, it is quite a challenge for her to get the add-on installed on a significant number of computers to fulfill her needs.
Thus, the creation of malicious add-ons does not seem like a good technique for spreading malware, except perhaps for targeted attacks. Even then other attack methods are probably to be preferred.
Utilizing vulnerabilities in add-ons
A much more tempting approach would be for the person with bad intent to look for vulnerabilities in existing, popular add-ons and exploit those. This would be similar to exploiting a vulnerability in any application.
The rational malicious person will normally target the most popular add-ons and attempt to exploit those. She will then have a big potential for successful propagation of her malware, as the number of vulnerable applications may be sufficiently big.
Recently we have seen that vulnerabilities in browser plug-ins used to view PDF format have been exploited. This may be seen as a typical example of this.
Another example is the issue where a plug-in to Internet Explorer enabled Google's browser Chrome to run inside Internet Explorer. It was claimed that this made browsing less secure as those who used such a setup exposed themselves to vulnerabilities in both Internet Explorer and Chrome. For more information about this, see for example this blog item from ZDNet.
Security in add-ons
One of the potential problems with add-ons is they may be developed by everyone. Security considerations may be less prioritized by the developers of the add-ons than the developers of the host application. That way an add-on may make the host application less secure by introducing new security holes.
Before you install add-ons to your applications, it is recommended that you check the developer of the add-on. Your goal is to determine if this is an organization/person that you trust in such a way that your system environments may not get less secure by installing the add-on.
