In several security articles we have discussed the fact that new media and communication devices are successful vehicles for malware propagation. See for example the article Facebook - an increasingly popular spreading vector for malware. This time we will examine a type of software that has so far (presumably) received little attention, from malware authors as well as from commentators.
Add-ons are pieces of software that extend the functionality of the application they supplement.
Add-ons are also often referred to as plug-ins, extensions, snap-ins etc. The point is that an add-on is not usually a stand-alone application, but rather a piece of software that offers extra, special functionality to a host program.
The most typical hosts for add-ons are the different types of browsers. When you view a web page that uses a Flash element, the element is visible in your browser only if the browser has been extended with a Flash add-on. In a previous security article - Clickjacking - a new danger or an innovational new name? - we mentioned the add-on NoScript, which is a security add-on for some browsers.
The popular browser Firefox has a dedicated section on the Mozilla project's web site with thousands of add-ons.
Examples of other applications that may use add-ons are email clients and office applications like editors.
There are at least two different methods for exploiting add-ons.

The most obvious technique for a person with malicious intent is to create a malicious add-on. Such an add-on may masquerade as a useful, innocent program, but will also perform the malicious task that the programmer has instructed her program to do. In other words, the add-on is a trojan.
The problem with this approach, seen from the malicious person's point of view, is that she must trick users into installing the add-on. There are several options available for her to accomplish this, but unless she has developed an add-on that seems extremely useful, it is quite a challenge for her to get the add-on installed on enough computers to fulfill her needs.
Thus, the creation of malicious add-ons does not seem like a good technique for spreading malware, except perhaps for targeted attacks. Even then, other attack methods are probably preferable.
A much more tempting approach would be for the person with bad intent to look for vulnerabilities in existing, popular add-ons and exploit those. This would be similar to exploiting a vulnerability in any application.
The rational malicious person will normally target the most popular add-ons and attempt to exploit those. She will then have a large potential for successful propagation of her malware, as the number of vulnerable installations may be sufficiently large.
Recently we have seen that vulnerabilities in browser plug-ins used to view PDF files have been exploited. This is a typical example of this second method.
Another example is the issue where a plug-in to Internet Explorer enabled Google's browser Chrome to run inside Internet Explorer. It was claimed that this made browsing less secure as those who used such a setup exposed themselves to vulnerabilities in both Internet Explorer and Chrome. For more information about this, see for example this blog item from ZDNet.
One of the potential problems with add-ons is that they may be developed by anyone. Add-on developers may give security a lower priority than the developers of the host application do. In that way an add-on may make the host application less secure by introducing new security holes.
Before you install add-ons to your applications, it is recommended that you check the developer of the add-on. Your goal is to determine whether the organization or person behind it is one you trust not to make your system environment less secure by installing the add-on.
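As an added illustration of this recommendation (example code, not part of the original article), the following Python audit walks an add-on inventory and flags enabled add-ons whose developer is not on a trusted list; it also goes slightly beyond the text by checking the install source and package signature. The inventory format, its field names, the sample entries and the trusted lists are all constructed assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample inventory; the field names are an assumption for this
# example, not a documented browser format.
SAMPLE_INVENTORY = json.dumps({"addons": [
    {"id": "noscript@example", "name": "NoScript", "creator": "NoScript Project",
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/noscript.xpi",
     "signed": True, "userDisabled": False},
    {"id": "helper@example", "name": "Free Video Helper", "creator": "Unknown Dev",
     "sourceURI": "http://downloads.example.net/helper.xpi",
     "signed": False, "userDisabled": False},
    {"id": "old@example", "name": "Old Toolbar", "creator": "Unknown Dev",
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/old.xpi",
     "signed": True, "userDisabled": True},
]})

# Constructed allowlists: developers you have decided to trust and the
# distribution hosts you accept add-ons from.
TRUSTED_DEVELOPERS = {"NoScript Project"}
TRUSTED_HOSTS = {"addons.mozilla.org"}


def audit_addons(inventory_json, trusted_devs, trusted_hosts):
    """Return (add-on id, reason) findings for every enabled add-on that fails a check."""
    findings = []
    for addon in json.loads(inventory_json)["addons"]:
        if addon.get("userDisabled"):
            continue  # a disabled add-on does not extend the host's attack surface
        reasons = []
        if addon.get("creator") not in trusted_devs:
            reasons.append("developer not on trusted list")
        src = urlparse(addon.get("sourceURI", ""))
        if src.hostname not in trusted_hosts or src.scheme != "https":
            reasons.append("not installed from a trusted HTTPS source")
        if not addon.get("signed"):
            reasons.append("unsigned package")
        findings.extend((addon["id"], reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for addon_id, reason in audit_addons(SAMPLE_INVENTORY, TRUSTED_DEVELOPERS, TRUSTED_HOSTS):
        print(f"{addon_id}: {reason}")
```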