Protect Yourself From Plugin Vulnerabilities

azdewars 362 Posts

Wed, Mar 30 2016 11:58 PM

How You Can Be Infected via Your Browser and How to Protect Yourself

Insecure Browser Plugins

• Use a website like Firefox’s plugin check to see if you have any out-of-date plugins. (This website was created by Mozilla, but it also works with Chrome and other browsers.)
  
• Update any out-of-date plugins immediately. Keep them updated by ensuring automatic updates are enabled for each plugin you have installed.
  
• Uninstall plugins you don’t use. If you don’t use the Java plugin, you shouldn’t have it installed. This helps reduce your “attack surface” – the amount of software your computer has available to be exploited.
  
• Consider using the click-to-play plugins feature in Chrome or Firefox, which prevents plugins from running except when you specifically request them.
  
• Ensure you’re using an antivirus on your computer. This is the last line of defense against a “zero-day” vulnerability (a new, unpatched vulnerability) in a plugin that allows an attacker to install malicious software on your machine.
  

Browser Security Holes

• Keep your web browser updated. All major browsers now check for updates automatically. Leave the auto-update feature enabled to stay protected. (Internet Explorer updates itself through Windows Update. If you use Internet Explorer, staying up-to-date on updates for Windows is extra important.)
  
• Ensure you’re running an antivirus on your computer. As with plugins, this is the last line of defense against a zero-day vulnerability in a browser that allows malware to get onto your computer.
  

Social-Engineering Tricks

• ActiveX Controls: Internet Explorer uses ActiveX controls for its browser plugins. Any website can prompt you to download an ActiveX control. This can be legitimate – for example, you might need to download the Flash player ActiveX control the first time you play a Flash video online. However, ActiveX controls are just like any other software on your system and have permission to leave the web browser and access the rest of your system. A malicious website pushing a dangerous ActiveX control may say the control is necessary to access some content, but it may actually exist to infect your computer. When in doubt, don’t agree to run an ActiveX control.
  

• Auto-Downloading Files: A malicious website may attempt to automatically download an EXE file or another type of dangerous file onto your computer in the hopes that you will run it. If you didn’t specifically request a download and don’t know what it is, don’t download a file that automatically pops up and asks you where to save it.
  
• Fake Download Links: On websites with bad ad networks – or websites where pirated content is found – you’ll often see advertisements imitating download buttons. These advertisements try to trick people into downloading something they’re not looking for by masquerading as a real download link. There’s a good chance links such as this one contain malware.
  

• “You Need a Plugin to Watch This Video”: If you stumble across a website that says you need to install a new browser plug-in or codec to play a video, beware. You may need a new browser plugin for some things – for example, you need Microsoft’s Silverlight plugin to play videos on Netflix – but if you’re on a less-reputable website that wants you to download and run an EXE file so you can play their videos, there’s a good chance they’re trying to infect your computer with malicious software.
  

• “Your Computer is Infected”: You may see advertisements saying your computer is infected and insisting you need to download an EXE file to clean things up. If you do download this EXE file and run it, your computer probably will be infected.