The age of plugin free browsers: A new age of exploitation

15 Jan 2013

For a long time, you could be fairly assured that every computer had a browser, Flash, a PDF reader, and Java installed. I believe we are rapidly approaching a day when our browsers are all plug-in free. This means a new direction for exploitation.

RIP: Flash

Apple refused to allow Flash on its iPhone and iPad (reasoning here), and this helped slowly kill Flash. One of the last hold-outs for Flash was video, but YouTube and Vimeo have supported HTML5 video playback since at least January 2010. I invite you to disable Flash in your browser, and see how little you are affected by it. Back in November 2011, Adobe announced they would stop supporting Flash for mobile browsers, which was the final nail in the coffin. You'll still see Flash being used around the web, but I think I can live without it. If it was a good enough cat video, someone would have made an HTML5 version of it.

RIP: PDF Readers

Adobe Reader was a pretty ubiquitous third-party app. Back when we used to install things via CD, it seemed like every CD came with a copy of an Adobe Reader installer. Now both Chrome (currently) and Firefox (soon) have their own built-in, non-Adobe, PDF readers. Soon, users likely won't even notice when they don't have a non-browser PDF reader. Even if they do install Adobe Reader, I think Chrome is moving in the direction of pushing it out of the browser entirely, with their stance of "No more silent extension installs".

RIP: Java

I think the recent Java issues exposed to a lot of people that we really don't have much of a need for Java. With Chrome and Firefox now making Java "Click-to-play", it might not be a nail in the coffin for Java in the browser, but it's a solid hit.

RIP: Anyone else?

I think it's safe to say Silverlight is also dead, as it doesn't work anywhere besides Windows, and even Microsoft's own Metro browser has disabled all plugins. Mobile platforms don't support browser plugins, and if a website can't be delivered to mobile, it is dying.

Conclusion

HTML5 is the future for browsers. I think the most compelling argument is from "The Security Practice" in their November 30, 2012 post In Defense of HTML5.

But what does this have to do with exploitation? When Windows XP SP2 came along in 2004, and enabled the Windows Firewall by default, it neutered an entire class of exploitation (service exploits), which had allowed for things like the Blaster and Sasser worms. This brought us into the age of client-side exploits. Some security professionals are recognizing that this age has likely come to an end. If users no longer have browser plug-ins, you can't exploit them through those plug-ins. Does this mean attacks directly on the browser, as was seen with the recent IE 8 CButton vulnerability? I don't know, but we're at a turning point.