Extensions are great, but not always secure. Learn from history.

Posted by: Seth Posted date:

by Matt Heller

I’m old enough to remember when ActiveX first ‘came on the scene,’ and it was transformative. To that point, we’d all used static content and simple hyperlinked pages. You could manage to fake some dynamic content if you knew what you were doing, but real interactivity and dynamic content wasn’t a reality. Yes, that’s a LONG time ago, especially in Internet years. After the euphoria of these new capabilities wore off, we began to see some downsides. At first, it was mostly network related stuff – I recall being asked by our network team why usages were rising in certain teams. It turns out. Active desktop and ActiveX were great ways to keep data flowing to the endpoints…even if the user wasn’t using those apps at the time. Remember this was a long time ago when networks were token ring and ethernet was 10MB if you were lucky. BIG Internet connections for business were T1 lines, so bandwidth consumption was a different concern than today.

Next came the serious security downside and as the old saying goes “with great power comes great responsibility.” It wasn’t long before people started to realize that binary extensibility could deliver pretty much limitless capabilities…which then opened up a considerable surface area for attack. ActiveX quickly got the reputation as a security hole, one that it’s struggled to shake since that time. Despite all the security additions and parameters setup around ActiveX, it’s arguably still a security risk.

However, ActiveX served an essential function in the historical record of the web. At a time when browsers were new, and ‘simple,’ ActiveX helped push beyond the limitations of HTML and browser functionality. ActiveX showed us that despite what features and capabilities that working groups and vendors could think up, there were always more ideas under the sun. The web needed a way to go beyond the known limitations and ActiveX was unfortunately not the design we could count on for the long term.

So then we had extensions…lightweight, easy to build, non-binary extensions that could deliver those ‘beyond the box’ experiences that developers and consumers wanted. Even if they didn’t know they wanted them yet, extensions provided a path to deliver them whenever the need arose. Being ‘non-binary’ code, they were inherently more secure and controllable than ActiveX, so the web was seeing a great advancement without the risk. I’ve long believed that extensions were much better than ActiveX from a code execution standpoint (apparently), but they represented a more subtle security threat, which I felt wasn’t getting proper attention. Unlike ActiveX which could be attacked from various sides and directly used for escalation of privilege attacks, extensions were bound under tighter controls, so they appeared to be secure.

However, think about what developers use extensions to accomplish:

·         Password manager

·         Shopping discounts

·         Developer page manipulation

·         Ad-blocking

Just to name a few.

These are GREAT experiences for end users. They deliver tons of value and make online experiences better. Take a second and think about what these extensions can do. They can read the page(s) users browse; they report back to identify specific targeted sites/content; they allow pages to be edited inline. Sure there are many well known and trustworthy extensions doing these essential jobs well and securely. However, we read about compromises every day. Well-known password manager databases have been compromised. Shopping discount engines aren’t immune to their bad news days as well. The examples go on and on. our friends over at just did a piece on the risks of even trusting a ‘trusted’ store for your extensions.

Don’t get me wrong; I’m not advocating people turn off extensions, I use a bunch myself. I’m just urging IT managers and CISOs to view extensions with a wary eye. Trust but verify. Most organizations have no idea what extensions are in their environment. Unlike ActiveX which registers to Windows, extensions don’t register in that way. ActiveX requires elevated privilege to install whereas any user can install extensions. Heck, even Chrome and Firefox can be installed without admin privilege or even run from a USB. Existing ITOM tools have no visibility into extensions. The idea that extensions run in the enterprise isn’t a concern, but not knowing which ones, where and by whom should be a concern. Extensions can directly or indirectly expose corporate data, so how can a CISO or CIO effectively sign compliance documents without an accurate and ongoing inventory?

Let’s learn from history and be sure to keep the “great power” under control with our “great responsibility” by keeping an eye on extensions.

  • Share:  

Recent Posts

ITOM for Browsers: Visibility, Security, Efficiency with Proton
Posted on: March 27, 2024
The Browser Blind Spot: Is Your IT Management Missing Critical Data?
Posted on: March 25, 2024
Enhancing Enterprise Efficiency with Advanced Browser Management Tools
Posted on: February 12, 2024

Blog Topics

ActiveX Advanced Solutions Application Modernization Application Sandboxing BCMS Upgrade Browser Compatibility Browser compatibility issues Browser Compatibility Testing Browser end of life (EOL) frustration Browser IT Management Browser Management Browser management solution Browser Management Tool Browser Performance Monitoring Browser Selection Automation Browser Telemetry Tool Browser-Based Applications Browsium Browsium Chrome Extension Browsium Extension Browsium Ion Browsium Proton Catalyst Centralize browser management Chrome Compatibility Compatibility Challenges Compatibility Layers Compatibility Strategies Compatibility Testing Cross-Browser Testing CVE-2021-44228 Deployment eBook Edge IE Edge IE Chrome Edge IE Mode Edge Legacy Edge Readiness Emulation Enterprise Browser Management Enterprise Browser Security Events Extensions File Swap Firefox Flash EOL Group Policy History Hotfix How-To IE 11 EOL IE End of Life IE EOL IE11 Internet Explorer End of Life Internet Explorer EOL Ion Ion v4.9.4 IT Business Strategy IT Challenges IT Landscape IT Solutions ITOM Java Java Applets Latest Version Legacy Application Compatibility Legacy Application Integration Legacy Application Regression Testing Legacy Application Strategies Legacy Applications Legacy Browser Applications Legacy Browser Compatibility Legacy Web Applications Log4shell Microsoft Cumulative Update Migration Mission-Critical Applications Modern IT Modernizing Legacy Applications Patch Tuesday Performance Preserving Legacy Applications Product Offerings Product Release Proton Remediation Sandboxing Legacy Applications Security Services Shadow IT Silent Heroes Silverlight Support Testing Modernized Applications Flash EOL Top News User Training Virtualization Web Application Compatibility Webinar Win10 Preview Release Windows 10 Windows 8 XP Usage Share

Request Demo

Internet Explorer End of Life problems?Learn More