Symantec Global Internet Security Threat Report
Web browser plug-in vulnerabilities
This metric will examine the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features. Often, these plug-ins allow additional multimedia content from Web pages to be rendered in the browser. They can also enable execution environments that allow applications to be run inside the browser. Browser plug-in vulnerabilities are also used in a range of client-side attacks. Many browsers include various plug-ins in their default installation and provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and some may even be required to effectively use the internal sites of enterprises.
The following plug-in technologies will be examined:
Adobe Flash Player
Mozilla Firefox extensions
Java Platform Standard Edition (Java SE)
In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.
It should be noted that, in 2009, some vulnerabilities fell into multiple categories. For example, the Java SE ActiveX vulnerability[96] counts in two categories, ActiveX and Java SE. This is because there is a version of Java SE that is implemented as an ActiveX control. Similarly, the Firefox plug-in for the Adobe Reader vulnerability[97] counts in both the Adobe Reader and Firefox extensions categories; this is because Adobe has released a version of Adobe Reader that is implemented as a plug-in for Firefox.