Definition
A plug-in is a “software program that extend[s] the capabilities of the . . . browser in a specific way — giving you, for example, the ability to play audio samples or view video movies from within your browser.”
Overview
Plug-ins are native code modules or scripts that work in conjunction with software applications to enhance their capabilities. Plug-ins are often added to Web browsers to enable them to support new types of content (e.g. additional audio or video formats). Plug-ins have also been devised for email clients and other desktop software. They can be downloaded from either the browser vendor's site or a third-party site.
Browsers typically prompt the user to download a new plug-in when a document requires functionality beyond the browser's current capabilities. Although plug-ins allow browsers to support new types of content and functionality, they are not active content in and of themselves, but simply executables that enable active content technologies. Windows Media Player, RealPlayer, QuickTime, Shockwave, and Flash are all examples of plug-ins that allow browsers to support new content types, such as audio, video, and interactive animation.
Security concerns
There are two security concerns with plug-ins: the behavior of active content processed by an installed plug-in, and the behavior of the plug-in executables themselves once they are downloaded and installed. Plug-ins can bypass a browser’s underlying security model. For instance, the Shockwave plug-in from Adobe provides the ability to render multimedia presentations (created in a compatible format) as they are downloaded. By design, Shockwave content supports the Lingo interpretative language as an aid to presentation development. Early versions of Lingo allowed the author to make local system calls based on the platform executing the content, potentially allowing malicious code to be downloaded as part of the presentation.
From a security standpoint, plug-ins are executable code, and precautions should be exercised in obtaining and installing them, as with any other software application. Downloading plug-ins directly from a reputable manufacturer is normally less risky than downloading them from other sources, but even in the first case, it is difficult for the user to be aware of the security implications. In the past, unwanted side effects such as changes to browser security settings and tracking of a user’s content preferences, albeit well intentioned, have occurred. Plug-ins designed to animate cursors or hyperlinks have also been designed to track user preferences and viewing habits across a particular website more accurately. Although these capabilities may improve the user's experience with a particular website, the privacy and security implications are often not readily disclosed.
Even if the site has a valid identity certificate associated with the signed downloaded code, that only tells the user that the manufacturer of the code has been verified by a certificate authority, not whether the code obtained from them will behave non-maliciously or correctly. Users of plug-ins should be cautioned to read the fine print before agreeing to download executables and to take adequate measures to back up the system in the event of problems.