NPAPI - Security

Security

On Microsoft Windows, a popular misconception concerning the NPAPI technology is that a plugin is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. If the host processes have the same privileges, a malicious plugin can do as much damage as a malicious ActiveX control. It is important to note that NPAPI plugins can be made much safer by simply running in a limited user account. It is generally possible to install and run plugins with a limited user, while installing ActiveX controls requires administrative privileges (prior to IE8) even when the ActiveX runs in a limited account. When running with limited privileges, a plugin cannot do as much damage.

One important difference between NPAPI and ActiveX is that NPAPI is solely for Internet plugins, while ActiveX is used for a wide variety of purposes, including application composition in windows applications. A typical Windows user has a vast array of ActiveX controls installed, a number of which are probably marked "safe for scripting", but are not actually secure. Any of these can be used as means to subvert the user's computer prior to the introduction of the ActiveX Opt-in feature in Internet Explorer 7.

Another difference for the NPAPI is that implementations (prior to Mozilla Firefox, see below) did not automatically download or install missing plugins. A missing plugin caused the browser to display a jigsaw piece representing the plugin. If the user clicked on that they were directed to Netscape's plugin finder service where they could manually download and install the plugin for themselves. While this is inconvenient to the user, it is also an important security measure since it prevented the content using the browser as a vector for malware.

In Internet Explorer, the HTML content specifies the location where the ActiveX control resides. If the control is not already installed, IE will offer to download and install the control from the specified source. For legitimate controls, this offers a more streamlined installation mechanism with minimal user interaction. However malicious content could convince the user with clever social engineering to ignore warnings (or their better judgement) and install something that might harm their privacy or the machine. A number of spyware, adware and malware sites use this mechanism to deploy executable content to machines. Microsoft has had to increase the default security settings for ActiveX and maintain blacklists of malicious controls in an attempt to mitigate this risk.

Mozilla Firefox attempts to present a middle ground. If a plugin is missing, it will notify the user that the plugin is missing and initiate a secure connection to a plugin finder service hosted on mozilla.org. The user can permit Firefox to download and install the plugin. This model prevents content specifying where a plugin should be downloaded from – the plugin finder service does. This enables Firefox to present a fairly seamless installation mechanism but limit the service to trusted and compatible plugins from reliable sources. This model implicitly trusts the plugin finder service to return "good" plugins, increasing the security required on the host site.