Browser plug-ins are the biggest target on your computer. Java is a gaping security hole, but Flash has seen a stream of 0-day attacks recently. There’s even been an increase in attacks against Silverlight.
These plug-ins have also become less necessary over time. For example, YouTube recently dumped Flash, and Netflix has dumped Silverlight. Your browser is capable of doing this stuff on its own — as long as websites cooperate.
Why Browser Plug-ins Are Bad
Web browsers are becoming ever more capable, and the functions that once required browser plug-ins — various video playback features, video chatting, animations, in-browser games, and more — are now built into modern browsers. It’s just up to websites to switch over to the in-browser features from those old plug-ins they’re still using.
And plug-ins really are old. Firefox still uses the NPAPI plug-in system created for Netscape Navigator. Internet Explorer uses ActiveX, which is notorious for its security problems. Chrome uses PPAPI, which is designed to provide additional sandboxing — but even it isn’t ideal. If an attacker finds a hole in your browser plug-in, they can generally exploit that hole to gain access to the system. Plug-ins aren’t sandboxed — except on Chrome, and even that sandbox won’t protect you from everything.
Note that browser plug-ins are different from extensions, or add-ons. An extension or add-on adds a new feature to your browser that you can use, if you like. A plug-in is a program that websites can require. They were necessary when browsers weren’t evolving fast enough — like back in the Internet Explorer 6 days — but now need to go away.
Popular Plug-ins You May Not Need
Plug-ins will likely never vanish completely from the web. Even now, if you dug deep enough, you could probably find web pages that required you to install RealPlayer to view their old videos. But, at a certain point, we all uninstalled RealPlayer because it just wasn’t necessary. Plug-ins like Java and Silverlight have already hit that point for most people, and even Flash should get there one day soon.
- Silverlight: Most people have Microsoft’s Silverlight plug-in installed for Netflix. If you’re one of them, there’s good news — in modern browsers, Netflix will just use HTML5 instead of Silverlight. So, if you still just have Silverlight installed for Netflix, you can go uninstall it now. Really, Microsoft wants the Silverlight browser plug-in to go away, too. You’re doing them a favor by ditching it.
- Java: What more can we say about Java? Java applets have all but vanished from the consumer web — unless they’re being used for exploits — but the terribly insecure Java browser plug-in is still enabled by default. Even if you need Java installed (to play Minecraft, for example), you don’t need the browser plug-in enabled. Head to the Java Control Panel and disable the Java plug-in if you can’t uninstall it.
- Flash: Flash is the plug-in you might still want. Flash is becoming less necessary than ever, and you can now even view every single video on YouTube without having Flash installed. Other video-playback sites have also switched away from Flash, and modern websites shouldn’t require it. On the other hand, Flash is still used for many different things — the videos on Facebook, for example, require having Flash installed. To alleviate the problem, we recommend enabling click-to-play for Flash rather than uninstalling it completely.
Other plug-ins have also become unnecessary as they’ve been folded into the browser. Google’s Google Talk plug-in for audio and video calls is no longer needed, nor is the Google Earth plugin for looking at detailed satellite views on Google Maps. Microsoft is working on a version of Skype for the web that will no longer require the Skype browser plugin. Plug-ins like QuickTime, RealPlayer, Windows Media Player, and the VLC Web Plugin aren’t really used anymore either.
Seeing Which Plugins You Have Installed
To see which plug-ins you have installed, check the list of plug-ins buried in your web browser of choice.
- Chrome: Plug “chrome://plugins/” into your address bar (without the quotes) and press Enter. You can also navigate to Settings > Show advanced settings > Content settings > Disable individual plugins.
- Firefox: Click the menu button, click Manage add-ons, and select the Plug-ins icon.
- Internet Explorer: Click the gear menu on the toolbar and select Add-ons. Ensure the “Toolbars and extensions” category is selected, and then click the Show box and select All add-ons.
- Safari: Click the Safari menu, select Preferences, and click the Security icon. Click the Website Settings button to the right of “Internet plug-ins.”
- Opera: Click the Opera menu and select Settings. Select the Websites category and click “Disable individual plugins.” Alternatively, you can just plug “opera://plugins” into the address bar (without quotes) and press Enter.
Uninstalling or Disabling Plugins
If you see any ancient plugins you don’t need, you should head to your Control Panel and uninstall them — you can’t uninstall them from inside your browser.
If you’d rather just temporarily disable the plug-ins, you can click the Disable button on your browser’s plug-in manager page. Leave it disabled for a while and see if you really need it. If you don’t notice you need it, you can head to the Control Panel and uninstall it later. Note that disabling a plug-in in one browser only disables it for that specific browser. For example, if you disable Flash in Firefox, it’ll still be enabled in Chrome and Internet Explorer.
You could also set up different browser profiles, with the plug-ins disabled in one browser (or profile) and the plug-ins enabled in another browser. This would let you isolate the plug-ins from your normal browsing experience.
Assuming you don’t uninstall every single plug-in — and you probably won’t — you should head to the Firefox Plug-in Check page. Don’t let the name fool you — this tool will work for any web browser. It’ll let you know if you have any old, vulnerable plugins that you need to update or get rid of immediately.
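The kind of audit described above can be sketched in a few lines. This is an added example, not code from the original article or from the Plug-in Check tool; it assumes an inventory of objects shaped like `navigator.plugins` entries (`name`, `description`, optional `version`), and the policy table, minimum version and sample inventory are all constructed.

```javascript
// Policy distilled from the article above; minVersion is a constructed placeholder.
const POLICY = [
  { match: /\bjava\b/i, advice: 'disable' },
  { match: /silverlight/i, advice: 'uninstall' },
  { match: /realplayer|quicktime|windows media player|vlc/i, advice: 'uninstall' },
  { match: /flash/i, advice: 'click-to-play', minVersion: '17.0' },
];

// Pull the first dotted version out of free text such as "Shockwave Flash 16.0 r0".
function extractVersion(text) {
  const m = /\d+(?:\.\d+)+/.exec(text || '');
  return m ? m[0] : null;
}

// Compare dotted versions numerically (a string compare would rank "9.0" above "10.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify every plug-in: known-unneeded, outdated, unverifiable, or unknown.
function auditPlugins(plugins) {
  return plugins.map((p) => {
    const rule = POLICY.find((r) => r.match.test(p.name));
    const version = p.version || extractVersion(p.description);
    if (!rule) return { name: p.name, version, finding: 'review' };
    let finding = rule.advice;
    if (rule.minVersion && !version) finding = 'version-unknown';
    else if (rule.minVersion && compareVersions(version, rule.minVersion) < 0) finding = 'outdated';
    return { name: p.name, version, finding };
  });
}

// Constructed sample inventory, not taken from a real machine.
const SAMPLE = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 16.0 r0' },
  { name: 'Java(TM) Platform SE 7 U71', description: 'Next Generation Java Plug-in 10.71.2 for Mozilla browsers' },
  { name: 'Silverlight Plug-In', description: '5.1.30514.0' },
  { name: 'Shockwave Flash', version: '17.0.0.1', description: '' },
  { name: 'Shockwave Flash', description: 'Adobe plug-in' },
  { name: 'Example PDF Viewer', description: 'Renders PDF documents' },
];
console.log(auditPlugins(SAMPLE));
```

A plug-in whose version cannot be read is reported as `version-unknown` rather than passed, since an unverifiable plug-in should be treated like an outdated one.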