And you realize you are on the right track. Users are being trained to run more and more software off of web servers, and let's face it, whether the code is Open Source or closed source the user has no idea what the software is doing on his machine. A couple of years ago, my 14 year old son came to a web site that offered "Dancing Bikinis on the Desktop"; there are not too many 14 year old boys that could resist this offer. :^) Of course his machine was quickly infected.
A couple of weeks ago I wrote about confining nsplugin with SELinux. NSPluginWrapper is a tool used to run Firefox plugins in a separate process. In Fedora 9 we have the capability to confine it. SELinux would stop vulnerabilities like the one described above in two ways. First, the buffer overflow protections (the execmem, execheap and execstack checks) would cause the vulnerability to blow up before the plugin could execute the hacker's code. Then, if the vulnerability was able to get past the memory checks, SELinux would confine the plugin to only what plugins are supposed to do. It would not allow the plugin to connect to random ports, like the email port. The plugin would not be allowed to write to random places in the user's home directory, and it would not be allowed to grab data from sensitive directories like .ssh or .gpg.
If you would like to try it out, make sure you install nspluginwrapper, and turn on the allow_unconfined_nsplugin_transition boolean.
# setsebool -P allow_unconfined_nsplugin_transition 1
This will allow the default login domain unconfined_t to transition to nsplugin_t when Firefox starts the plugin wrapper. To make this work well you will also need to relabel your home directory.
# restorecon -R -v ~/
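A pre-flight check for the setup above, as an added example that is not from the original post: it reports whether the allow_unconfined_nsplugin_transition boolean is on, how many files in the home directory restorecon would still relabel, and whether any running plugin process has actually landed in nsplugin_t. The exact output formats of getsebool, `restorecon -n -v` and `ps -eZ` are assumptions here, so each parsing function takes its input as text and is exercised against constructed samples when the SELinux tools are not available.

```shell
#!/bin/sh
# Added example: verify the nsplugin_t confinement setup (not code from the post).
# Assumed formats: getsebool prints "NAME --> on|off"; "restorecon -n -v -R DIR"
# prints one "restorecon reset PATH context OLD->NEW" line per file it would
# relabel; "ps -eZ" prints the full security context in its first column.

# Return 0 (true) when a getsebool output line reports the boolean as on.
nsplugin_boolean_on() {
    case "$1" in
        "allow_unconfined_nsplugin_transition --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the files a dry-run restorecon would relabel. Reads stdin.
count_pending_relabels() {
    grep -c '^restorecon reset ' || true
}

# Count processes whose context is in the nsplugin_t domain. Reads stdin.
count_nsplugin_processes() {
    grep -c ':nsplugin_t:' || true
}

# Constructed sample output, standing in for a real Fedora 9 desktop whose
# home directory has not been relabeled yet.
SAMPLE_BOOL='allow_unconfined_nsplugin_transition --> off'
SAMPLE_RESTORECON='restorecon reset /home/dan/.mozilla context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:mozilla_home_t:s0
restorecon reset /home/dan/.mozilla/plugins context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:mozilla_home_t:s0'
SAMPLE_PS='LABEL                                     PID TTY      TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0 4321 ?    00:00:03 firefox
unconfined_u:unconfined_r:nsplugin_t:s0   4350 ?    00:00:01 npviewer.bin'

# Report against the live system when SELinux tools are present, else against
# the constructed samples so the script can be read and run anywhere.
report() {
    if command -v getsebool >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        bool_line=$(getsebool allow_unconfined_nsplugin_transition 2>/dev/null)
        pending=$(restorecon -n -v -R "$HOME" 2>/dev/null | count_pending_relabels)
        running=$(ps -eZ 2>/dev/null | count_nsplugin_processes)
    else
        bool_line=$SAMPLE_BOOL
        pending=$(printf '%s\n' "$SAMPLE_RESTORECON" | count_pending_relabels)
        running=$(printf '%s\n' "$SAMPLE_PS" | count_nsplugin_processes)
    fi

    if nsplugin_boolean_on "$bool_line"; then
        echo "boolean: on (plugins started by Firefox will transition to nsplugin_t)"
    else
        echo "boolean: off -> run: setsebool -P allow_unconfined_nsplugin_transition 1"
    fi
    echo "home directory files restorecon would relabel: $pending"
    if [ "$pending" -gt 0 ]; then
        echo "  -> run: restorecon -R -v ~/"
    fi
    echo "plugin processes currently in nsplugin_t: $running"
}

report
```

Run it as the desktop user after starting a plugin in Firefox; a count of zero nsplugin_t processes while a plugin is active means the transition is not happening, and the boolean line or the pending relabel count will usually say why.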
As we move forward I want to get to the point where we can turn these features on by default. But a lot of this technology is brand new and needs to get fleshed out: problems like labeling of the home directory, or users wanting to run some random plugin that does something weird. We have a constant battle between "Usability" and Security. If we turn on features like nsplugin_t by default, we increase security, but if SELinux stops "Dancing Bikinis", I get the "SELinux sucks, how do I turn it off..."