Saturday, January 30, 2010

Take a second and disable Javascript from Acrobat Reader

Secbrowsing does not yet track the versions of the Adobe Reader plugin, because Reader does not expose its version to websites. We plan to find a way to track the version soon. In the meantime, please:
  • Update Acrobat Reader
  • Disable Acrobat Javascript

Update Acrobat Reader

  1. Launch Adobe Reader
  2. Select Help > Check for Updates
  3. Exit Adobe Reader
  4. Repeat
You might have to repeat this process a few times if you have missed a lot of updates. Keep asking Reader to check for updates, even after it has installed some. If you have 9.1.1 and the latest version is 9.1.3, you need to run the update process twice.

Disable Acrobat Javascript

Also, please disable JavaScript for Reader. Many of the security releases of Reader fix vulnerabilities that involve its JavaScript engine.
  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences
  3. Select the JavaScript Category
  4. Uncheck the 'Enable Acrobat JavaScript' option
  5. Click OK
More about disabling Javascript, from Adobe. HowtoGeek also has a screenshot.

Sunday, January 24, 2010

Check your plugins right within iGoogle

Aiming for the smallest iGoogle gadget ever (in terms of screen real estate), today we made SecBrowsing available for your iGoogle homepage:



Go ahead and add it to your Google homepage

Saturday, January 23, 2010

RealPlayer Versioning (and did I mention you should update it?)

RealPlayer was recently updated to address a number of vulnerabilities.

In theory, the RealPlayer AutoUpdate should run and get you up-to-date, according to their privacy page: "A background update check may happen automatically and without advanced notification if RealNetworks deems a critical update is required, such as for urgent security patches and bug fixes."

In practice, if you know what realsched.exe is and you've disabled it, you should go and update RealPlayer yourself, from the application itself or by downloading a fresh copy at Real.com.

It's not trivial, for me at least, to understand how SecBrowsing can help users identify if they are running a vulnerable version right now. Their versioning system is quite confusing. Here's a snippet of the vulnerability report from RealPlayer for Windows:
Not vulnerable:
  • RealPlayer SP 1.0.2 - 1.0.5
Vulnerable:
  • RealPlayer SP 1.0.0 and 1.0.1
  • RealPlayer 11 (11.0.5 and higher)
  • RealPlayer 11 (11.0.1 - 11.0.4)
  • RealPlayer 11 (11.0.0)
  • RealPlayer 10.5 (6.0.12.1675)
  • RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
  • RealPlayer 10
  • RealPlayer Enterprise
I downloaded a fresh copy of RealPlayer yesterday, installed it on Windows Vista, checked the reported version, and it came back as 6.0.12.448. It's not one of the reported vulnerable versions, I guess, but it's also not "greater than" them in the typical sense.

This makes Mozilla's effort in building a Plugin Directory with version history a more viable alternative to our "latest good version" approach. Mozilla also offers APIs to this service, even for other browsers to use, which is great.

I'm still skeptical about whether we'll be able to identify all these arbitrary versions from the browsers without some help, going forward at least, from the plugin vendors.
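To make the version-ordering problem concrete, here is an added example (my own illustration, not SecBrowsing's code) that encodes the Windows ranges from the advisory quoted above and classifies a reported version against them. The two product lines listed without version numbers ("RealPlayer 10" and "RealPlayer Enterprise") cannot be expressed as ranges and are left out. The example also shows why a single "latest good version" comparison is misleading across RealPlayer's product lines: the hypothetical latest-good value of 1.0.5 used below is an assumption for illustration.

```javascript
// Added example: classify a RealPlayer version string against the vendor
// advisory's Windows ranges as transcribed from the post. Not SecBrowsing code.

// Split "6.0.12.448" into [6, 0, 12, 448].
function parseVersion(s) {
  return s.trim().split(".").map(Number);
}

// Compare two dotted versions component-wise; missing components count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// [low, high] ranges from the advisory; a single build is [v, v] and a null
// high bound means "and higher". Unversioned entries (RealPlayer 10,
// RealPlayer Enterprise) cannot be encoded and are omitted.
const VULNERABLE_RANGES = [
  ["1.0.0", "1.0.1"],             // RealPlayer SP 1.0.0 and 1.0.1
  ["11.0.5", null],               // RealPlayer 11, 11.0.5 and higher
  ["11.0.1", "11.0.4"],           // RealPlayer 11
  ["11.0.0", "11.0.0"],           // RealPlayer 11
  ["6.0.12.1675", "6.0.12.1675"], // RealPlayer 10.5
  ["6.0.12.1040", "6.0.12.1663"], // RealPlayer 10.5
  ["6.0.12.1698", "6.0.12.1698"], // RealPlayer 10.5
  ["6.0.12.1741", "6.0.12.1741"], // RealPlayer 10.5
];
const SAFE_RANGES = [["1.0.2", "1.0.5"]]; // RealPlayer SP, listed as not vulnerable

function inRange(v, [lo, hi]) {
  return compareVersions(v, lo) >= 0 && (hi === null || compareVersions(v, hi) <= 0);
}

// "vulnerable" | "not vulnerable" | "unknown". A build such as 6.0.12.448 sits
// below every listed 10.5 range and in no safe range, so it comes back unknown.
function classify(version) {
  if (VULNERABLE_RANGES.some(r => inRange(version, r))) return "vulnerable";
  if (SAFE_RANGES.some(r => inRange(version, r))) return "not vulnerable";
  return "unknown";
}

// The "latest good version" shortcut: treat anything >= latestGood as fine.
// Across product lines this misfires: 6.0.12.448 is numerically "newer" than
// 1.0.5 even though it belongs to a different, unlisted line.
function naiveLatestGoodCheck(version, latestGood) {
  return compareVersions(version, latestGood) >= 0;
}

console.log(["6.0.12.448", "6.0.12.1500", "1.0.3"].map(v => [v, classify(v)]));
```

Running it prints `unknown` for 6.0.12.448 (the fresh Vista install from the post), `vulnerable` for a build inside the 10.5 range, and `not vulnerable` for SP 1.0.3, while `naiveLatestGoodCheck("6.0.12.448", "1.0.5")` wrongly reports the install as up to date.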

New Shockwave security update

Brian Krebs reports on a new vulnerability, this time on Shockwave. He also describes how Shockwave is different from Flash. Here's the report from Adobe.

My personal recommendation is to actually uninstall Shockwave and just keep Flash, unless you really remember using it.

Download the latest version here

Note to SecBrowsing users

SecBrowsing was just updated to point users to version 11.5.6. Unfortunately, on Windows, the plugin still reports "11.5" as its version, so it's impossible to identify the vulnerable version (11.5.2) from the safe one (11.5.6).

Until we have a nicer way of showing users that we can't detect the version correctly, I've decided to keep pointing users to the latest version, even if they have already installed it.

If you have installed Shockwave 11.5.6 (released Jan 19, 2010), please ignore the warning; you do not need to reinstall it.

You can check your exact version on Adobe's website. If you are out-of-date, please download the latest version here.

Friday, January 22, 2010

Firefox 3.6 with Plugin Check -- and what's missing

Firefox 3.6 is out, with a link to the Firefox Plugin Check page on the "Addons -> Plugins" tool.



The Firefox Plugin Check webpage works in a very similar fashion to SecBrowsing, giving you links to download the latest versions of plugins that are old.

The plugin check is also integrated into Firefox in another way. Blair McBride explains that "Whenever you load a page that uses a plugin that is out of date, you’ll get a warning". I expect this to dramatically reduce the ratio of Firefox users with out-of-date plugins.



There's a significant improvement that still remains to be done, however: Notice on the screenshot how Adobe Acrobat's version is detected inside Firefox. The browser itself appears to be able to detect the plugin version. On the updater page, however, the version is not detected.



The list of plugins with unknown versions is unfortunately usually long, meaning that there are still many vulnerable attack vectors against the browser. Acrobat Reader in particular has been targeted a lot lately.

SecBrowsing suffers from the same issue: Reader does not expose its version to HTML pages. Deeper integration into the browser is needed for both the Firefox Plugin Check and SecBrowsing to be helpful with such plugins. I plan to post more on this in the future.
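The two detection gaps described on this page, Reader exposing no version at all and Shockwave on Windows reporting only "11.5" (see the Shockwave note above), come down to what a web page can read from the browser's plugin list. The following added example (my own illustration, not SecBrowsing's or Mozilla's code) runs a SecBrowsing-style check over entries shaped like `navigator.plugins` objects. The sample entries and their description strings are constructed to mirror the situations the posts describe and are not captured browser output; the "latest good" table reuses version numbers from this page, with Reader's 9.1.3 being the post's illustrative figure rather than a real release check.

```javascript
// Added example: a SecBrowsing-style plugin check over navigator.plugins-shaped
// entries. Sample data is constructed; it is not captured from a browser.

const SAMPLE_PLUGINS = [
  // Reader: no version anywhere in what the page can see (constructed).
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape" },
  // Shockwave on Windows: only "11.5" is reported (constructed description).
  { name: "Shockwave for Director", description: "Adobe Shockwave for Director, version 11.5" },
  { name: "Java(TM) Platform SE 6 U18", description: "Next Generation Java Plug-in 1.6.0_18 for Mozilla browsers" },
  { name: "Silverlight Plug-In", description: "3.0.50106.0" },
];

// "Latest good" versions taken from the posts on this page. The Reader entry
// uses the post's illustrative 9.1.3; a real deployment would look it up.
const LATEST = [
  { match: /Acrobat|Adobe PDF/i,        latest: "9.1.3" },
  { match: /Shockwave for Director/i,   latest: "11.5.6" },
  { match: /Java/i,                     latest: "1.6.0_18" },
  { match: /Silverlight/i,              latest: "3.0.50106.0" },
];

// Pull a dotted version out of a plugin's name or description. Java's
// 1.6.0_18 style is normalised to 1.6.0.18. Returns null when nothing
// version-like is present, which is exactly Reader's case.
function extractVersion(plugin) {
  const text = `${plugin.name} ${plugin.description}`;
  const m = text.match(/\d+(?:[._]\d+)+/);
  return m ? m[0].replace(/_/g, ".") : null;
}

// Component-wise comparison; missing components count as 0. Returns -1, 0, 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Status of one plugin entry:
//   "not tracked"  - no rule for this plugin
//   "unknown"      - plugin exposes no version (Reader)
//   "undetermined" - version too coarse to decide ("11.5" vs latest 11.5.6)
//   "up-to-date" / "out-of-date" otherwise
function assess(plugin) {
  const rule = LATEST.find(r => r.match.test(plugin.name) || r.match.test(plugin.description));
  if (!rule) return { name: plugin.name, version: null, status: "not tracked" };
  const reported = extractVersion(plugin);
  if (reported === null) return { name: plugin.name, version: null, status: "unknown" };
  const latest = rule.latest.replace(/_/g, ".");
  const depth = reported.split(".").length;
  const need = latest.split(".").length;
  // Fewer components than the rule needs AND equal on the components we do
  // have: "11.5" matches both 11.5.2 and 11.5.6, so no verdict is possible.
  if (depth < need && compareVersions(reported, latest.split(".").slice(0, depth).join(".")) === 0) {
    return { name: plugin.name, version: reported, status: "undetermined" };
  }
  const status = compareVersions(reported, latest) >= 0 ? "up-to-date" : "out-of-date";
  return { name: plugin.name, version: reported, status };
}

// In a browser this would be called with Array.from(navigator.plugins).
function checkAll(plugins = SAMPLE_PLUGINS) {
  return plugins.map(assess);
}

console.log(checkAll());
```

On the sample data Reader comes back `unknown`, Shockwave `undetermined`, and Java and Silverlight `up-to-date`. The `undetermined` state is the honest answer for Shockwave's "11.5": the post's current workaround of always pointing users at 11.5.6 is the "treat undetermined as out-of-date" policy, and separating the two states is what a nicer message to users would need.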

Thursday, January 21, 2010

How to secure plugins in Chrome

Google Chrome has the capability to run its plugins in its sandbox. However, that option is not enabled by default. Personally, I don't agree with this choice, but read the disclaimer about how that's not the opinion of my employer.

I strongly recommend using the safe-plugins option for Chrome. Here are instructions on how to create a shortcut for a "safe chrome" on Windows:

  • Copy the launcher icon (from the desktop, taskbar, or start menu)
  • Paste it on the desktop, rename it if you wish.
  • Right-click on the new icon, select "Properties"
  • Change the target so it ends like this:
    • ...\Application\chrome.exe" --safe-plugins

Wednesday, January 20, 2010

New Silverlight version out

Latest version of the Microsoft Silverlight Plug-In: 3.0.50106.0

Release notes: http://support.microsoft.com/kb/979202

According to the notes, "this update includes functional, performance, reliability, and security improvements"; however, no particular security improvements are mentioned.

Get it from http://secbrowsing.appspot.com/

Tuesday, January 19, 2010

New Java out (non-security release)

Java 6 update 18 (1.6.0_18) is out.

According to the release notes, there are no security fixes in this version.

Link is available on http://secbrowsing.appspot.com/