Thursday, February 18, 2010

New Adobe Reader vulnerability, open Adobe Reader -> Help -> Update.

Quoting http://www.adobe.com/support/security/bulletins/apsb10-07.html

A critical vulnerability has been identified in Adobe Reader 9.3 and Acrobat 9.3 for Windows, Macintosh and UNIX, [...] As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users [...] update to Adobe Reader 9.3.1.

Note that this allows any website you visit to take over your machine, it's not required that you eg open a bad PDF file that was emailed to you, websites embed evil PDFs all the time (especially hacked websites).

SecBrowsing does not track Adobe Reader yet because its version is not exposed in the browser. So please go ahead and update Adobe Reader manually:
  • Launch Adobe Reader
  • Help
  • Check for Updates

Thursday, February 11, 2010

New Flash player vulnerability, v10.0.45.2 released

Quoting Adobe Security Bulletin,
a critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2

I think this translates to "any website with a malicious flash object can make requests to websites with private information such as email, bank accounts etc". I might be wrong. But unauthorized cross-domain requests are not good. At least the vulnerability does not allow arbitrary code execution, but these days, if you can take over the browser, you are almost as good as taking over the machine itself.

Secbrowsing points to version 10.0.45.2.

Friday, February 5, 2010

New Chrome extension hides the icon if all is good.

The most requested feature for our Chrome extension was to hide the icon if all was good. Today Noe pushed a version of the extension that does that. The icon moved from the toolbar inside the address bar. It's a bit less visible, but it does not take up valuable space if you are up-to-date.

Important: If you don't see any icon, do not worry: You are up-to-date.
If you want to verify that SecBrowsing is installed, click wrench > Extensions.



Here's how it will look like if your have an out-of-date plugin:


As always, click on the red icon to get to http://secbrowsing.appspot.com/ with directions on how to update your plugins.

Better plugin version detection thanks to Firefox 3.6

Up until a few days ago, in order to find and parse plugin versions in JavaScript one had to write a pretty complex function that also involved a lot of guesswork, as you can see in our source code.

As of Firefox 3.6, however, websites can access the plugin version in the simplest way possible:
navigator.plugins[i].version
This means SecBrowsing can use this version when available and correctly detect plugins we cannot detect now correctly, such as

  • Adobe Reader
  • Shockwave for Director
  • RealPlayer 
We can also try to get this functionality into Google Chrome, so SecBrowsing can be accurate for Chrome as well. Stay tuned.

Thursday, February 4, 2010

New Internet Explorer security vulnerability

IE uses, you should visit this link and update your security settings http://www.microsoft.com/technet/security/advisory/980088.mspx

From the bulletin:
Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location.
Which means, for example, that if you can figure out the user's user name, you can read their address book from your website: "C:\Documents and Settings\user_name\Application Data\Microsoft\Address Book\user_name.wab".