<b>SecBrowsing blog</b><br />
Stay malware-free: Keep your browser and plugins secure and up-to-date.<br />
By Panayiotis (http://www.blogger.com/profile/15083696673461982384)<br />
<br />
<b>Adobe Reader 9.4.4 released, 10.0.3/Win on June 14.</b> (posted 2011-04-23)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">According to the security bulletin from Adobe (http://www.adobe.com/support/security/bulletins/apsb11-08.html), the latest available versions are:<br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Windows</div> Adobe Reader 9.4.4 or 10.0.2 (10.0.3 will be available June 14, 2011).<br />
<br />
Mac<br />
<div style="text-align: left;"> Adobe Reader 9.4.4 or 10.0.3</div><br />
SecBrowsing will be updated accordingly shortly.</div>
<br />
<b>New zero-day for Adobe Flash, update coming soon.</b> (posted 2011-04-11, updated 2011-04-23)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><a href="http://www.adobe.com/support/security/advisories/apsa11-02.html">http://www.adobe.com/support/security/advisories/apsa11-02.html</a><br />
<br />
Update, Apr 23, 2011:<br />
<br />
Adobe released new versions a few days ago. The latest versions now available are:<br />
<br />
Firefox, Safari & IE: 10.2.159.1<br />
Chrome: 10.2.154.27<br />
Android: 10.2.156.12<br />
<br />
Secbrowsing will be updated shortly to point to the minimum of the above (10.2.154.27), so if you have anything later than that, you should be ok.<br />
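The "minimum version" check described in the two posts above, as an added example (not SecBrowsing's own code). It goes one step further than a single minimum: Reader has one minimum per release branch, and a detected string that is only a prefix of the minimum is reported as unknown rather than safe. The function names, table layout and sample strings are assumptions; the version numbers are the ones quoted on this page.

```javascript
// Added example, not SecBrowsing's code. The minimum versions are the ones
// quoted in the posts on this page; names and sample input are constructed.

// Minimum secure version per plugin, keyed by release branch (major version).
// "*" means one minimum covers every branch.
const MINIMUMS = {
  "Adobe Flash Player": { "*": "10.2.154.27" },
  "Adobe Reader": { "9": "9.4.4", "10": "10.0.2" }, // Windows values
  "Java": { "*": "6u24" },
  "Shockwave for Director": { "*": "11.5.9.620" },
};

// "10.2.154.27", "6u24" and "10.2 r154" all become arrays of integers.
function parseVersion(text) {
  const parts = String(text).match(/\d+/g);
  return parts ? parts.map(Number) : [];
}

// Returns "ok", "outdated", or "unknown" when the detected string runs out
// of components before the comparison is decided (e.g. "11.5" vs "11.5.9.620").
function compareToMinimum(detected, minimum) {
  const have = parseVersion(detected);
  const need = parseVersion(minimum);
  if (have.length === 0) return "unknown";
  for (let i = 0; i < need.length; i++) {
    if (i >= have.length) return "unknown";
    if (have[i] > need[i]) return "ok";
    if (have[i] < need[i]) return "outdated";
  }
  return "ok"; // equal on every component of the minimum
}

// Pick the minimum for the detected branch, then compare.
function checkPlugin(name, detected) {
  const branches = MINIMUMS[name];
  if (!branches) return { name, detected, status: "untracked" };
  const have = parseVersion(detected);
  if (have.length === 0) return { name, detected, status: "unknown" };
  const minimum = branches[String(have[0])] || branches["*"];
  if (!minimum) {
    // Branch not listed: newer than every listed branch counts as ok,
    // an older unlisted branch cannot be judged from this table.
    const newest = Math.max(...Object.keys(branches).map(Number));
    return { name, detected, status: have[0] > newest ? "ok" : "unknown" };
  }
  return { name, detected, minimum, status: compareToMinimum(detected, minimum) };
}

function audit(plugins) {
  return plugins.map((p) => checkPlugin(p.name, p.detected));
}

// Constructed sample of what a page might detect in one browser.
const SAMPLE = [
  { name: "Adobe Flash Player", detected: "10.2.159.1" },
  { name: "Adobe Flash Player", detected: "10.2 r154" }, // last component missing
  { name: "Adobe Reader", detected: "9.4.1" },
  // 10.0.1 passes a single "minimum of the above" (9.4.4) but is behind
  // the minimum of its own branch (10.0.2).
  { name: "Adobe Reader", detected: "10.0.1" },
  { name: "Java", detected: "6u22" },
  { name: "Shockwave for Director", detected: "11.5" }, // partial version only
];

console.log(
  audit(SAMPLE)
    .map((r) => `${r.name} ${r.detected}: ${r.status}`)
    .join("\n")
);
```
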
</div>
<br />
<b>Allowing out-of-date plugins in Chrome</b> (posted 2011-03-19, updated 2011-03-26)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Here's how to allow Chrome to run outdated plugins all the time (without warnings): You can disable the out-of-date plugin blocking by adding the command line flag <b>--allow-outdated-plugins</b>.<br />
<div><br />
</div><i>Note:</i> Chrome doesn't force you to use e.g. Adobe Reader X. Adobe Reader 8 and 9 are supported too, but they need to have all their security updates. Currently, that means Reader 8.2.6 or 9.4.2. If you have e.g. 9.4.1, you can update to 9.4.2 via Adobe Reader -> Check for updates.<br />
<br />
<br />
In Windows:<br />
<ol style="text-align: left;"><li>Right click on your "Chrome" icon.</li>
<li>Choose "Properties".</li>
<li>At the end of your target line, place these parameters: --allow-outdated-plugins</li>
<li>It should look like: <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">chrome.exe --allow-outdated-plugins</span></li>
</ol><br />
In Mac OS X:<br />
<br />
<ol style="text-align: left;"><li>Open Terminal</li>
<li><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">'/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' --allow-outdated-plugins</span></li>
</ol>On Linux:<br />
<ol style="text-align: left;"><li>From the command line, you can launch<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">google-chrome --allow-outdated-plugins</span></li>
</ol><div><br />
</div></div>
<br />
<b>Out-of-date plug-in warnings now part of Chrome</b> (posted 2011-03-08)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 15px;"><b>From the <a href="http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html">official Chromium blog</a>:</b></div><div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 15px;"><b><br />
</b></div><b>Chrome 10: Out-of-date plug-in warnings</b><blockquote>As we <a href="http://blog.chromium.org/2010/06/improving-plug-in-security.html">previously mentioned</a>, we believe that some of the most significant opportunities to increase user security revolve around plugins. We’ve made a number of improvements in this area, including actively encouraging users to update their plug-ins to the most secure version. Chrome now detects when a plug-in is out of date and blocks it with a simple infobar. This infobar helps guide the user towards updating their plug-in with the latest security fixes.</blockquote><div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 15px;"><br />
</div><br />
I'm glad to have contributed to the implementation of this feature -- a number of core Chrome engineers helped make it a reality. As for the secbrowsing extension, you don't need to, but you can keep it installed. It will continue to let you know when one of your plugins is out of date, even if you are not using it (in Chrome, the warning only appears when a website you visit requires one of your plugins that is out of date). This might be helpful, for example, if you use other browsers alongside Chrome, which don't prevent you from using out-of-date plugins.<br />
<br />
</div>
<br />
<b>New security updates for Java, latest version is 6u24</b> (posted 2011-02-17)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">A number of security vulnerabilities are fixed in this latest version of the Java plug-in:<br />
<a href="http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html">http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html</a><br />
<br />
<a href="http://secbrowsing.appspot.com/">SecBrowsing</a> was updated to point to the latest version (6u24).</div>
<br />
<b>New security updates for Adobe Reader, Flash and Shockwave player</b> (posted 2011-02-09)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">SecBrowsing was just updated to point to the latest versions of Adobe Reader, Flash and Shockwave:<br />
<br />
Adobe Shockwave Player 11.5.9.620 (on Windows; on Mac we cannot identify the full version via JavaScript) <br />
<a href="http://www.adobe.com/support/security/bulletins/apsb11-01.html">http://www.adobe.com/support/security/bulletins/apsb11-01.html</a><br />
<br />
Adobe Flash Player 10.2.152.26 (on Windows and Mac your Chrome should already have updated you to 10.2.154)<br />
<a href="http://www.adobe.com/support/security/bulletins/apsb11-02.html">http://www.adobe.com/support/security/bulletins/apsb11-02.html</a><br />
<br />
<br />
Adobe Reader 9.4.2 (10.0.0 is also affected but the sandbox should protect you).<br />
<a href="http://www.adobe.com/support/security/bulletins/apsb11-03.html">http://www.adobe.com/support/security/bulletins/apsb11-03.html</a><br />
<br />
</div>
<br />
<b>New security update for RealPlayer</b> (posted 2011-02-05)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">As of yesterday, SecBrowsing was updated to point to version 12.0.1.633 of the RealPlayer plug-in for Windows, which is the latest version released by Real and addresses a security issue in Windows.<br />
<br />
Security context: http://service.real.com/realplayer/security/01272011_player/en/</div>
<br />
<b>New RealPlayer security release</b> (posted 2010-12-16)<br />
As of yesterday, <a href="http://secbrowsing.appspot.com/">SecBrowsing</a> was updated to point to version <b>12.0.1.609</b> of the RealPlayer plug-in, which is the latest version released by Real and addresses <a href="http://service.real.com/realplayer/security/12102010_player/en/">security issues in many platforms</a>. <br />
<br />
I've verified this is the version reported by Real Player on Windows XP and Vista. If you happen to have RealPlayer Enterprise or Mac RealPlayer or Linux RealPlayer, and you are at the latest version, please let me know what version SecBrowsing detects for you, if any.<br />
<br />
<b>New Quicktime security update</b> (posted 2010-12-10)<br />
Apple released version 7.6.9 with a number of security fixes for Windows and Mac OS 10.5.8 or earlier. No solution is available for Mac OS 10.6 yet.<br />
<br />
<a href="http://secbrowsing.appspot.com/">Secbrowsing</a> was just updated to point to version 7.6.9 for Windows users.<br />
<br />
<b>Chrome's Flash sandbox</b> (posted 2010-12-04, updated 2010-12-16)<br />
On Dec 1, 2010, Google developers Justin Schuh and Carlos Pizano <a href="http://blog.chromium.org/2010/12/rolling-out-sandbox-for-adobe-flash.html">announced</a> the release of the first iteration of the security sandbox for the Adobe Flash plugin in Google Chrome (for Windows). It's currently on the dev-channel of Chrome, which is an unstable build targeted at users who like to browse on the edge.<br />
<br />
<b>How the security sandbox works</b><br />
<br />
One of the basic concepts that the operating system provides is that of a process. A process has its own piece of memory, and is a concept quite familiar even to end users. On Windows, hitting Ctrl-Alt-Delete lists (some of) the running processes of the system at any time, and lets you "kill" a process that you think is misbehaving. Bugs and crashes in one process do not (usually) affect other processes.<br />
<br />
Chrome uses multiple processes: one for the browser (networking, cache, cookies, bookmarks, sync, among others), one per website renderer (HTML, JS, CSS parsing, JavaScript execution, actual rendering of the page on the screen), and one per plug-in such as Java and Flash. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDAqvQvN5cysv8HDq-t7qxoJ7ssT-IyGjpAxgsrTO4LaueN704hwSucsaIfWLUyhmJEfFO7tokCb7zWN1fEGiKoo9iQHMxnpYoF5On2_RlWEhBYl6v9M2G3KbUZODOu6sJMwVR2EEmb0bQ/s1600/taskmanager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDAqvQvN5cysv8HDq-t7qxoJ7ssT-IyGjpAxgsrTO4LaueN704hwSucsaIfWLUyhmJEfFO7tokCb7zWN1fEGiKoo9iQHMxnpYoF5On2_RlWEhBYl6v9M2G3KbUZODOu6sJMwVR2EEmb0bQ/s320/taskmanager.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><i>Multiple processes in Chrome. 1 for the browser, 1 for Flash, and 1 per tab.</i></div><br />
<br />
The immediate impact is that a crash or a slowdown in one renderer does not slow down the other renderers, or the main browser. In addition, one can use this to enhance a browser's security by asking the operating system to restrict a process's access to the machine's resources.<br />
<br />
For example, the tab renderer processes are not allowed to read or write to the disk or network of the computer. They may only talk to the browser process to request resources (images, html etc).<br />
<br />
Traditionally, browser plugins were not restricted in what they could access on a computer. In fact, the reason plugins were adopted is that they provide access to resources the browser does not typically provide, such as video rendering or access to the webcam or raw network access. So, most plugins need to access the filesystem and the network, which makes them a security concern. Many plugins come with many security vulnerabilities, and taking over a plugin that has unrestricted access to the disk and network means one can easily force it to download and store malware on the machine.<br />
<br />
This is exactly what the plugin sandbox tries to stop. I'm looking forward to the release of the Flash sandbox in the stable version, in all operating systems, and in other browsers such as Firefox.<br />
<br />
Update: Google released a nice video that explains the sandbox as well as the importance of updating the plugins:<br />
<br />
<object width="480" height="320"><param name="movie" value="http://www.youtube.com/v/29e0CtgXZSI?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/29e0CtgXZSI?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="320"></embed></object><br />
<br />
<b>Flash 10.1.102 released</b> (posted 2010-11-06)<br />
Adobe Flash 10.1.102 was released on Nov 4, 2010: <a href="http://www.adobe.com/support/security/bulletins/apsb10-26.html">http://www.adobe.com/support/security/bulletins/apsb10-26.html</a>. Google Chrome was also updated to pick up the new bundled Flash.<br />
<br />
A number of vulnerabilities were fixed, at least one of which was reportedly used by malicious websites to install malware.<br />
<br />
<a href="http://secbrowsing.appspot.com/">SecBrowsing</a> was updated to point to the latest version.<br />
<br />
<b>Updating Flash</b> (posted 2010-11-06)<br />
If your Flash version in Chrome is out-of-date, one of a few things could be happening:<br />
<br />
<ul><li>You have not restarted Chrome in a while. If you just restart, you should get the latest version.</li>
<li>You are on the beta or the developer channel. If you don't know what this is, you are probably not on them. If you are, please wait a few days. Chrome will ask you to update itself. Sometimes Flash for dev channel is released a few days later than stable.</li>
<li>You are not using the bundled Flash plugin that ships with Chrome. Type "about:plugins" and then "Details" on the top-right. Find the Flash files you use, and enable the bundled Flash, which is typically the most up-to-date.</li>
</ul><br />
If you also use Flash in Firefox or Safari, use one of these browsers and get the latest version at <a href="http://get.adobe.com/flashplayer/">http://get.adobe.com/flashplayer/</a>.<br />
<br />
Resources:<br />
Chrome bundling Flash: <a href="http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html">http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html</a><br />
<br />
<b>Protect yourself against new Flash and Reader zero-day.</b> (posted 2010-10-28)<br />
Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you could do until then:<br />
<br />
Flash<br />
<ul><li>Either <a href="http://secbrowsing.blogspot.com/2010/03/disable-plugins-in-chrome-with.html">disable</a> the plugin, or</li>
<li>Use <a href="http://secbrowsing.blogspot.com/2010/09/get-click-to-play-on-unsandboxed.html">click-to-play</a> in Chrome dev channel. </li>
</ul>Reader<br />
<ul><li> <a href="http://secbrowsing.blogspot.com/2010/09/protect-yourself-against-todays-pdf.html">Protecting yourself against today's and future zero-days for Reader</a> is relevant again </li>
</ul><br />
Advisory at<br />
<a href="http://www.adobe.com/support/security/advisories/apsa10-05.html">http://www.adobe.com/support/security/advisories/apsa10-05.html</a><br />
<br />
<b>Shockwave for Director 11.5.9.615</b> (posted 2010-10-28)<br />
A new version of Shockwave for Director was released today, with critical security fixes. <a href="http://secbrowsing.appspot.com/">SecBrowsing</a> was just updated to point to the latest secure version, 11.5.9.615.<br />
<br />
<a href="http://www.adobe.com/support/security/bulletins/apsb10-25.html">http://www.adobe.com/support/security/bulletins/apsb10-25.html</a><br />
<br />
<b>New RealPlayer vulnerabilities and versions</b> (posted 2010-10-21)<br />
The open question is: how can either a website or even the actual browser detect if the RealPlayer version installed is vulnerable?<br />
<br />
<br />
I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time: <br />
<br />
<a href="http://service.real.com/realplayer/security/10152010_player/en/">http://service.real.com/realplayer/security/10152010_player/en/</a><br />
<br />
If you can help me understand it, I'd be grateful! <br />
<br />
My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.<br />
<br />
<b>Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now</b> (posted 2010-10-21)<br />
There's a zero-day vulnerability with <a href="http://www.exploit-db.com/exploits/15296/">code sample available.</a> In the past, that usually led to active exploits within a few days. <br />
<br />
The only defense right now is to disable Shockwave:<br />
<ul><li>Type about:plugins, hit enter.</li>
<li>Find "<b>Shockwave for Director</b>" (no, <i>not Shockwave Flash</i>)</li>
<li>If you can't find it, good! Otherwise, click "Disable".</li>
</ul>Adobe has released an advisory, but there's no patch to download yet:<br />
<a href="http://www.adobe.com/support/security/advisories/apsa10-04.html">http://www.adobe.com/support/security/advisories/apsa10-04.html</a><br />
<br />
In a previous post I was counting over 1 vulnerability per week: <br />
<a href="http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html">http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html</a><br />
<br />
In an even older post I tried to answer some common questions such as "What is Shockwave for Director?" <br />
<a href="http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html">http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html</a><br />
<br />
<b>Java 6u22 released</b> (posted 2010-10-18)<br />
The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at<br />
<a href="http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html">http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html</a><br />
<br />
SecBrowsing was updated to warn if you are running a vulnerable version.<br />
<br />
<b>Adobe Reader 9.4.0 released</b> (posted 2010-10-07)<br />
SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at <a href="http://get.adobe.com/reader/">http://get.adobe.com/reader/</a>.<br />
<br />
Many security vulnerabilities were fixed. The advisory from Adobe is available here: <a href="http://goo.gl/RCiD">http://goo.gl/RCiD</a>.<br />
<br />
<b>Adobe Flash Player version 10.1.85</b> (posted 2010-09-21, updated 2010-10-07)<br />
On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.<br />
SecBrowsing has been warning users since. Note that Chrome updates the bundled Flash plugin automatically; all you have to do is restart it.<br />
<br />
The security advisory from Adobe is available at <a href="http://www.adobe.com/support/security/bulletins/apsb10-22.html">http://www.adobe.com/support/security/bulletins/apsb10-22.html</a><br />
<br />
<b>Apple Quicktime 7.6.8 for Windows</b> (posted 2010-09-16)<br />
Apple Quicktime 7.6.8 was released yesterday. You can get it at <a href="http://www.apple.com/quicktime/download/">http://www.apple.com/quicktime/download/</a><br />
<br />
The release notes are here: <a href="http://support.apple.com/kb/HT4339">http://support.apple.com/kb/HT4339</a>. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.<br />
<br />
Metasploit has been hosting <a href="https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb">sample exploit code</a> for 17 days now.<br />
<br />
<b>Adobe Flash zero-day vulnerability under attack</b> (posted 2010-09-13)<br />
This report from <a href="http://www.zdnet.com/blog/security/adobe-flash-player-zero-day-under-attack/7342?utm_source=twitterfeed&utm_medium=twitter">ZDnet</a> covers an Adobe Flash zero-day, labelled CVE-2010-2884.<br />
<br />
Adobe's advisory: <a href="http://www.adobe.com/support/security/advisories/apsa10-03.html">http://www.adobe.com/support/security/advisories/apsa10-03.html</a><br />
<br />
Is there any way to protect yourself against this without blocking Flash, until you get the update (due Sept 27)? I would try the <a href="http://secbrowsing.blogspot.com/2010/01/how-to-secure-plugins-in-chrome.html">--safe-plugins option</a>, which runs all your plugins in a sandbox. It could break some features, like Flash might not be able to access your webcam or microphone anymore. If I get the chance I'll try this out and let you know if anything breaks.<br />
<br />
Note that as of today, Sept 13, virtually all web users are vulnerable to zero-day exploits for 3 different browser plugins, for which no fix is available:<br />
<br />
<ul><li><a href="http://secbrowsing.blogspot.com/2010/09/quicktime-767-zero-day-exploits-in-wild.html">Quicktime 7.6.7 for IE</a></li>
<li><a href="http://secbrowsing.blogspot.com/2010/09/protect-yourself-against-todays-pdf.html">Adobe Reader 9.3.4 for all platforms</a></li>
<li>Adobe Flash 10.1.82 for all platforms</li>
</ul><br />
<b>Get click-to-play on unsandboxed plugins</b> (posted 2010-09-10, updated 2010-09-12)<br />
<div style="text-align: left;">It seems that the latest developer version of Chrome (7.0.517.0) adds an option to auto-run plugins that are sandboxed, and prompt for the others. </div><br />
It can be enabled from the Tools menu, then "Preferences", "Under the hood", "Content settings". In "Plug-ins", you can select "Allow only sandboxed plug-ins".<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUVInTHy56YcxjRsWE7_xAOZuK1Idwrk864Xj40CwRQpDKA8t4GD7-P2AoCcN44BqX2rNYrl4Ue06Zrg19tDKqLiMlnysSU0POzVMATCBUiQOHx-e2pCn5Ba8aMcX03J1hHVmAb1-4kB9C/s1600/Screenshot-Content+Settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUVInTHy56YcxjRsWE7_xAOZuK1Idwrk864Xj40CwRQpDKA8t4GD7-P2AoCcN44BqX2rNYrl4Ue06Zrg19tDKqLiMlnysSU0POzVMATCBUiQOHx-e2pCn5Ba8aMcX03J1hHVmAb1-4kB9C/s320/Screenshot-Content+Settings.png" /></a></div><br />
<br />
<div style="text-align: left;">Then, embedded objects that require a plug-in to run will be replaced with a button. There's also an infobar that lets you enable the plug-in for the whole page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUlPYntZqPlWVoQdwdWTCHbmeJBCwAhi7hJZOAZRH09GohX_NrJHoLXRuFt_w5Tgvg_AZEhIndUqsWlRe8_w2-dlOi2tpm4sITQ4rhQvKKaLtXQ3sPYtvUKZyi1GsvmUMTLFqGxRYGSDyX/s1600/blocked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUlPYntZqPlWVoQdwdWTCHbmeJBCwAhi7hJZOAZRH09GohX_NrJHoLXRuFt_w5Tgvg_AZEhIndUqsWlRe8_w2-dlOi2tpm4sITQ4rhQvKKaLtXQ3sPYtvUKZyi1GsvmUMTLFqGxRYGSDyX/s320/blocked.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><br />
</div>
<br />
<b>Quicktime 7.6.7 zero-day exploits in the wild</b> (posted 2010-09-10)<br />
Quicktime's latest version (7.6.7) is currently being exploited through a known bug. All IE users on Windows are affected. The majority of the readers of this blog are Chrome users (since most of you come here via the Chrome extension), but, for completeness, I thought I'd write about this. There's no fix yet, so the only way to keep yourself safe is to disable the Quicktime plug-in from IE.<br />
<br />
References: <a href="http://www.securecomputing.net.au/News/231511,active-exploits-targeting-apple-quicktime-zero-day.aspx?eid=7&edate=20100909&eaddr=">http://www.securecomputing.net.au/News/231511,active-exploits-targeting-apple-quicktime-zero-day.aspx?eid=7&edate=20100909&eaddr=</a><br />
<br />
<b>Protect yourself against today's (and future) PDF zero-days</b> (posted 2010-09-08, updated 2010-09-10)<br />
3 months after the previous <a href="http://secbrowsing.blogspot.com/2010/06/flash-and-pdf-zero-day-expect-new.html">PDF zero-day on June 4</a>, and 3 weeks after <a href="http://secbrowsing.blogspot.com/2010/08/how-to-update-adobe-reader.html">various critical security fixes</a>, Adobe warns of a new <a href="http://www.adobe.com/support/security/advisories/apsa10-02.html">zero-day exploit that's actively being exploited</a>. "Zero-day" means that <i>even if you have the latest version of Adobe Reader (9.3.4), there are sites out there that can hack you</i>. A lot of users are affected (<a href="http://secbrowsing.blogspot.com/2010/07/google-on-browser-and-plugin-attacks.html">86% of Chrome users for example have the Adobe Reader plugin</a>).<br />
<br />
"Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date." <a href="http://krebsonsecurity.com/2010/09/attackers-exploiting-new-acrobatreader-flaw/">Brian Krebs, however, points out that only 1/4 of the virus scanners catch this</a>. My recommendations for viewing PDF files:<br />
<ol><li>[<span class="Apple-style-span" style="background-color: #d9ead3;">do this first</span>] <a href="http://secbrowsing.blogspot.com/2010/03/disable-plugins-in-chrome-with.html">Disable the Adobe Reader plugin from your browser</a>. </li>
<li>You'll still be able to view PDF files! When you encounter a PDF file that you trust is safe to view, you can do the following:</li>
<ul><li><span class="Apple-style-span" style="background-color: white;">[</span><span class="Apple-style-span" style="background-color: #d9ead3;">safest</span><span class="Apple-style-span" style="background-color: white;">] </span><a href="http://googlesystem.blogspot.com/2008/06/google-docs-to-add-support-for-pdfs.html" style="background-color: white;"><span class="Apple-style-span" style="background-color: white;">Upload the PDFs to Google Docs and view its image there</span></a><span class="Apple-style-span" style="background-color: white;">. Google has a <a href="https://chrome.google.com/extensions/detail/nnbmlagghjjcbdhgmkedmbmedengocbn">Chrome extension</a> that does this automatically for you.</span></li>
<li>[<span class="Apple-style-span" style="background-color: #d9ead3;">safe</span>] If you use Google Chrome, <a href="http://googlesystem.blogspot.com/2010/06/built-in-pdf-reader-for-google-chrome.html">turn on its built-in (and sandboxed) PDF Viewer</a>. There haven't been any reports of breakouts from the Chrome sandbox.</li>
<li>[<span class="Apple-style-span" style="background-color: #d9ead3;">safe</span>] Use alternative PDF viewers. Preview on Mac, or for Windows, <a href="http://krebsonsecurity.com/2010/09/attackers-exploiting-new-acrobatreader-flaw/">Brian Krebs suggests FoxIt, Sumatra or Nitro PDF</a>. On Linux, I've used evince and kpdf in the past. There's also xpdf. All of these are usually less targeted.</li>
<li>[<span class="Apple-style-span" style="background-color: #fce5cd;">risky</span>] Download it to your desktop, and open it in Adobe Reader. This is still dangerous, but at least random hacked pages won't auto-load invisible PDFs. If you do this, at least <a href="http://krebsonsecurity.com/2010/09/attackers-exploiting-new-acrobatreader-flaw/">disable JavaScript in Adobe Reader</a>.</li>
</ul></ol>Panayiotishttp://www.blogger.com/profile/15083696673461982384noreply@blogger.comtag:blogger.com,1999:blog-6999462602018344103.post-54439488279684924662010-09-03T15:31:00.000-07:002010-09-07T10:33:01.820-07:00Top browser plugins, and more statistics.<div class="separator" style="clear: both; text-align: left;"><a href="http://secbrowsing.appspot.com/">SecBrowsing</a> allows users to report their plugins, by clicking on the "Send to server" button. We use the data to see if we are missing any important plugins with known security vulnerabilities. In this post, I've aggregated the reports for 1 month, producing some hopefully interesting statistics.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><b>How many plugins are there?</b></div><div class="separator" style="clear: both; text-align: left;"></div><ul><li>Over 600 plugins (including different versions of the same plugin) were reported by over 3000 users in the month of Aug 2010. That by itself was interesting to me.</li>
</ul><br />
<div class="separator" style="clear: both; text-align: left;"><b>How many plugins does a user have?</b></div><div class="separator" style="clear: both; text-align: left;"></div><ul><li>50% of the users reported <b>over 20 plugins</b>. (This is the median. The average is 21 plugins.)</li>
<li>25% of the users reported over 26 plugins.</li>
<li>5% of the users reported over 30 plugins.</li>
<li>One user reported 52 plugins! </li>
</ul><br />
<div class="separator" style="clear: both; text-align: left;"><b>Note that some plugins are reported multiple times: Java is reported twice, RealPlayer 2-3 times, and QuickTime on Windows is reported </b><i><b>7 times</b></i><b>. So the number of unique plugins is probably around 10 on average.</b></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN1n9Gda_5gyxd6j3f9wbb-cWBXgXmkprrs5dexQ6g580Ng2b2Vniquf-iq-joqeddUIa4UQ3ZOv-LpzoBF9gvEtyUlbxDnkYRZkxE0w2J0MN_JZEO_uZvsRUFHhPlTWzz8gX3zMDuoplO/s1600/plugins_per_user_(cummulative_distribution_function).png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN1n9Gda_5gyxd6j3f9wbb-cWBXgXmkprrs5dexQ6g580Ng2b2Vniquf-iq-joqeddUIa4UQ3ZOv-LpzoBF9gvEtyUlbxDnkYRZkxE0w2J0MN_JZEO_uZvsRUFHhPlTWzz8gX3zMDuoplO/s400/plugins_per_user_(cummulative_distribution_function).png" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><b>The most popular plugins</b></div><div class="separator" style="clear: both; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: left;"></div><ul><li>38 plugins were reported by over 10% of the 3000 users.</li>
</ul><br />
<div class="separator" style="clear: both; text-align: left;">They are listed here, after dropping some plugins that come bundled with Chrome.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"></div><ul><li>98% Shockwave Flash</li>
<li>83% Silverlight Plug-In</li>
<li>78% Adobe Acrobat</li>
<li>66% QuickTime Plug-in</li>
<li>61% Microsoft® DRM</li>
<li>45% iTunes Application Detector</li>
<li>44% Windows Presentation Foundation</li>
<li>42% Google Earth Plugin</li>
<li>39% Picasa</li>
<li>38% Java(TM) Platform SE 6 U21</li>
<li>36% Microsoft® Windows Media Player Firefox Plugin</li>
<li>31% RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)</li>
<li>31% Windows Live® Photo Gallery</li>
<li>31% Microsoft Office 2010</li>
<li>28% Java Deployment Toolkit 6.0.210.7</li>
<li>26% Shockwave for Director</li>
<li>25% Windows Media Player Plug-in Dynamic Link Library</li>
<li>20% Microsoft Office Live Plug-in for Firefox</li>
<li>18% DivX Web Player</li>
<li>16% Chrome IE Tab</li>
<li>15% VLC Multimedia Plug-in</li>
<li>14% 2007 Microsoft Office system</li>
<li>10% Cooliris</li>
</ul><br />
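The counting behind the per-user numbers and the reach list above, sketched as an added example (not SecBrowsing's own code): it collapses duplicate registrations into one plugin family before computing the per-user median and each plugin's reach. The sample reports and the family-grouping rules are constructed assumptions.

```javascript
// Added example, not SecBrowsing's code. Reports are constructed sample data:
// one array per user, holding plugin names as navigator.plugins lists them.
const REPORTS = [
  ["Shockwave Flash", "Adobe Acrobat", "QuickTime Plug-in 7.6.7",
   "QuickTime Plug-in 7.6.7", "QuickTime Plug-in 7.6.7",
   "Java(TM) Platform SE 6 U21", "Java Deployment Toolkit 6.0.210.7"],
  ["Shockwave Flash", "Silverlight Plug-In", "Adobe Acrobat"],
  ["Shockwave Flash", "Silverlight Plug-In", "RealPlayer Version Plugin",
   "RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)"],
  ["Shockwave Flash", "Java(TM) Platform SE 6 U21",
   "Java Deployment Toolkit 6.0.210.7", "DivX Web Player", "VLC Multimedia Plug-in"],
  ["Silverlight Plug-In", "Cooliris"],
];

// Assumed grouping rules: entries that one vendor update replaces together.
const FAMILY_RULES = [
  [/^java\b/i, "Java"],
  [/quicktime/i, "QuickTime"],
  [/realplayer/i, "RealPlayer"],
];

function family(name) {
  for (const [pattern, fam] of FAMILY_RULES) {
    if (pattern.test(name)) return fam;
  }
  // Fallback: drop a trailing dotted version so versions of one plugin merge.
  return name.replace(/\s+\d+(\.\d+)*$/, "").trim();
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function summarize(reports) {
  const perUser = reports.map((r) => new Set(r.map(family)));
  const users = new Map(); // family -> number of users who have it
  for (const fams of perUser) {
    for (const f of fams) users.set(f, (users.get(f) || 0) + 1);
  }
  const reach = [...users]
    .map(([name, n]) => ({ name, share: n / reports.length }))
    .sort((a, b) => b.share - a.share || a.name.localeCompare(b.name));
  return {
    rawMedian: median(reports.map((r) => r.length)),     // entries as reported
    uniqueMedian: median(perUser.map((s) => s.size)),    // distinct families
    reach,
  };
}

const summary = summarize(REPORTS);
console.log(summary.rawMedian, summary.uniqueMedian, summary.reach);
```

The gap between the raw and unique medians is the inflation the note above describes, and the reach list sorted by share shows which plugin family's next vulnerability would touch the most users.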
<div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJylOM2WMt5rVw4bNEwlU3TxRMKInTWEbp4Ozf0roA31Ksk0Q_a6id5u_yRkk2QY8yGAc3WJbKnj0X2knF0geiV8knJbGSV1XO7nzRU09WHYCOkFWuvsz4xsB4tAdJojSz78aQB8ft64ms/s1600/plugins_with_more_than_10%2525_reach.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJylOM2WMt5rVw4bNEwlU3TxRMKInTWEbp4Ozf0roA31Ksk0Q_a6id5u_yRkk2QY8yGAc3WJbKnj0X2knF0geiV8knJbGSV1XO7nzRU09WHYCOkFWuvsz4xsB4tAdJojSz78aQB8ft64ms/s400/plugins_with_more_than_10%2525_reach.png" width="400" /></a></div><br />
<div class="separator" style="clear: both; text-align: left;">Note: Cooliris and Chrome IE Tab are extensions that bundle NPAPI plugins. The rest are system-wide NPAPI plugins.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div>Panayiotishttp://www.blogger.com/profile/15083696673461982384noreply@blogger.com