Saturday, April 23, 2011

Adobe Reader 9.4.4 released, 10.0.3/Win on June 14.

According to the security bulletin from Adobe (http://www.adobe.com/support/security/bulletins/apsb11-08.html), the latest available versions are:

Windows
  Adobe Reader 9.4.4 or 10.0.2  (10.0.3 will be available June 14, 2011).

Mac
  Adobe Reader 9.4.4 or 10.0.3

Secbrowsing will be updated accordingly shortly.

Monday, April 11, 2011

New zero-day for Adobe Flash, update coming soon.

http://www.adobe.com/support/security/advisories/apsa11-02.html

Update, Apr 23, 2011:

Adobe released new versions a few days ago. The latest versions now available are:

Firefox, Safari & IE: 10.2.159.1
Chrome: 10.2.154.27
Android: 10.2.156.12

Secbrowsing will be updated shortly to point to the minimum of the above (10.2.154.27), so if you have anything later than that, you should be ok.
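The check described above (anything at or above the lowest fixed build is fine), as an added example that is not Secbrowsing's own code. The function names and table layout are assumptions; the version numbers are the ones quoted in the two April 23 posts, and treating a branch older than any listed one as outdated is also an assumption.

```javascript
// Minimum fixed version per release branch (major version), taken from the
// versions quoted in the posts above. Table layout is an assumption.
const MINIMUMS = {
  // Flash: the lowest of the fixed builds (Chrome's bundled 10.2.154.27).
  flash: { 10: "10.2.154.27" },
  // Reader on Windows: 9.x and 10.x are both current, each with its own floor.
  readerWin: { 9: "9.4.4", 10: "10.0.2" },
};

// "10.2.154.27" -> [10, 2, 154, 27]; null for anything that is not dotted digits.
function parseVersion(text) {
  const m = /^\d+(\.\d+)*$/.exec(String(text).trim());
  return m ? m[0].split(".").map(Number) : null;
}

// Numeric, component-wise comparison; missing components count as 0.
// A plain string comparison would rank "9.4.10" below "9.4.4".
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns "ok", "outdated", or "unknown" (unlisted plug-in or unparseable version).
function checkPlugin(name, installed) {
  const branches = MINIMUMS[name];
  const have = parseVersion(installed);
  if (!branches || !have) return "unknown";
  const min = branches[have[0]];
  if (min === undefined) {
    // Newer than every listed branch: ok. Older branch: assumed to have no fix.
    const newest = Math.max(...Object.keys(branches).map(Number));
    return have[0] > newest ? "ok" : "outdated";
  }
  return compareVersions(have, parseVersion(min)) >= 0 ? "ok" : "outdated";
}
```

Keeping one floor per branch matters for Reader: a single minimum of 10.0.2 would flag a fully patched 9.4.4, and a single minimum of 9.4.4 would accept 10.0.1.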

Saturday, March 19, 2011

Allowing out-of-date plugins in Chrome

Here's how to allow Chrome to run outdated plugins all the time (without warnings): you can disable the out-of-date plug-in check by adding the command-line flag --allow-outdated-plugins.

Note: Chrome doesn't force you to use e.g. Adobe Reader X. Adobe Reader 8 and 9 are supported too, but they need to have all their security updates. Currently, that means Reader 8.2.6 or 9.4.2. If you have e.g. 9.4.1, you can update to 9.4.2 via Adobe Reader -> Check for updates.


In Windows:
  1. Right click on your "Chrome" icon.
  2. Choose Properties
  3. At the end of your target line, place these parameters: --allow-outdated-plugins
  4. It should look like: chrome.exe --allow-outdated-plugins

In Mac OS X:

  1. Open Terminal
  2. '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' --allow-outdated-plugins

On Linux:
  1. From the command line, you can launch
    google-chrome --allow-outdated-plugins

Tuesday, March 8, 2011

Out-of-date plug-in warnings now part of Chrome



Chrome 10: Out-of-date plug-in warnings
As we previously mentioned, we believe that some of the most significant opportunities to increase user security revolve around plugins. We’ve made a number of improvements in this area, including actively encouraging users to update their plug-ins to the most secure version. Chrome now detects when a plug-in is out of date and blocks it with a simple infobar. This infobar helps guide the user towards updating their plug-in with the latest security fixes.


I'm glad to have contributed to the implementation of this feature -- a number of core Chrome engineers helped make it a reality. As for the secbrowsing extension, you don't need to, but you can keep it installed. It will continue to let you know when one of your plugins is out of date, even if you are not using it (in Chrome, the warning only appears when a website you visit requires one of your plugins that is out of date). This might be helpful for example if you use other browsers alongside Chrome, which don't prevent you from using out-of-date plugins.

Thursday, February 17, 2011

New security updates for Java, latest version is 6u24

A number of security vulnerabilities are fixed in this latest version of the Java plug-in:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

SecBrowsing was updated to point to the latest version (6u24)

Wednesday, February 9, 2011

New security updates for Adobe Reader, Flash and Shockwave player

Secbrowsing was just updated to point to the latest versions of Adobe Reader, Flash and Shockwave:

Adobe Shockwave Player 11.5.9.620 (on Windows, on Mac we cannot identify the full version via JavaScript)
http://www.adobe.com/support/security/bulletins/apsb11-01.html

Adobe Flash Player 10.2.152.26 (on Windows and Mac your Chrome should already have updated you to 10.2.154)
http://www.adobe.com/support/security/bulletins/apsb11-02.html


Adobe Reader 9.4.2 (10.0.0 is also affected but the sandbox should protect you).
http://www.adobe.com/support/security/bulletins/apsb11-03.html

Saturday, February 5, 2011

New security update for RealPlayer

As of yesterday, SecBrowsing was updated to point to version 12.0.1.633 of the RealPlayer plug-in for Windows, which is the latest version released by Real and addresses a security issue in Windows.

Security context: http://service.real.com/realplayer/security/01272011_player/en/

Thursday, December 16, 2010

New RealPlayer security release

As of yesterday, SecBrowsing was updated to point to version 12.0.1.609 of the RealPlayer plug-in, which is the latest version released by Real and addresses security issues in many platforms.

I've verified this is the version reported by RealPlayer on Windows XP and Vista. If you happen to have RealPlayer Enterprise or Mac RealPlayer or Linux RealPlayer, and you are at the latest version, please let me know what version SecBrowsing detects for you, if any.

Friday, December 10, 2010

New Quicktime security update

Apple released version 7.6.9 with a number of security fixes for Windows and Mac OS 10.5.8 or earlier. No solution is available for Mac OS 10.6 yet.

Secbrowsing was just updated to point to version 7.6.9 for Windows users.

Saturday, December 4, 2010

Chrome's Flash sandbox

On Dec 1, 2010, Google developers Justin Schuh and Carlos Pizano announced the release of the first iteration of the security sandbox for the Adobe Flash plugin in Google Chrome (for Windows). It's currently on the dev-channel of Chrome, which is an unstable build targeted at users who like to browse on the edge.

How the security sandbox works

One of the basic concepts that the operating system provides is that of a process. A process has its own piece of memory, and is a concept quite familiar even to end users. On Windows, hitting Ctrl-Alt-Delete lists (some of) the running processes of the system at any time, and lets you "kill" a process that you think is misbehaving. Bugs and crashes in one process do not (usually) affect other processes.

Chrome uses multiple processes: one for the browser (networking, cache, cookies, bookmarks, sync, among others), one per website renderer (HTML, JS, CSS parsing, JavaScript execution, actual rendering of the page on the screen), and one per plug-in such as Java and Flash.

Multiple processes in Chrome. 1 for the browser, 1 for Flash, and 1 per tab.


The immediate impact is that a crash or a slowdown in one renderer does not slow down the other renderers, or the main browser. In addition, one can use this to enhance a browser's security by asking the operating system to restrict a process's access to the machine's resources.

For example, the tab renderer processes are not allowed to read or write to the disk or network of the computer. They may only talk to the browser process to request resources (images, html etc).

Traditionally, browser plugins were not restricted in what they can access on a computer. In fact, the reason plugins were adopted is that they provide access to resources the browser does not typically provide, such as video rendering or access to the webcam or raw network access. So, most plugins need to access the filesystem and the network, which makes them a security concern. Many plugins come with many security vulnerabilities, and taking over a plugin that has unrestricted access to the disk and network means one can easily force it to download and store malware on the machine.

This is exactly what the plugin sandbox tries to stop. I'm looking forward to the release of the Flash sandbox in the stable version, in all operating systems, and in other browsers such as Firefox.

Update: Google released a nice video that explains the sandbox as well as the importance of updating the plugins.

Saturday, November 6, 2010

Flash 10.1.102 released

Adobe Flash 10.1.102 was released on Nov 4, 2010: http://www.adobe.com/support/security/bulletins/apsb10-26.html. Google Chrome was also updated to ship the new bundled Flash.

A number of vulnerabilities were fixed, at least one of which was reportedly used by malicious websites to install malware.

SecBrowsing was updated to point to the latest version.

Updating Flash

If your Flash version in Chrome is out-of-date, one of a few things could be happening:

  • You have not restarted Chrome in a while. If you just restart, you should get the latest version.
  • You are on the beta or the developer channel. If you don't know what this is, you are probably not on them. If you are, please wait a few days. Chrome will ask you to update itself. Sometimes Flash for dev channel is released a few days later than stable.
  • You are not using the bundled Flash plugin that ships with Chrome. Type "about:plugins" and then click "Details" on the top-right. Find the Flash files you use, and enable the bundled Flash, which is typically the most up-to-date.

If you also use Flash in Firefox or Safari, use one of these browsers and get the latest version at http://get.adobe.com/flashplayer/.

Resources:
Chrome bundling Flash: http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html

Thursday, October 28, 2010

Protect yourself against new Flash and Reader zero-day.

Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you could do until then:

Flash
Reader

Advisory at
http://www.adobe.com/support/security/advisories/apsa10-05.html

Shockwave for Director 11.5.9.615

A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version, 11.5.9.615.

http://www.adobe.com/support/security/bulletins/apsb10-25.html

Thursday, October 21, 2010

New RealPlayer vulnerabilities and versions

The open question is: how can either a website or even the actual browser detect if the RealPlayer version installed is vulnerable?


I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time:

http://service.real.com/realplayer/security/10152010_player/en/

If you can help me understand it, I'd be grateful!

My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.

Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now

There's a zero-day vulnerability with code sample available. In the past, that usually led to active exploits within a few days.

The only defense right now is to disable Shockwave:
  • Type about:plugins, hit enter.
  • Find "Shockwave for Director" (no, not Shockwave Flash)
  • If you can't find it, good! Otherwise, click "Disable".

Adobe has released an advisory, but there's no patch to download yet:
http://www.adobe.com/support/security/advisories/apsa10-04.html

In a previous post I was counting over 1 vulnerability per week:
http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html

In an even older post I tried to answer some common questions such as "What is Shockwave for Director?"
http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html

Monday, October 18, 2010

Java 6u22 released

The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

SecBrowsing was updated to warn if you are running a vulnerable version.

Thursday, October 7, 2010

Adobe Reader 9.4.0 released

SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at http://get.adobe.com/reader/.

Many security vulnerabilities were fixed. The advisory from Adobe is available here: http://goo.gl/RCiD.

Tuesday, September 21, 2010

Adobe Flash Player version 10.1.85

On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.
SecBrowsing has been warning users since. Note that Chrome auto-updates the bundled Flash plugin; all you have to do is restart it.

The security advisory from Adobe is available at http://www.adobe.com/support/security/bulletins/apsb10-22.html

Thursday, September 16, 2010

Apple Quicktime 7.6.8 for Windows

Apple Quicktime 7.6.8 was released yesterday. You can get it at http://www.apple.com/quicktime/download/

The release notes are here: http://support.apple.com/kb/HT4339. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.

Metasploit has been hosting sample exploit code for 17 days now.