Thursday, December 16, 2010

New RealPlayer security release

As of yesterday, SecBrowsing was updated to point to version 12.0.1.609 of the RealPlayer plug-in, which is the latest version released by Real and addresses security issues on several platforms.

I've verified this is the version reported by Real Player on Windows XP and Vista. If you happen to have RealPlayer Enterprise or Mac RealPlayer or Linux RealPlayer, and you are at the latest version, please let me know what version SecBrowsing detects for you, if any.

Friday, December 10, 2010

New Quicktime security update

Apple released version 7.6.9 with a number of security fixes for Windows and for Mac OS X 10.5.8 or earlier. No fix is available for Mac OS X 10.6 yet.

Secbrowsing was just updated to point to version 7.6.9 for Windows users.

Saturday, December 4, 2010

Chrome's Flash sandbox

On Dec 1, 2010, Google developers Justin Schuh and Carlos Pizano announced the release of the first iteration of the security sandbox for the Adobe Flash plugin in Google Chrome (for Windows). It's currently on the dev-channel of Chrome, which is an unstable build targeted at users who like to browse on the edge.

How the security sandbox works

One of the basic abstractions the operating system provides is the process. A process has its own memory (its own address space), and it is a concept familiar even to end users: on Windows, Ctrl-Alt-Delete gets you to Task Manager, which lists (some of) the running processes and lets you "kill" one you think is misbehaving. Bugs and crashes in one process do not (usually) affect other processes.

Chrome uses multiple processes: one for the browser (networking, cache, cookies, bookmarks, sync, among others), one renderer per tab, roughly speaking (HTML, CSS and JavaScript parsing, JavaScript execution, and the actual rendering of the page on screen), and one per plug-in such as Java or Flash.

Multiple processes in Chrome. 1 for the browser, 1 for Flash, and 1 per tab.


The immediate benefit is that a crash or a slowdown in one renderer does not slow down the other renderers or the main browser process. In addition, the split can be used to improve security: the browser asks the operating system to restrict what a process may access on the machine.

For example, the tab renderer processes are not allowed to read from or write to the disk or the network. They may only talk to the browser process and ask it to fetch resources (images, HTML, etc.) on their behalf.

Traditionally, browser plugins have not been restricted in what they can access. Plugins were adopted precisely because they provide access to things the browser itself did not offer, such as video rendering, the webcam, or raw network access. So most plugins need the filesystem and the network, which makes them a security concern: many plugins have a long history of vulnerabilities, and taking over a plugin that has unrestricted access to disk and network means an attacker can easily make it download malware and store it on the machine.

This is exactly what the plugin sandbox tries to stop. I'm looking forward to the release of the Flash sandbox in the stable version, in all operating systems, and in other browsers such as Firefox.
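To make the brokering idea concrete, here is a small added example (not Chrome's code) in Python for Unix systems. It forks a child that plays the renderer, uses the file-descriptor limit (RLIMIT_NOFILE set to 0) as a stand-in for the restricted tokens and job objects Chrome applies on Windows so that every new open() or socket() in the child fails, and then shows the child still obtaining a file through the parent, which applies an allowlist and does the I/O itself. The allowlist, the sample paths and the one-line request protocol are made up for the illustration.

```python
"""Toy model of a brokered sandbox, added as an illustration (not Chrome's code).
A forked "renderer" child is cut off from the disk and the network by the
operating system, yet still gets resources by asking the parent ("browser",
acting as broker) over pipes that were opened before the cut-off.
The restriction used here, RLIMIT_NOFILE = 0, is a stand-in for the restricted
tokens and job objects Chrome uses on Windows. Unix only (fork, setrlimit).
"""
import errno
import json
import os
import resource
import socket

# Constructed broker policy: the only path the child may obtain through us.
BROKER_ALLOWLIST = frozenset({os.devnull})


def _errname(exc: OSError) -> str:
    return errno.errorcode.get(exc.errno, str(exc.errno))


def _sandboxed_child(req_w: int, resp_r: int) -> None:
    """Runs in the forked child and never returns (exits via os._exit)."""
    report = {}
    try:
        # The "sandbox": no new file descriptors may be created, so every
        # open()/socket() from now on fails with EMFILE. Existing fds keep working.
        _soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
        resource.setrlimit(resource.RLIMIT_NOFILE, (0, hard))

        try:                                    # direct disk access
            with open(os.devnull, "rb"):
                pass
            report["direct_file"] = "opened"
        except OSError as exc:
            report["direct_file"] = _errname(exc)

        try:                                    # direct network access
            socket.socket().close()
            report["direct_socket"] = "opened"
        except OSError as exc:
            report["direct_socket"] = _errname(exc)

        # Brokered access: ask the parent, which applies its policy and does the
        # I/O on our behalf. One request, one reply, over the pre-opened pipes.
        for label, path in (("allowed", os.devnull), ("denied", "/etc/passwd")):
            os.write(req_w, f"GET {path}\n".encode())
            report["broker_" + label] = os.read(resp_r, 4096).decode().strip()

        os.write(req_w, b"RESULT " + json.dumps(report).encode() + b"\n")
    finally:
        os._exit(0)


def run_sandbox_demo() -> dict:
    """Fork the sandboxed child, serve as its broker, return what the child saw."""
    req_r, req_w = os.pipe()      # child -> broker
    resp_r, resp_w = os.pipe()    # broker -> child
    pid = os.fork()
    if pid == 0:
        os.close(req_r)
        os.close(resp_w)
        _sandboxed_child(req_w, resp_r)
    os.close(req_w)
    os.close(resp_r)

    report = {}
    while True:
        msg = os.read(req_r, 65536)
        if not msg:                # child exited; its end of the pipe is closed
            break
        text = msg.decode()
        if text.startswith("GET "):
            path = text[4:].strip()
            if path in BROKER_ALLOWLIST:
                with open(path, "rb") as fh:   # the broker holds the privilege
                    reply = f"OK {len(fh.read())} bytes"
            else:
                reply = "DENIED"
            os.write(resp_w, reply.encode())
        elif text.startswith("RESULT "):
            report = json.loads(text[7:])
    os.close(req_r)
    os.close(resp_w)
    _pid, status = os.waitpid(pid, 0)
    report["child_exit"] = os.WEXITSTATUS(status)
    return report


if __name__ == "__main__":
    for key, value in run_sandbox_demo().items():
        print(f"{key:14} {value}")
```

Run directly, the report shows EMFILE for both direct attempts, an OK reply for the allowed path and DENIED for the other. The property worth noticing is the one the Chrome sandbox relies on: the restriction is enforced by the kernel rather than by the child's good behaviour, so a compromised child can only reach the resources the broker chooses to hand over.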

Update: Google released a nice video that explains the sandbox as well as the importance of updating the plugins:

Saturday, November 6, 2010

Flash 10.1.102 released

Adobe Flash 10.1.102 was released on Nov 4, 2010: http://www.adobe.com/support/security/bulletins/apsb10-26.html. Google Chrome was also updated to ship the new bundled Flash.

A number of vulnerabilities were fixed, at least one of which was reportedly used by malicious websites to install malware.

SecBrowsing was updated to point to the latest version.

Updating Flash

If your Flash version in Chrome is out-of-date, one of a few things could be happening:

  • You have not restarted Chrome in a while. If you just restart, you should get the latest version.
  • You are on the beta or the developer channel. If you don't know what this is, you are probably not on them. If you are, please wait a few days. Chrome will ask you to update itself. Sometimes Flash for dev channel is released a few days later than stable.
  • You are not using the bundled Flash plugin that ships with Chrome. Type "about:plugins" in the address bar and click "Details" at the top right. Find the Flash entries, and enable the bundled Flash, which is typically the most up-to-date.

If you also use Flash in Firefox or Safari, note that Chrome's bundled copy does not update the system-wide plugin those browsers use: open one of them and get the latest version at http://get.adobe.com/flashplayer/.

Resources:
Chrome bundling Flash: http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html

Thursday, October 28, 2010

Protect yourself against new Flash and Reader zero-day.

Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you can do until then:

Flash
Reader

Advisory at
http://www.adobe.com/support/security/advisories/apsa10-05.html

Shockwave for Director 11.5.9.615

A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version, 11.5.9.615.

http://www.adobe.com/support/security/bulletins/apsb10-25.html

Thursday, October 21, 2010

New RealPlayer vulnerabilities and versions

The open question is: how can either a website, or even the browser itself, detect whether the installed RealPlayer version is vulnerable?


I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time:

http://service.real.com/realplayer/security/10152010_player/en/

If you can help me understand it, I'd be grateful!

My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.

Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now

There's a zero-day vulnerability with sample exploit code available. In the past, that has usually led to active exploits within a few days.

The only defense right now is to disable Shockwave:
  • Type about:plugins, hit enter.
  • Find "Shockwave for Director" (no, not Shockwave Flash)
  • If you can't find it, good! Otherwise, click "Disable".
Adobe has released an advisory, but there's no patch to download yet:
http://www.adobe.com/support/security/advisories/apsa10-04.html

In a previous post I was counting over 1 vulnerability per week:
http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html

In an even older post I tried to answer some common questions such as "What is Shockwave for Director?"
http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html

Monday, October 18, 2010

Java 6u22 released

The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

SecBrowsing was updated to warn if you are running a vulnerable version.

Thursday, October 7, 2010

Adobe reader 9.4.0 released

SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at http://get.adobe.com/reader/.

Many security vulnerabilities were fixed. The advisory from Adobe is available here: http://goo.gl/RCiD.

Tuesday, September 21, 2010

Adobe Flash Player version 10.1.85

On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.
SecBrowsing has been warning users since. Note that Chrome updates the bundled Flash plugin automatically; all you have to do is restart the browser.

The security advisory from Adobe is available at http://www.adobe.com/support/security/bulletins/apsb10-22.html

Thursday, September 16, 2010

Apple Quicktime 7.6.8 for Windows

Apple Quicktime 7.6.8 was released yesterday. You can get it at http://www.apple.com/quicktime/download/

The release notes are here: http://support.apple.com/kb/HT4339. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.

Metasploit has been hosting sample exploit code for 17 days now.

Monday, September 13, 2010

Adobe Flash zero-day vulnerability under attack

This report from ZDnet covers an Adobe Flash zero-day, labelled CVE-2010-2884.

Adobe's advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html

Is there any way to protect yourself against this without blocking Flash, until you get the update (due Sept 27)?  I would try the --safe-plugins option, which runs all your plugins in a sandbox. It could break some features, like Flash might not be able to access your webcam or microphone anymore. If I get the chance I'll try this out and let you know if anything breaks.

Note that as of today, Sept 13, virtually all web users are vulnerable to zero-day exploits for 3 different browser plugins, for which no fix is available:

Friday, September 10, 2010

Get click-to-play on unsandboxed plugins

It seems that the latest developer version of Chrome (7.0.517.0) adds an option to auto-run plugins that are sandboxed and to prompt for all the others.

It can be enabled from the Tools menu: "Preferences", "Under the hood", "Content settings". Under "Plug-ins", select "Allow only sandboxed plug-ins".



Then, embedded objects that require a plug-in to run will be replaced with a button. There's also an infobar that lets you enable the plug-in for the whole page.




Quicktime 7.6.7 zero-day exploits in the wild

QuickTime's latest version (7.6.7) is currently being exploited through a publicly known bug. All IE users on Windows are affected. The majority of the readers of this blog are Chrome users (since most of you come here via the Chrome extension), but, for completeness, I thought I'd write about this. There's no fix yet, so the only way to keep yourself safe is to disable the QuickTime plug-in in IE.

References: http://www.securecomputing.net.au/News/231511,active-exploits-targeting-apple-quicktime-zero-day.aspx?eid=7&edate=20100909&eaddr=

Wednesday, September 8, 2010

Protect yourself against today's (and future) PDF zero-days

Three months after the previous PDF zero-day on June 4, and three weeks after a round of critical security fixes, Adobe advises of a new zero-day that is being actively exploited. "Zero-day" means that even if you have the latest version of Adobe Reader (9.3.4), there are sites out there that can hack you. A lot of users are affected (86% of Chrome users, for example, have the Adobe Reader plugin).

"Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date." Brian Krebs, however, points out that only 1/4 of the virus scanners catch this. My recommendations for viewing PDF files:
  1. [do this first] Disable the Adobe Reader plugin in your browser
  2. You'll still be able to view PDF files! When you encounter a PDF file that you trust is safe to view, you can do the following:

Friday, September 3, 2010

Top browser plugins, and more statistics.

SecBrowsing allows users to report their plugins, by clicking on the "Send to server" button. We use the data to see if we are missing any important plugins with known security vulnerabilities. In this post, I've aggregated the reports for 1 month, producing some hopefully interesting statistics.

How many plugins are there?
  • Over 600 plugins (including different versions of the same plugin) were reported by over 3000 users in the month of Aug 2010. That by itself was interesting to me.

How many plugins does a user have?
  • 50% of the users reported over 20 plugins. (This is the median. The average is 21 plugins.)
  • 25% of the users reported over 26 plugins.
  • 5% of the users reported over 30 plugins.
  • One user reported 52 plugins! 

Note that some plugins are reported multiple times: Java is reported twice, Realplayer 2-3 times, and Quicktime on Windows is reported 7 times. So the number of unique plugins is probably around 10 on average.



The most popular plugins
  • 38 plugins were reported by over 10% of the 3000 users.

They are listed here - after dropping some plug-ins that come bundled with Chrome.

  • 98%  Shockwave Flash
  • 83%  Silverlight Plug-In
  • 78%  Adobe Acrobat
  • 66%  QuickTime Plug-in
  • 61%  Microsoft® DRM
  • 45%  iTunes Application Detector
  • 44%  Windows Presentation Foundation
  • 42%  Google Earth Plugin
  • 39%  Picasa
  • 38%  Java(TM) Platform SE 6 U21
  • 36%  Microsoft® Windows Media Player Firefox Plugin
  • 31%  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)
  • 31%  Windows Live® Photo Gallery
  • 31%  Microsoft Office 2010
  • 28%  Java Deployment Toolkit 6.0.210.7
  • 26%  Shockwave for Director
  • 25%  Windows Media Player Plug-in Dynamic Link Library
  • 20%  Microsoft Office Live Plug-in for Firefox
  • 18%  DivX Web Player
  • 16%  Chrome IE Tab
  • 15%  VLC Multimedia Plug-in
  • 14%  2007 Microsoft Office system
  • 10%  Cooliris



Note: Cooliris and Chrome IE Tab are extensions that bundle NPAPI plugins. The rest are system-wide NPAPI plugins.

Friday, August 27, 2010

RealPlayer 6.0.12.775 fixes various vulnerabilities.

Today there's a new version of RealPlayer that fixes a bunch of critical vulnerabilities. The latest version is 6.0.12.775, although it's not always straightforward to tell which version you have. One of the vulnerabilities is CVE-2010-2996, which was fixed today but was reported 16 months ago:
  • 2009-04-15 - Vulnerability reported to vendor
  • 2010-08-26 - Coordinated public release of advisory
Overall, the vulnerabilities fixed in this version are:
SecBrowsing can help you get the latest version. Disabling the plugin is also an option.

Tuesday, August 24, 2010

Shockwave plugin v11.5.8, fixes 20 vulnerabilities from the past 15 weeks.

Adobe has released a new version of the Shockwave plugin today, Aug 24, 2010, that fixes 20 critical vulnerabilities in the plug-in: http://www.adobe.com/support/security/bulletins/apsb10-20.html. That's more than one vulnerability per week since the last update of this plugin on May 11, 2010, just 15 weeks ago. In a previous post we have some answers to common questions such as "What is Shockwave?"

Here's a timeline of the vulnerability reports that went into the latest release:
  • May 11, 2010: 
    • Shockwave 11.5.7 is released
  • Unknown date: As of Aug 24, I could not find details for these vulnerability reports: 
    • CVE-2010-2863
    • CVE-2010-2864
    • CVE-2010-2865
    • CVE-2010-2868
    • CVE-2010-2869
    • CVE-2010-2880
    • CVE-2010-2881
    • CVE-2010-2882
  • May 27, 2010
    • CVE-2010-2866
    • CVE-2010-2867
    • CVE-2010-2870 example 
  • Jun 30, 2010
    • CVE-2010-2871
    • CVE-2010-2872
    • CVE-2010-2873
    • CVE-2010-2874 example
  • Jul 7, 2010
  • Jul 20, 2010: 
  • Aug 11, 2010:  
    • CVE-2010-2877
    • CVE-2010-2878
    • CVE-2010-2879 example
  • Aug 24, 2010: 
    • Shockwave 11.5.8 is released
In this release, the plugin correctly identifies itself as v11.5.8 in JavaScript, so SecBrowsing will start warning about Shockwave again; once you update, the warning will go away.
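Detecting the installed version is the same problem for every plug-in on this page, from the RealPlayer question in the October post to the duplicate entries in the August statistics. Below is an added example (not SecBrowsing's own code, which runs as JavaScript inside the extension) in Python that applies the same logic to constructed records shaped like navigator.plugins entries (name, description, filename): it recognises the plug-in family, pulls the version out of the text when one is exposed, collapses duplicate entries to the oldest copy, and compares against the fixed versions named on this page. The sample records, the regular expressions and the field layout are assumptions made for the illustration.

```python
"""Plug-in version audit, added as an example (not SecBrowsing's own code).
The records mirror the name/description/filename fields a browser exposes via
navigator.plugins. FIXED_IN holds the fixed releases this page cites (Dec 2010).
"""
import re

FIXED_IN = {
    "flash":      "10.1.102",
    "shockwave":  "11.5.9.615",
    "java":       "6u22",            # Oracle's notation for Java SE 6 Update 22
    "quicktime":  "7.6.9",
    "reader":     "9.4.0",
    "realplayer": "12.0.1.609",
}

# (family, regex recognising the family in "name description",
#  regex locating the version inside that text, when the plug-in exposes one)
FAMILIES = [
    ("flash",      r"^Shockwave Flash\b",      r"\d+\.\d+ r\d+"),
    ("shockwave",  r"Shockwave for Director",  r"version \d+(?:\.\d+)+"),
    ("java",       r"^Java\(TM\) Platform SE", r"SE \d+ U\d+"),
    ("quicktime",  r"^QuickTime Plug-in",      r"\d+(?:\.\d+)+"),
    ("reader",     r"^Adobe Acrobat\b",        r"\d+(?:\.\d+)+"),
    ("realplayer", r"^RealPlayer",             r"\d+(?:\.\d+)+"),
]

# Constructed sample of a late-2010 Windows navigator.plugins list: two copies
# of Flash, a duplicated QuickTime entry, and a RealPlayer entry with no version.
SAMPLE_PLUGINS = [
    {"name": "Shockwave Flash", "description": "Shockwave Flash 10.1 r82", "filename": "NPSWF32.dll"},
    {"name": "Shockwave Flash", "description": "Shockwave Flash 10.1 r102", "filename": "gcswf32.dll"},
    {"name": "Java(TM) Platform SE 6 U21",
     "description": "Next Generation Java Plug-in 1.6.0_21 for Mozilla browsers", "filename": "npjp2.dll"},
    {"name": "QuickTime Plug-in 7.6.9", "description": "QuickTime content in web pages", "filename": "npqtplugin.dll"},
    {"name": "QuickTime Plug-in 7.6.9", "description": "QuickTime content in web pages", "filename": "npqtplugin2.dll"},
    {"name": "Adobe Shockwave for Director Netscape plug-in, version 11.5.9.615",
     "description": "Adobe Shockwave for Director Netscape plug-in, version 11.5.9.615", "filename": "np32dsw.dll"},
    {"name": "Adobe Acrobat", "description": 'Adobe PDF Plug-In For Firefox and Netscape "9.3.4"', "filename": "nppdf32.dll"},
    {"name": "RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)",
     "description": "RealPlayer(tm) LiveConnect-Enabled Plug-In", "filename": "nppl3260.dll"},
    {"name": "Chrome PDF Viewer", "description": "", "filename": "pdf.dll"},
]


def version_tuple(text: str) -> tuple:
    """'10.1 r82' -> (10, 1, 82); '6u22' -> (6, 22); '11.5.9.615' -> (11, 5, 9, 615)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def detect(plugin: dict):
    """Classify one record: (family, version tuple or None if the plug-in exposes
    no version), or None for plug-ins this audit does not track."""
    text = f"{plugin.get('name', '')} {plugin.get('description', '')}"
    for family, family_re, version_re in FAMILIES:
        if re.search(family_re, text):
            match = re.search(version_re, text)
            return family, (version_tuple(match.group(0)) if match else None)
    return None


def at_least(installed: tuple, required: tuple) -> bool:
    """Compare tuples of unequal length by right-padding with zeros, so that
    9.4 counts as equal to 9.4.0 rather than older."""
    width = max(len(installed), len(required))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(required)


def audit_plugins(plugins) -> dict:
    """Reduce a navigator.plugins-style list to one verdict per plug-in family."""
    seen = {}
    for plugin in plugins:
        hit = detect(plugin)
        if hit is not None:
            seen.setdefault(hit[0], []).append(hit[1])

    report = {}
    for family, versions in seen.items():
        required = version_tuple(FIXED_IN[family])
        known = [v for v in versions if v is not None]
        if not known:
            installed, status = None, "unknown"   # e.g. RealPlayer: nothing to compare
        else:
            installed = min(known)   # several copies: the browser may load any, judge by the oldest
            status = "ok" if at_least(installed, required) else "out_of_date"
        report[family] = {"installed": installed, "fixed_in": required, "status": status}
    return report


if __name__ == "__main__":
    for family, verdict in audit_plugins(SAMPLE_PLUGINS).items():
        print(f"{family:11} {verdict['status']:12} installed={verdict['installed']} fixed_in={verdict['fixed_in']}")
```

The "unknown" verdict is the honest answer to the RealPlayer question: when the plug-in exposes no version string, neither a page nor the extension can tell a patched copy from a vulnerable one, which is why the blog's fallback advice for such plug-ins is to disable them.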


---
Why update and disable plugins?
Exploits in the browser and its plugins are the most common way people's computers get malware. It happens simply by browsing to a site, without any user interaction. It can be triggered by
  • Randomly browsing the web, landing on a site that has been hacked.
  • Browsing a site that runs a malicious banner ad. The ad only needs to run for a few minutes on a popular site to get thousands of people infected.
  • Following a URL sent by a friend, whose email/IM account was compromised. This can also be a targeted attack against your organization.
Most plugins have a really bad security history, and are not required by most websites. Disabling them is often a good option.

Sunday, August 22, 2010

Chrome's bundled Flash results in much faster update

Chrome's bundling of Flash resulted in a dramatic drop of out-of-date users after the latest update, according to our stats.

On Aug 10, 2010, Adobe released a security update for Flash. On the same day, Chrome shipped the security update to the bundled Flash plugin as well. SecBrowsing started warning about the new version of Flash, as well as the new version of the Quicktime plugin (7.6.7) on Aug 13, 2010.

We compared the number of users with up-to-date Flash, as well as the traffic to our site around the past two releases of Flash (10.1.82 on Aug 10 and 10.1.53 on June 10), and the difference is significant in both cases.

Visitors with out-of-date Flash


Graph 1: Percentage of users running out-of-date Flash on the last two security releases. For the latest release, within 2 days, fewer than 30% of Chrome users were running an out-of-date Flash.  In comparison, it took 14 days for this to happen in the previous release.

Total visitors

This method is less accurate, because many visitors came to the site because of either Flash or QuickTime (see below), but the results are still significantly different than before.



Graph 2: The relative traffic to our site around the two releases of Flash. For the first release (10.1.53), it took 16 days for traffic to come down to within 25% of normal, but for the latest one (10.1.82), only 6 days. This would have been even lower had there not been a QuickTime update at about the same time (about 40% of Chrome users also have QuickTime installed).


Notes

We track visits to http://secbrowsing.appspot.com/. 98% of the website's traffic is "direct", i.e. from users of the SecBrowsing extension (when the extension shows a warning, users click on the "red plugin" which brings them to the website). Neither the website nor the extension track the visitors' plugins, with the exception of Flash, which is tracked by Google Analytics by default. (tip: you can try to reproduce Graph 1 on your site, if you use Google Analytics).

The traffic to the site is very steady, except when a new plugin version is released. About 50% of visitors are new and 50% are returning, and this ratio has remained stable since the beginning of 2010.



Disclaimer
I work on Google's Security team -- the views expressed on this blog are personal. 

Thursday, August 19, 2010

How to update Adobe Reader

Update, Sept 10: Download the latest version of Adobe Reader (9.3.4) here.

Usually SecBrowsing links to the installer of the latest version for vulnerable plugins. However, the latest version of Adobe Reader (9.3.4) will not be available as a direct download until August 31, 2010.

Meanwhile, please update your Reader plugin, using one of the following two options:

Trigger an update yourself:
  • Open Adobe Reader 
    • Start -> All Applications -> Adobe Reader -> Adobe Reader
  • Click on the "Help" menu
  • Click on the "Check for Updates" menu item.
Or, download the incremental patch for 9.3.3:
  • Download the incremental patch (9.3.3 to 9.3.4) here
  • Install the incremental patch by running it directly.
  • If your current version of Adobe Reader is older than 9.3.3, you need to download and install 9.3.3 first from http://get.adobe.com/reader/
All versions of Adobe Reader 9.3.3 (and earlier versions) have critical vulnerabilities: http://www.adobe.com/support/security/bulletins/apsb10-17.html.

Comments and questions are welcome as always.

Monday, August 16, 2010

On Backward compatibility and security bugs

One of the 6 critical vulnerabilities reported on Aug 12, 2010 for Adobe Flash is CVE-2010-0209. US-CERT shares some interesting details:

Adobe Flash supports two main types of ActionScript, which is the scripting language for Flash. ActionScript 3.0 is supported by the ActionScript Virtual Machine 2 (AVM2), while previous versions are supported by the ActionScript Virtual Machine 1 (AVM1). Flash 9 and later provide both AVM versions for compatibility with both ActionScript varieties. The AVM1 implementation provided with Flash 10.1 contains a vulnerability...


Backward compatibility is the source of the security bug in this case: if the developers only had to maintain AVM2, this bug would not have existed. Backward compatibility appears to be a common source of security problems. In the first chapter of the book Beautiful Security, the author explains how developers' psychology often leads them to overlook the security of functionality that is only there for backward compatibility. In some cases, it's also just the accumulation of code: more code means more bugs, simply because the rate at which developers produce bugs is pretty much constant.

Some more examples
In general, supporting old formats is just a source of more security bugs, even if, in theory, the libraries that handle these old formats have matured. CVE-2010-0041 and CVE-2010-0042 from a recent iOS vulnerability report are caused by the libraries handling BMP and TIFF images respectively. Another vulnerability in Adobe Reader for Windows, Mac and Unix (CVE-2010-0188) was again related to how Adobe Reader handles TIFF images.

Browser plugins
In a sense, a lot of the web browser plugins today are still around for backward compatibility. Many websites were built to stream audio or video with RealPlayer, Windows Media Player, or Quicktime. These days, most websites use Flash instead. 

In the new operating systems that have been introduced in the past 3 years, such as Apple's iOS, Android and ChromeOS, browser plugins are either completely unsupported or there is only limited support for them. You are probably familiar with the Apple/Adobe debate on Flash on iOS, and that Android, Chrome and ChromeOS support/bundle Flash. 

No matter what your position is on Flash's role on the web today, if you take Flash out of the picture, there is very low demand for porting the traditional plugins (Java, Windows Media, Shockwave, RealPlayer, DivX, Silverlight, Quicktime) to the modern OSes. Either via native apps, or by means of HTML5, services find ways to reach their audiences. 

Backward compatibility is everywhere
Old code (by definition) accumulates as time goes on. Why do Adobe Reader and iOS have support for TIFF, a standard first developed in the 1980s? Probably because nobody was encouraged to take the time to analyze its (lack of) usage, and support a case that it should no longer be supported. 
Even if your iOS, Android or future ChromeOS device is in theory a brand new OS, it is bundling code that's quite old, and is only getting older.

If you are a developer, think about dropping features that are only there for backward compatibility. Try to make the case that nobody uses them. My favorite argument is that, once we drop them, if users need them, they'll ask for them. How many iPhone users would complain if their browser could not render BMP images? And out of the myriad feature requests for the iPhone, how high would this complaint rank?

If you can't eliminate old features, can you make them load on-demand? Maybe the user needs to run the program with a different configuration in order to get the old features. This way, you can protect the majority of users and still support the minority's needs. How many Flash movies run only on AVM1? Is it mostly sites built in 1995, and are these movies mostly their "intros"? In that case, disabling AVM1 could be thought of as a pretty good feature, actually :). 

As a user, take a minute and uninstall old software, old plug-ins and old browsers from your system. And keep the rest up-to-date with security updates.

Friday, August 13, 2010

Quicktime 7.6.7 security update for Windows

For the 39% of Chrome users on Windows who have the QuickTime plug-in installed, it's time to update: version 7.6.7 fixes a critical security problem that lets any website take over your machine: http://support.apple.com/kb/HT4290

Download the latest version here http://www.apple.com/quicktime/download/ (no, don't give them your email, it's not required).

Or just disable the plugin and only enable it on pages you trust to show you Quicktime movies. Why have arbitrary pages including arbitrary third-party widgets attempt to show you (potentially malicious) movies?

The SecBrowsing page and our Chrome extension are already warning users with vulnerable versions. Chrome's "about:plugins" page should also show a warning, soon (Chrome beta, v6 and later).

Update: I expect this to be exploited pretty soon, as Metasploit has released sample exploit code already.

Monday, July 26, 2010

Google on browser and plugin attacks and defenses

Chris Evans of Google presented a talk on browser and plugin attacks. Ian Fette (also of Google) talked about the blacklisting approach and its value in browser security in the same talk (at 30:00).

Some interesting highlights:
  • The plugin distribution for users of Chrome v4.1 was shared:
    • 97%: Flash
    • 86%: Adobe Reader
    • 66%: Java (only 14% were fully up to date)
    • 53%: Windows Media Player
    • 49%: Silverlight Plug-in
    • 39%: Quicktime Plug-in
  • The speaker has most of his plugins disabled, to reduce the vulnerability surface in his browser -- he recommends the same for users.
  • Websites can request that an old version of Java be installed on the fly, basically allowing websites to put security holes in your system that you did not have before. Java is so powerful that it's essentially impossible to sandbox, and its cross-platform capabilities mean you can write an exploit once and it will work on every OS. Only 14% of users were fully up to date with Java.
  • All browsers are working on various defenses against these attacks, including sandboxing, warning about out-of-date plugins, or bundling some plugins so they can auto-update them. Ian talks extensively about the blacklist approaches (such as Google Safe Browsing on Firefox, Safari and Chrome, and SmartScreen Filter for IE8) to mitigate against zero-days, and social engineering malware.
  • There's approximately 500,000 URLs in the Google Safe Browsing lists at any time, and the lists are delivered to hundreds of millions of users.
  • About 50% of users ignore Chrome's phishing or malware warnings, even though Google has very high confidence when it adds something to the lists, since it uses virtual machines to verify, for example, that a website is malicious.

Full video here

Friday, July 16, 2010

SecBrowsing becoming an official part of Chrome

Last month the Chrome team announced a number of security features regarding plug-ins, including the integration of the SecBrowsing features in the browser.  Here's the relevant snippet from the blog post (http://blog.chromium.org/2010/06/improving-plug-in-security.html): 
Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update).
The blog post enumerates all the current and upcoming security features in Chrome regarding plugins: 
  • More powerful plug-in controls
  • Autoupdate for Adobe Flash Player
  • Integrated, sandboxed PDF viewing
  • Protection from out-of-date plug-ins
  • Warning before running infrequently used plug-ins
  • A next generation plug-in API
As of Chrome v6.0.466.0 (developer channel as of July 15, 2010), SecBrowsing is partly integrated in Chrome. In "about:plugins", any plugins missing security updates are shown with a warning and a link to get the latest version. There is no active warning anywhere yet, but that's definitely coming up soon.

Saturday, June 19, 2010

Beyond SecBrowsing with Secunia

I've tested Secunia PSI, a free tool that scans for vulnerable software. I recommend it.

What is Secunia
It extends beyond SecBrowsing's checks for out-of-date browser plugins, and identifies known vulnerabilities in software such as media players, office, IM, Skype, and other  applications that don't run in your browser.

Why
Malicious attachments, sent over email or IM, can attack your applications. Vulnerabilities in internet-connected apps such as IM clients or Skype may allow attackers to install malware on your machine without any interaction. You really don't want to run applications with known security holes on your machine.

A review
Last week I had the chance to try it out on a PC. It took a while to scan the machine (say, about 5 minutes), but it identified various unpatched software, such as OpenOffice, Skype and VLC. In an ideal world, Secunia would also update this software for me. Or Windows would! Anyway, it looks like something is in the works already for this.

I was glad (and kind of surprised actually) to see that as soon as I was able to update a certain application, secunia picked it up immediately and even notified me that it was now up-to-date. On the downside, it took me a lot of time and effort to update all the software.

Take OpenOffice, for example. Secunia says it's unpatched, what next? Start -> Programs -> OpenOffice ... I see apps like Writer, Spreadsheets, but no "updater" or anything. I took an educated guess and opened one of the applications (Writer). Help -> Check for Updates ... yes, that's it. 20 minutes later or so it has downloaded and installed the new version. Why so slow!

In any case, Secunia also has links to their forum, I'm sure they explain how to update your applications. Or maybe you can Google it. Auto-update sure sounds exciting.

I installed Secunia on my brother's machine, hoping he will act upon the warnings. I told my father to install it too, but I really really doubt he can act upon the warnings. It all boils down to automatic, silent updates. This should be the responsibility of the Operating System (Ubuntu, Android, iPhone OS all do this, to a certain degree), but not OS X or Windows, which makes third-party apps such as Secunia essential.

So Windows users, try out Secunia.

Thursday, June 17, 2010

Latest Chrome brings sandboxed, auto-updated PDF support

With the latest Chrome version (developer channel for Windows and Mac for now: http://dev.chromium.org/getting-involved/dev-channel) Chrome provides native support for rendering PDF documents in a seamless, and more importantly, secure way: http://blog.chromium.org/2010/06/bringing-improved-pdf-support-to-google.html


According to the blogpost, PDF rendering will be contained within the security sandbox Chrome uses for web page rendering. Users will automatically receive the latest version of Chrome’s PDF support; they won’t have to worry about manually updating any plug-ins or programs.

The plug-in can be enabled by going to chrome://plugins/ and clicking on "Enable" for the "Chrome PDF Viewer" plug-in. While you are at it, I would recommend you disable any other PDF plugins.

Friday, June 11, 2010

Quicktime warnings on Mac Snow Leopard (10.6)

Executive summary: If you have Snow Leopard and Quicktime < 7.6.6, upgrade your OS to 10.6.3.

We've had quite a few reports on our extension homepage about Quicktime X, which is available only for Mac OS 10.6, and its incompatibility with Quicktime 7. The solution we offer (a link to download the latest version of Quicktime) is problematic.

A user reports:
Secbrowsing keeps telling me that I need to update my quicktime plugin for 7.6.3 to 7.6.4 though 7.6.4 is not available for my operating system OSX 10.6 (Snow Leopard).
One of our users has even shared a screenshot with us:



There's very little documentation about this on the web, so I thought I'd write something down about potential workarounds.

It seems like in 10.6.3, Quicktime 7 (and X) is bundled with the OS. This creates confusion when there's a security fix for Quicktime 7, but no apparent way to get the new version in OS 10.6.

I have not investigated previous security fixes (7.6.4, 7.6.5), but I have investigated 7.6.6:

The security fixes in 7.6.6 also went into the security fix for Snow Leopard: 10.6.3 http://support.apple.com/kb/HT4077. I've also verified that a newly bought 10.6 laptop reports "Quicktime 7.6.6" as a plugin in Chrome and Firefox. So if you have 7.6.5 or 7.6.3 or earlier on Snow Leopard, you can only get 7.6.6 by installing the Snow Leopard security updates.

Thursday, June 10, 2010

Security Update: Flash 10.1 r53

http://secbrowsing.appspot.com/ was just updated to point to version 10.1 r53, which fixes several critical security vulnerabilities.

Saturday, May 15, 2010

How to update / disable / uninstall Shockwave for Director

On Aug 24, 2010 a new set of critical vulnerabilities was fixed for Shockwave for Director. [http://www.adobe.com/support/security/bulletins/apsb10-20.html].
To Update Shockwave for Director:
  • You can download the latest version at http://get.adobe.com/shockwave/
  • The latest version is 11.5.8, and SecBrowsing can now detect this version accurately.
To disable Shockwave for Director:
On all platforms, in Google Chrome, you can disable the plugin:
  • Type "about:plugins" (without the quotes) in your browser window
  • Click "disable" on the plugin named "Adobe Shockwave for Director" (not Flash)
To uninstall Shockwave for Director:
Windows:
  • Control Panel
  • Add/Remove Programs
  • Find Shockwave for Director (not Flash) and uninstall it. If you have an "ActiveX" and a "plugin" it's because they ship two different products, one for IE and one for Firefox/Chrome, so remove them both.
Mac:
  • The installer also contains the uninstaller: 
  • Save the uninstaller to your desktop and launch it (Shockwave_Uninstaller)
Some common questions I get asked about Shockwave:
  • Do I have Shockwave for Director?
    • Probably. According to Adobe, over "450 million desktops have installed Adobe Shockwave Player".
  • Is Shockwave the same as Flash?
    • No. Adobe Flash is what we all know as Flash. Adobe Shockwave Player or Shockwave for Director is something else - completely unrelated.
  • If I uninstall Shockwave, will my browsing experience be affected?
    • Probably not, for the most part. See the discussion below from users who list a few sites that require Shockwave.
  • Why does SecBrowsing keep telling me my Shockwave is out of date? I'm sure I just updated it.
    • This is no longer the case as of 11.5.8. Please restart your browser, and the warning will go away.

Friday, April 23, 2010

Providing Warnings for Adobe Acrobat

We've recently started tracking version information for Adobe Reader. Versions before 9.3.2 did not export their version number, so it was difficult to tell if the installed plugin was out-of-date or not. This means that if you're running a version of Reader older than 9.3.2 and using our Chrome Extension, you'll see an out-of-date message.

As mentioned in a previous post, older versions of Adobe Reader have critical security problems. Please download and install the newest version from http://get.adobe.com/reader. Note that you may need to launch Reader and run the Updater manually to force the upgrade from 9.3.0 to 9.3.2.

Friday, April 16, 2010

New Security Problems in Adobe Reader, new version.

According to a new security bulletin by Adobe, there are critical security problems in Adobe Reader, and you should update immediately to Adobe Reader 9.3.2 or 8.2.2.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
http://get.adobe.com/reader/.

A Java vulnerability & update

Yesterday, Oracle announced a new update for Java which fixes the serious vulnerabilities announced earlier this month. All Java versions prior to version 6 U20 are vulnerable and are being exploited in the wild.

Friday, April 2, 2010

New QuickTime and Java vulnerabilities & updates

Yesterday, Apple announced multiple vulnerabilities in QuickTime and provided a new update (7.6.6). This update fixes vulnerabilities which "may lead to an unexpected application termination or arbitrary code execution". For more information see Apple's announcement: http://support.apple.com/kb/HT4104.

Oracle also announced that it found and fixed 27 new security-related bugs in the newest version of Java (6 U19). From Oracle's website: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products." For more information see: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

We have updated SecBrowsing to warn users that run earlier, vulnerable versions of the QuickTime and Java plugins in their browser.

Thursday, March 11, 2010

How to disable plugins in Chrome

Disable specific plugins
1. Type "about:plugins" in the address bar of Chrome, and hit enter.
2. In the list of plugins that appears, disable the ones you don't recognize or need.

[Advanced] Disable all plugins, and allow specific sites only
1. Click the Tools (wrench) menu.
2. Options.
3. Under the Hood.
4. Content settings in the "Privacy" section.
5. Plug-ins tab.
6. Select "Do not allow any site to use plug-ins." You can make exceptions for specific websites by clicking Exceptions.
7. Click Close to save your setting.

Thursday, February 18, 2010

New Adobe Reader vulnerability, open Adobe Reader -> Help -> Update.

Quoting http://www.adobe.com/support/security/bulletins/apsb10-07.html

A critical vulnerability has been identified in Adobe Reader 9.3 and Acrobat 9.3 for Windows, Macintosh and UNIX, [...] As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users [...] update to Adobe Reader 9.3.1.

Note that this allows any website you visit to take over your machine; you don't have to open a bad PDF file that was emailed to you, because websites embed evil PDFs all the time (especially hacked websites).

SecBrowsing does not track Adobe Reader yet because its version is not exposed in the browser. So please go ahead and update Adobe Reader manually:
• Launch Adobe Reader
• Help
• Check for Updates

Thursday, February 11, 2010

New Flash player vulnerability, v10.0.45.2 released

Quoting Adobe Security Bulletin,
a critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2

I think this translates to "any website with a malicious flash object can make requests to websites with private information such as email, bank accounts etc". I might be wrong. But unauthorized cross-domain requests are not good. At least the vulnerability does not allow arbitrary code execution, but these days, if you can take over the browser, you are almost as good as taking over the machine itself.

Secbrowsing points to version 10.0.45.2.

Friday, February 5, 2010

New Chrome extension hides the icon if all is good.

The most requested feature for our Chrome extension was to hide the icon if all was good. Today Noe pushed a version of the extension that does that. The icon moved from the toolbar into the address bar. It's a bit less visible, but it does not take up valuable space if you are up-to-date.

Important: If you don't see any icon, do not worry: You are up-to-date.
If you want to verify that SecBrowsing is installed, click wrench > Extensions.

Here's how it looks if you have an out-of-date plugin:

As always, click on the red icon to get to http://secbrowsing.appspot.com/ with directions on how to update your plugins.

Better plugin version detection thanks to Firefox 3.6

Up until a few days ago, in order to find and parse plugin versions in JavaScript one had to write a pretty complex function that also involved a lot of guesswork, as you can see in our source code.

As of Firefox 3.6, however, websites can access the plugin version in the simplest way possible:
navigator.plugins[i].version
This means SecBrowsing can use this version when available and correctly detect plugins we currently cannot, such as

• Adobe Reader
• Shockwave for Director
• RealPlayer
We can also try to get this functionality into Google Chrome, so SecBrowsing can be accurate for Chrome as well. Stay tuned.

Thursday, February 4, 2010

New Internet Explorer security vulnerability

IE users, you should visit this link and update your security settings: http://www.microsoft.com/technet/security/advisory/980088.mspx

From the bulletin:
Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location.
Which means, for example, that if you can figure out the user's user name, you can read their address book from your website: "C:\Documents and Settings\user_name\Application Data\Microsoft\Address Book\user_name.wab".

Saturday, January 30, 2010

Take a second and disable Javascript from Acrobat Reader

Secbrowsing does not yet track the versions of the Adobe Reader plugin, because Reader does not expose its version to websites. We plan to find a way to track the version soon. In the meantime, please:
• Update Acrobat Reader
• Disable Acrobat Javascript
Update Acrobat Reader
1. Launch Adobe Reader
2. Select Help > Check for Updates
3. Exit Adobe Reader
4. Repeat
You might have to repeat this process a few times if you have missed a lot of updates. Keep asking Reader to check for updates, even after it has installed some. If you have 9.1.1 and the latest version is 9.1.3 you need to run the update process twice.

Disable Acrobat Javascript

Also, please disable JavaScript for Reader. Many of the security releases of Reader fix vulnerabilities that involve its JavaScript engine.
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
More about disabling Javascript, from Adobe. HowtoGeek also has a screenshot.

Sunday, January 24, 2010

Check your plugins right within iGoogle

Aiming for the smallest iGoogle gadget ever (in terms of screen real estate), today we made SecBrowsing available for your iGoogle homepage:

Go ahead and add it to your Google homepage

Saturday, January 23, 2010

RealPlayer Versioning (and did I mention you should update it?)

RealPlayer was recently updated to address a number of vulnerabilities.

In theory the RealPlayer AutoUpdate should run and get you up-to-date, according to their privacy page: "A background update check may happen automatically and without advanced notification if RealNetworks deems a critical update is required, such as for urgent security patches and bug fixes."

In practice, if you know what realsched.exe is, and you've disabled it, you should go and update RealPlayer yourself, from the application itself or by downloading a fresh copy at Real.com.

It's not trivial, for me at least, to understand how SecBrowsing can help users identify whether they are running a vulnerable version right now. Their versioning system is quite confusing. Here's a snippet of the vulnerability report from RealPlayer for Windows:
Not vulnerable:

• RealPlayer SP 1.0.2 - 1.0.5
Vulnerable:
• RealPlayer SP 1.0.0 and 1.0.1
• RealPlayer 11 (11.0.5 and higher)
• RealPlayer 11 (11.0.1 - 11.0.4)
• RealPlayer 11 (11.0.0)
• RealPlayer 10.5 (6.0.12.1675)
• RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
• RealPlayer 10
• RealPlayer Enterprise
I downloaded a fresh copy of RealPlayer yesterday, installed it on Windows Vista, checked the reported version, and it came back as 6.0.12.448. It's not one of the reported vulnerable versions, I guess, but it's also not "greater than" them in the typical sense.

Which makes Mozilla's effort in building a Plugin Directory with version history a more viable alternative to our "latest good version" approach. Mozilla also offers APIs to this service, for other browsers to use even, which is great.

I'm still skeptical about whether we'll be able to identify all these arbitrary versions from the browsers without some help, going forward at least, from the plugin vendors.
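As an added example (not SecBrowsing's own source, nor Real's or Mozilla's code), here is how the two detection paths discussed in the Firefox 3.6 post above and the RealPlayer problem in this post fit together: read navigator.plugins[i].version when it exists, fall back to guessing from the plugin description, and then match the result against ranges transcribed from the advisory list above instead of against a single "latest good version". The navigator.plugins entries are constructed, and the 6.0.12.1741 "latest good" value used to show the naive check is a hypothetical choice.

```javascript
// Added example, not SecBrowsing's own source. Models Firefox 3.6's
// navigator.plugins[i].version with a fallback that guesses the version from
// the description or name, then checks RealPlayer builds against advisory ranges.

// "11.0.5" -> [11, 0, 5]; null when the text carries no dotted number.
function parseVersion(text) {
  const m = /(\d+(?:[._]\d+)+)/.exec(text || '');
  return m ? m[1].split(/[._]/).map(Number) : null;
}

// Component-wise comparison; a missing trailing component counts as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Prefer the exact .version (Firefox 3.6+); otherwise parse, with guesswork,
// the description or name, which is all older browsers expose.
function pluginVersion(plugin) {
  return parseVersion(plugin.version) ||
         parseVersion(plugin.description) ||
         parseVersion(plugin.name);
}

// The "latest good version" check: anything older than latestGood is flagged,
// so 6.0.12.448 is nagged against a hypothetical latest-good 6.0.12.1741.
function outOfDate(version, latestGood) {
  return compareVersions(version, latestGood) < 0;
}

// RealPlayer for Windows ranges transcribed from the advisory list above;
// max: null means "and higher". RealPlayer 10 and Enterprise give no build
// numbers there, so they cannot be encoded and fall through to 'unknown'.
const REALPLAYER_RANGES = [
  { status: 'safe',       min: [1, 0, 2],        max: [1, 0, 5] },
  { status: 'vulnerable', min: [1, 0, 0],        max: [1, 0, 1] },
  { status: 'vulnerable', min: [11, 0, 0],       max: null },
  { status: 'vulnerable', min: [6, 0, 12, 1040], max: [6, 0, 12, 1663] },
  { status: 'vulnerable', min: [6, 0, 12, 1675], max: [6, 0, 12, 1675] },
  { status: 'vulnerable', min: [6, 0, 12, 1698], max: [6, 0, 12, 1698] },
  { status: 'vulnerable', min: [6, 0, 12, 1741], max: [6, 0, 12, 1741] },
];

// Status of the first matching range, or 'unknown' when the version (such as
// the 6.0.12.448 reported on Vista) falls outside every listed range.
function classify(version, ranges) {
  if (!version) return 'unknown';
  const hit = ranges.find(r => compareVersions(version, r.min) >= 0 &&
                               (r.max === null || compareVersions(version, r.max) <= 0));
  return hit ? hit.status : 'unknown';
}

// Constructed stand-in for navigator.plugins; a real page passes the live array.
// The Flash entry has no .version, as in browsers before Firefox 3.6.
const SAMPLE_PLUGINS = [
  { name: 'RealPlayer Version Plugin', description: 'RealPlayer(tm) Plug-In', version: '6.0.12.448' },
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.0 r42' },
];
```

The point of the three-way result is that a build outside every advisory range is reported as unknown rather than as safe or out of date, which is what a version-history service can resolve and a single latest-good number cannot.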

New Shockwave security update

Brian Krebs reports on a new vulnerability, this time on Shockwave. He also describes how Shockwave is different from Flash. Here's the report from Adobe.

My personal recommendation is to actually uninstall Shockwave and just keep Flash, unless you really remember using it.

Download the latest version here

Note to SecBrowsing users
SecBrowsing was just updated to point users to version 11.5.6. Unfortunately, on Windows, the plugin still reports "11.5" as its version, so it's impossible to identify the vulnerable version (11.5.2) from the safe one (11.5.6).

Until we have a nicer way of showing users that we can't detect the version correctly, I've decided to keep pointing users to the latest version, even if they have already installed it.

If you have installed Shockwave 11.5.6 (released Jan 19, 2010), please ignore the warning, you do not need to reinstall it.

You can check your exact version on Adobe's website. If you are out-of-date, please download the latest version here.

Friday, January 22, 2010

Firefox 3.6 with Plugin Check -- and what's missing

Firefox 3.6 is out, with a link to the Firefox Plugin Check page on the "Addons -> Plugins" tool.

The Firefox Plugin Check webpage works in a very similar fashion to SecBrowsing, giving you links to download the latest versions of plugins that are old.

The plugin check is also integrated into Firefox in another way. Blair McBride explains that "Whenever you load a page that uses a plugin that is out of date, you'll get a warning". I expect this to dramatically reduce the ratio of Firefox users with out-of-date plugins.

There's a significant improvement that still remains to be done, however: notice in the screenshot how Adobe Acrobat's version is detected inside Firefox. The browser itself appears to be able to detect the plugin version. On the updater page, however, the version is not detected.

The list of plugins with unknown versions is unfortunately usually long, meaning that there are still a lot of attack vectors against the browser. Acrobat Reader in particular has been targeted a lot lately.

SecBrowsing suffers from the same issue: Reader does not expose its version to HTML pages. Deeper integration into the browser is needed for both the Firefox Plugin Check and SecBrowsing to be helpful with such plugins. I plan to post more on this in the future.

Thursday, January 21, 2010

How to secure plugins in Chrome

Google Chrome has the capability to run its plugins in its sandbox. However, that option is not enabled by default. Personally I don't agree with this choice, but read the disclaimer about how that's not the opinion of my employer.

I strongly recommend using the safe-plugins option for Chrome. Here are instructions on how to create a shortcut for a "safe chrome" on Windows:

• Copy the launcher icon (from the desktop, taskbar, or start menu)
• Paste it on the desktop, rename it if you wish.
• Right-click on the new icon, select "Properties"
• Change the target so it ends like this:
  • ...\Application\chrome.exe" --safe-plugins

Wednesday, January 20, 2010

New Silverlight version out

Latest version of the Microsoft Silverlight Plug-In: 3.0.50106.0

Release notes: http://support.microsoft.com/kb/979202

According to the notes, "this update includes functional, performance, reliability, and security improvements"; however, the particular security improvements are not described.

Get it from http://secbrowsing.appspot.com/

Tuesday, January 19, 2010

New Java out (non-security release)

Java 6 update 18 (1.6.0_18) is out.

According to the release notes, there are no security fixes in this version.

The link is available on http://secbrowsing.appspot.com/