Saturday, June 19, 2010

Beyond SecBrowsing with Secunia

I've tested Secunia PSI, a free vulnerable software manager. I recommend it.

What is Secunia
It extends beyond SecBrowsing's checks for out-of-date browser plugins, and identifies known vulnerabilities in software such as media players, office, IM, Skype, and other  applications that don't run in your browser.

Why
Malicious attachments, sent over email or IM, can attack your applications. Vulnerabilities in internet-connected apps such as IM clients or Skype may allow attackers to install malware on your machine without any interaction. You really don't want to run applications with known security holes on your machine.

A review
Last week I had the chance to try it out on a PC. It took a while to scan the machine (see say about 5 minutes) but it identified various software that were unpatched, such as OpenOffice, Skype and VLC. In an ideal world, Secunia would also update this software for me. Or Windows! Anyway, it looks like something is in the works already for this.

I was glad (and kind of surprised actually) to see that as soon as I was able to update a certain application, secunia picked it up immediately and even notified me that it was now up-to-date. On the downside, it took me a lot of time and effort to update all the software.

Take OpenOffice, for example. Secunia says it's unpatched, what next? Start -> Programs -> OpenOffice ... I see apps like Writer, Spreadsheets, but no "updater" or anything. I took an educated guess and opened one of the applications (Writer). Help -> Check for Updates ... yes, that's it. 20 minutes later or so it has downloaded and installed the new version. Why so slow!

In any case, Secunia also has links to their forum, I'm sure they explain how to update your applications. Or maybe you can Google it. Auto-update sure sounds exciting.

I installed Secunia on my brother's machine, hoping he will act upon the warnings. I told my father to install it too, but I really really doubt he can act upon the warnings. It all boils down to automatic, silent updates. This should be the responsibility of the Operating System (Ubuntu, Android, iPhone OS all do this, to a certain degree), but not OS X or Windows, which makes third-party apps such as Secunia essential.

So Windows users, try out Secunia.

Thursday, June 17, 2010

Latest Chrome brings sandboxed, auto-updated PDF support

With the latest Chrome version (developer channel for Windows and Mac for now: http://dev.chromium.org/getting-involved/dev-channel) Chrome provides native support for rendering PDF documents in a seamless, and more importantly, secure way: http://blog.chromium.org/2010/06/bringing-improved-pdf-support-to-google.html


According to the blogpost, PDF rendering will be contained within the security sandbox Chrome uses for web page rendering. Users will automatically receive the latest version of Chrome’s PDF support; they won’t have to worry about manually updating any plug-ins or programs.

The plug-in can be enabled by going to chrome://plugins/ and clicking on "Enable" for the "Chrome PDF Viewer" plug-in. While you are at it, I would recommend you disable any other PDF plugins.

Friday, June 11, 2010

Quicktime warnings on Mac Snow Leopard (10.6)

Executive summary: If you have Snow Leopard and Quicktime < 7.6.6, upgrade your OS to 10.6.3.

We've had quite a few reports on our extension homepage about Quicktime X, which is available only for Mac OS 10.6, and its incompatibility with Quicktime 7. The solution we offer (a link to download the latest version of Quicktime) is problematic.

A user reports:
Secbrowsing keeps telling me that I need to update my quicktime plugin for 7.6.3 to 7.6.4 though 7.6.4 is not available for my operating system OSX 10.6 (Snow Leopard).
One of our users has even shared a screenshot with us:



There's very little documentation about this on the web, so I thought I'd write something down about potential workarounds.

It seems like in 10.6.3, Quicktime 7 (and X) is bundled with the OS. This creates confusion when there's a security fix for Quicktime 7, but no apparent way to get the new version in OS 10.6.

I have not investigated previous security fixes (7.6.4, 7.6.5), but I have investigated 7.6.6:

The security fixes in 7.6.6 also went into the security fix for Snow Leopard: 10.6.3 http://support.apple.com/kb/HT4077. I've also verified that a newly bought 10.6 laptop reports "Quicktime 7.6.6" as a plugin in Chrome and Firefox. So if you have 7.6.5 or 7.6.3 or earlier on Snow Leopard, you can only get 7.6.6 by installing the Snow Leopard security updates.

Thursday, June 10, 2010

Security Update: Flash 10.1 r53

http://secbrowsing.appspot.com/ was just updated to point to version 10.1 r53, which fixes several critical security vulnerabilies.