Friday, August 27, 2010

RealPlayer 6.0.12.775 fixes various vulnerabilities.

Today there's a new version of RealPlayer that fixes a bunch of critical vulnerabilities. The latest version is 6.0.12.775, although it's not always straightforward. One of the vulnerabilities is CVE-2010-2996, which was fixed today but was reported 16 months ago:
  • 2009-04-15 - Vulnerability reported to vendor
  • 2010-08-26 - Coordinated public release of advisory
Overall, the vulnerabilities fixed in this version are:
SecBrowsing can help you get the latest version. Disabling the plugin is also an option.

Tuesday, August 24, 2010

Shockwave plugin v11.5.8 fixes 20 vulnerabilities from the past 15 weeks.

Adobe has released a version of Shockwave plugin today, Aug 24, 2010, that fixes 20 critical vulnerabilities in the plug-in: http://www.adobe.com/support/security/bulletins/apsb10-20.html. That's more than 1 vulnerability per week, since the last update of this plugin, on May 11, 2010, just 15 weeks ago. In a previous post we have some answers to common questions such as "What is Shockwave?"

Here's a timeline of the vulnerability reports that went into the latest release:
  • May 11, 2010:
    • Shockwave 11.5.7 is released
  • Unknown date: As of Aug 24, I could not find details for these vulnerability reports:
    • CVE-2010-2863
    • CVE-2010-2864
    • CVE-2010-2865
    • CVE-2010-2868
    • CVE-2010-2869
    • CVE-2010-2880
    • CVE-2010-2881
    • CVE-2010-2882
  • May 27, 2010:
    • CVE-2010-2866
    • CVE-2010-2867
    • CVE-2010-2870
  • Jun 30, 2010:
    • CVE-2010-2871
    • CVE-2010-2872
    • CVE-2010-2873
    • CVE-2010-2874
  • Jul 7, 2010:
  • Jul 20, 2010:
  • Aug 11, 2010:
    • CVE-2010-2877
    • CVE-2010-2878
    • CVE-2010-2879
  • Aug 24, 2010:
    • Shockwave 11.5.8 is released
In this release, the plugin correctly identifies itself as v11.5.8 in JavaScript, so SecBrowsing will start warning about Shockwave again; once you update, the warning will go away.


---
Why update and disable plugins?
Exploits in the browser and its plugins are the most common way people's computers get malware. It happens simply by browsing to a site, without any user interaction. It can be triggered by:
  • Randomly browsing the web, landing on a site that has been hacked.
  • Browsing a site that runs a malicious banner ad. The ad only needs to run for a few minutes on a popular site to get thousands of people infected.
  • Following a URL sent by a friend, whose email/IM account was compromised. This can also be a targeted attack against your organization.
Most plugins have a really bad security history, and are not required for most websites. Disabling them is often a good option.

Sunday, August 22, 2010

Chrome's bundled Flash results in much faster update

Chrome's bundling of Flash resulted in a dramatic drop of out-of-date users after the latest update, according to our stats.

On Aug 10, 2010, Adobe released a security update for Flash. On the same day, Chrome shipped the security update to the bundled Flash plugin as well. SecBrowsing started warning about the new version of Flash, as well as the new version of the Quicktime plugin (7.6.7) on Aug 13, 2010.

We compared the number of users with up-to-date Flash, as well as the traffic to our site around the past two releases of Flash (10.1.82 on Aug 10 and 10.1.53 on June 10), and the difference is significant in both cases.

Visitors with out-of-date Flash


Graph 1: Percentage of users running out-of-date Flash on the last two security releases. For the latest release, within 2 days, fewer than 30% of Chrome users were running an out-of-date Flash. In comparison, it took 14 days for this to happen in the previous release.

Total visitors

This method is less accurate, because many visitors came to the site because of either Flash or Quicktime (see below) -- but the results are still significantly different from before.



Graph 2: The relative traffic to our site around the two releases of Flash. For the first release (10.1.53), it took 16 days for traffic to come down to within 25% of normal, but for the latest one (10.1.82), only 6 days. This would have been even lower if there hadn't been an update for Quicktime at about the same time (about 40% of Chrome users also have Quicktime installed).


Notes

We track visits to http://secbrowsing.appspot.com/. 98% of the website's traffic is "direct", i.e. from users of the SecBrowsing extension (when the extension shows a warning, users click on the "red plugin", which brings them to the website). Neither the website nor the extension tracks the visitors' plugins, with the exception of Flash, which is tracked by Google Analytics by default. (Tip: you can try to reproduce Graph 1 on your own site if you use Google Analytics.)
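The two checks this blog relies on, the plugin-version comparison the extension performs (the Shockwave post above notes that a plugin must report its version correctly for this to work) and the per-day out-of-date percentage behind Graph 1, as an added example that is not SecBrowsing's own code. The fixed versions come from the posts on this page; the visit records are constructed sample data, not real traffic.

```javascript
// Minimum safe versions, taken from the posts on this page (Aug 2010).
const FIXED_VERSIONS = {
  "Shockwave": "11.5.8",
  "Shockwave Flash": "10.1.82",
  "QuickTime": "7.6.7",
  "RealPlayer": "6.0.12.775",
  "Adobe Reader": "9.3.4",
};

// Compare dotted versions numerically (-1, 0 or 1); a missing trailing
// component counts as 0, so "11.5.8" equals "11.5.8.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version the plugin reports is older than the fixed one.
// Plugins not in the table are never flagged. Caveat from the Shockwave post:
// a plugin that misreports its own version defeats this check.
function isOutdated(name, reported) {
  const fixed = FIXED_VERSIONS[name];
  return fixed !== undefined && compareVersions(reported, fixed) < 0;
}

// Percentage of visits per day running an out-of-date version of one plugin,
// from visit records shaped like {day, plugin, version} (Graph 1's measure).
function outdatedPercentByDay(visits, plugin) {
  const totals = {}, outdated = {};
  for (const v of visits.filter((x) => x.plugin === plugin)) {
    totals[v.day] = (totals[v.day] || 0) + 1;
    outdated[v.day] = (outdated[v.day] || 0) + (isOutdated(plugin, v.version) ? 1 : 0);
  }
  const result = {};
  for (const day of Object.keys(totals)) {
    result[day] = Math.round((100 * outdated[day]) / totals[day]);
  }
  return result;
}
// Constructed sample visits (not real data) around the Aug 10, 2010 Flash release.
const SAMPLE_VISITS = [
  ["2010-08-10", "10.1.53"], ["2010-08-10", "10.1.53"], ["2010-08-10", "10.1.82"],
  ["2010-08-12", "10.1.53"], ["2010-08-12", "10.1.82"],
  ["2010-08-12", "10.1.82"], ["2010-08-12", "10.1.82"],
].map(([day, version]) => ({ day, plugin: "Shockwave Flash", version }));
```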

The traffic to the site is very steady, except when a new plugin version is released. About 50% of visitors are new and 50% are returning, and this ratio has remained stable since the beginning of 2010.



Disclaimer
I work on Google's Security team -- the views expressed on this blog are personal. 

Thursday, August 19, 2010

How to update Adobe Reader

Update, Sept 10: Download the latest version of Adobe Reader (9.3.4) here.

Usually SecBrowsing links to the installer of the latest version for vulnerable plugins. However, the latest version of Adobe Reader (9.3.4) is not available for direct download until August 31, 2010.

Meanwhile, please update your Reader plugin, using one of the following two options:

Trigger an update yourself:
  • Open Adobe Reader 
    • Start -> All Applications -> Adobe Reader -> Adobe Reader
  • Click on the "Help" menu
  • Click on the "Check for Updates" menu item.
Or, download the incremental patch for 9.3.3:
  • Download the incremental patch (9.3.3 to 9.3.4) here
  • Install the incremental patch by running it directly.
  • If your current version of Adobe Reader is older than 9.3.3, you need to download and install 9.3.3 first from http://get.adobe.com/reader/
All versions of Adobe Reader 9.3.3 (and earlier versions) have critical vulnerabilities: http://www.adobe.com/support/security/bulletins/apsb10-17.html.

Comments and questions are welcome as always.

Monday, August 16, 2010

On Backward compatibility and security bugs

One of the 6 critical vulnerabilities reported on Aug 12, 2010 for Adobe Flash is CVE-2010-0209. US-CERT shares some interesting details:

Adobe Flash supports two main types of ActionScript, which is the scripting language for Flash. ActionScript 3.0 is supported by the ActionScript Virtual Machine 2 (AVM2), while previous versions are supported by the ActionScript Virtual Machine 1 (AVM1). Flash 9 and later provide both AVM versions for compatibility with both ActionScript varieties. The AVM1 implementation provided with Flash 10.1 contains a vulnerability...


Backward compatibility is the source of the security bug in this case. If the developers had only had to maintain AVM2, this bug would not have emerged. Apparently, backward compatibility is a common source of security problems. In the first chapter of the book Beautiful Security, the author explains how developers' psychology often leads them to overlook the security of functionality that's only there for backward compatibility. In some cases, it's also just the accumulation of code. More code means more bugs, simply because the rate at which developers generate bugs is pretty much constant.

Some more examples
In general, supporting old formats is only a source of more security bugs -- even if, in theory, the libraries that handle these old formats have matured. CVE-2010-0041 and CVE-2010-0042 from a recent iOS vulnerability report are caused by the libraries handling BMP and TIFF images respectively. Another vulnerability in Adobe Reader for Windows, Mac and Unix (CVE-2010-0188) was again related to how Adobe Reader handles TIFF images.

Browser plugins
In a sense, a lot of the web browser plugins today are still around for backward compatibility. Many websites were built to stream audio or video with RealPlayer, Windows Media Player, or Quicktime. These days, most websites use Flash instead. 

In the new operating systems that have been introduced in the past 3 years, such as Apple's iOS, Android and ChromeOS, browser plugins are either completely unsupported or there is only limited support for them. You are probably familiar with the Apple/Adobe debate on Flash on iOS, and that Android, Chrome and ChromeOS support/bundle Flash. 

No matter what your position is on Flash's role on the web today, if you take Flash out of the picture, there is very low demand for porting the traditional plugins (Java, Windows Media, Shockwave, RealPlayer, DivX, Silverlight, Quicktime) to the modern OSes. Either via native apps, or by means of HTML5, services find ways to reach their audiences. 

Backward compatibility is everywhere
Old code (by definition) accumulates as time goes on. Why do Adobe Reader and iOS have support for TIFF, a standard first developed in the 1980s? Probably because nobody was encouraged to take the time to analyze its (lack of) usage and make the case that it should no longer be supported.
Even if your iOS, Android or future ChromeOS device is in theory a brand new OS, it is bundling code that's quite old, and is only getting older.

If you are a developer, think of dropping features that are only there for backward compatibility. Try to make a case that nobody uses them. My favorite argument is that, once we drop them, if users need them, they'll ask for them. How many iPhone users would complain if their browser could not render BMP images? And out of the myriad feature requests for the iPhone, how far up the list would this complaint rank?

If you can't eliminate old features, can you make them load on demand? Maybe the user needs to run the program with a different configuration in order to get the old features. This way, you can protect the majority of users and still support the minority's needs. How many Flash movies run only on AVM1? Is it mostly sites built in 1995, and are these movies mostly their "intros"? In that case, disabling AVM1 could be thought of as a pretty good feature, actually :).

As a user, take a minute and uninstall old software, old plug-ins and old browsers from your system. And keep the rest up-to-date with security updates.

Friday, August 13, 2010

Quicktime 7.6.7 security update for Windows

For the 39% of all Chrome users on Windows who have the Quicktime plug-in installed, it's time to update -- version 7.6.7 fixes a critical security problem that allows any website to take over your machine: http://support.apple.com/kb/HT4290

Download the latest version here http://www.apple.com/quicktime/download/ (no, don't give them your email, it's not required).

Or just disable the plugin and only enable it on pages you trust to show you Quicktime movies. Why have arbitrary pages including arbitrary third-party widgets attempt to show you (potentially malicious) movies?

The SecBrowsing page and our Chrome extension are already warning users with vulnerable versions. Chrome's "about:plugins" page should also show a warning, soon (Chrome beta, v6 and later).

Update: I expect this to be exploited pretty soon, as Metasploit has released sample exploit code already.