Tuesday, September 21, 2010

Adobe Flash Player version 10.1.85

On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.
SecBrowsing has been warning users since. Note that Chrome updates its bundled Flash plugin automatically; all you have to do is restart the browser.

The security advisory from Adobe is available at http://www.adobe.com/support/security/bulletins/apsb10-22.html
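The check SecBrowsing performs for a post like this one boils down to comparing an installed plugin version against the version an advisory says is fixed, and distinguishing "update available" from "no fix exists yet". The following is an added example, not the extension's own code: the plugin names, fixed versions and advisory URLs are taken from the posts on this page, the advisory table itself is a constructed sample, and the installed versions in the demo are constructed too. It also shows the pitfall of comparing version strings as text.

```python
# Added example (not SecBrowsing's own code): decide whether an installed
# browser plugin is outdated, and whether a fix exists at all, using a small
# advisory table.  Plugin names, fixed versions and advisory URLs are taken
# from the posts on this page; the table itself is a constructed sample.
from typing import NamedTuple, Optional


def parse_version(v: str) -> tuple:
    """Split '10.1.85' into (10, 1, 85) so versions compare numerically.

    A plain string comparison ranks '9.0.280' above '10.1.85' because
    '9' > '1'; tuples of ints give the intended ordering.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


class Advisory(NamedTuple):
    plugin: str
    fixed_in: Optional[str]   # None: no patched release exists yet (zero-day)
    reference: str


# Constructed advisory table; values as stated in the posts above.
ADVISORIES = {
    "Shockwave Flash": Advisory(
        "Shockwave Flash", "10.1.85",
        "http://www.adobe.com/support/security/bulletins/apsb10-22.html"),
    "QuickTime Plug-in": Advisory(
        "QuickTime Plug-in", "7.6.8", "http://support.apple.com/kb/HT4339"),
    # As of the Sept 8 post there was no fixed Adobe Reader release.
    "Adobe Acrobat": Advisory("Adobe Acrobat", None, "(no fix yet)"),
}


def check_plugin(name: str, installed: str) -> str:
    """Return 'not tracked', 'up to date', 'update to X' or 'vulnerable, no fix'."""
    adv = ADVISORIES.get(name)
    if adv is None:
        return "not tracked"
    if adv.fixed_in is None:
        # The user has the latest release and it is still exploitable.
        return "vulnerable, no fix"
    if parse_version(installed) >= parse_version(adv.fixed_in):
        return "up to date"
    return f"update to {adv.fixed_in}"


def check_all(installed_plugins: dict) -> dict:
    """Map each installed plugin name to its status."""
    return {name: check_plugin(name, ver) for name, ver in installed_plugins.items()}


if __name__ == "__main__":
    # Constructed installed-plugin list for the demo (versions are made up,
    # except that 9.3.4 and 7.6.8 appear in the posts above).
    sample = {"Shockwave Flash": "9.0.280", "QuickTime Plug-in": "7.6.8",
              "Adobe Acrobat": "9.3.4", "Picasa": "3.8"}
    for name, status in check_all(sample).items():
        print(f"{name}: {status}")
```

The "vulnerable, no fix" state is the one that matters for the zero-day posts below: a version check alone cannot help there, so the only useful advice is a mitigation such as disabling the plugin.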

Thursday, September 16, 2010

Apple Quicktime 7.6.8 for Windows

Apple Quicktime 7.6.8 was released yesterday. You can get it at http://www.apple.com/quicktime/download/

The release notes are here: http://support.apple.com/kb/HT4339. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.

Metasploit has been hosting sample exploit code for 17 days now.

Monday, September 13, 2010

Adobe Flash zero-day vulnerability under attack

This report from ZDnet covers an Adobe Flash zero-day, labelled CVE-2010-2884.

Adobe's advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html

Is there any way to protect yourself against this without blocking Flash, until you get the update (due Sept 27)? I would try the --safe-plugins option, which runs all your plugins in a sandbox. It could break some features; for example, Flash might not be able to access your webcam or microphone anymore. If I get the chance I'll try this out and let you know if anything breaks.

Note that as of today, Sept 13, virtually all web users are vulnerable to zero-day exploits for 3 different browser plugins, for which no fix is available:

Friday, September 10, 2010

Get click-to-play on unsandboxed plugins

It seems that the latest developer version of Chrome (7.0.517.0) adds an option to auto-run sandboxed plugins and prompt for the others.

It can be enabled via the Tools menu, then "Preferences", "Under the hood", "Content settings". Under "Plug-ins", select "Allow only sandboxed plug-ins".

Then, embedded objects that require a plug-in to run will be replaced with a button. There's also an infobar that lets you enable the plug-in for the whole page.

Quicktime 7.6.7 zero-day exploits in the wild

A known bug in Quicktime's latest version (7.6.7) is currently being exploited. All IE users on Windows are affected. The majority of the readers of this blog are Chrome users (since most of you come here via the Chrome extension), but, for completeness, I thought I'd write about this. There's no fix yet, so the only way to keep yourself safe is to disable the Quicktime plug-in in IE.

References: http://www.securecomputing.net.au/News/231511,active-exploits-targeting-apple-quicktime-zero-day.aspx?eid=7&edate=20100909&eaddr=

Wednesday, September 8, 2010

Protect yourself against today's (and future) PDF zero-days

3 months after the previous PDF zero-day on June 4, and 3 weeks after various critical security fixes, Adobe warns of a new zero-day vulnerability that is actively being exploited. "Zero-day" means that even if you have the latest version of Adobe Reader (9.3.4), there are sites out there that can hack you. A lot of users are affected (86% of Chrome users, for example, have the Adobe Reader plugin).

"Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date." Brian Krebs, however, points out that only 1/4 of the virus scanners catch this. My recommendations for viewing PDF files:
  1. [do this first] Disable the Adobe Reader plugin from your browser
  2. You'll still be able to view PDF files! When you encounter a PDF file that you trust is safe to view, you can do the following:

Friday, September 3, 2010

Top browser plugins, and more statistics.

SecBrowsing allows users to report their plugins, by clicking on the "Send to server" button. We use the data to see if we are missing any important plugins with known security vulnerabilities. In this post, I've aggregated the reports for 1 month, producing some hopefully interesting statistics.

How many plugins are there?
  • Over 600 plugins (including different versions of the same plugin) were reported by over 3000 users, in the month of Aug 2010. That by itself was interesting to me.

How many plugins does a user have?
  • 50% of the users reported over 20 plugins. (This is the median. The average is 21 plugins.)
  • 25% of the users reported over 26 plugins.
  • 5% of the users reported over 30 plugins.
  • One user reported 52 plugins!

Note that some plugins are reported multiple times: Java is reported twice, Realplayer 2-3 times, and Quicktime on Windows is reported 7 times. So the number of unique plugins is probably around 10 on average.

The most popular plugins
  • 38 plugins were reported by over 10% of the 3000 users.

They are listed here - after dropping some plug-ins that come bundled with Chrome.

  • 98%  Shockwave Flash
  • 83%  Silverlight Plug-In
  • 78%  Adobe Acrobat
  • 66%  QuickTime Plug-in
  • 61%  Microsoft® DRM
  • 45%  iTunes Application Detector
  • 44%  Windows Presentation Foundation
  • 42%  Google Earth Plugin
  • 39%  Picasa
  • 38%  Java(TM) Platform SE 6 U21
  • 36%  Microsoft® Windows Media Player Firefox Plugin
  • 31%  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)
  • 31%  Windows Live® Photo Gallery
  • 31%  Microsoft Office 2010
  • 28%  Java Deployment Toolkit
  • 26%  Shockwave for Director
  • 25%  Windows Media Player Plug-in Dynamic Link Library
  • 20%  Microsoft Office Live Plug-in for Firefox
  • 18%  DivX Web Player
  • 16%  Chrome IE Tab
  • 15%  VLC Multimedia Plug-in
  • 14%  2007 Microsoft Office system
  • 10%  Cooliris

Note: Cooliris and Chrome IE Tab are extensions that bundle NPAPI plugins. The rest are system-wide NPAPI plugins.
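The per-user distribution (median, quartiles, maximum), the unique-plugin count after collapsing duplicate entries, and the popularity percentages above are all produced by the same aggregation over per-user reports. Here is an added example of that aggregation, not the blog's own scripts: the five user reports are constructed sample data (the plugin names are ones listed above), and the rule for collapsing name variants (lowercase, drop trademark marks and version tokens) is an assumption, since the post does not say how duplicates were counted. The post's "X% of users reported over N plugins" figures are the complement view of the quantiles computed here.

```python
# Added example (not SecBrowsing's own aggregation code): compute the kind of
# statistics shown in the post from per-user plugin reports.  REPORTS is a
# constructed sample; normalize() implements an assumed name-collapsing rule.
from collections import Counter
from statistics import mean, median
import math
import re

# Constructed sample: each entry is one user's reported plugin list, with the
# repeated entries the post mentions (QuickTime several times, Java twice).
REPORTS = [
    ["Shockwave Flash", "Adobe Acrobat", "QuickTime Plug-in", "QuickTime Plug-in",
     "Java(TM) Platform SE 6 U21", "Java Deployment Toolkit", "Picasa"],
    ["Shockwave Flash", "Silverlight Plug-In", "QuickTime Plug-in", "Adobe Acrobat"],
    ["Shockwave Flash", "Silverlight Plug-In", "Adobe Acrobat", "Google Earth Plugin",
     "Picasa", "Cooliris"],
    ["Shockwave Flash", "Silverlight Plug-In", "Microsoft Office 2010"],
    ["Shockwave Flash", "VLC Multimedia Plug-in", "DivX Web Player", "Adobe Acrobat",
     "QuickTime Plug-in", "QuickTime Plug-in", "QuickTime Plug-in"],
]


def normalize(name: str) -> str:
    """Collapse name variants to one key (assumed rule: lowercase, drop
    trademark marks and any token containing a digit, squeeze whitespace)."""
    key = name.lower()
    key = re.sub(r"\(tm\)|®|™", "", key)
    key = re.sub(r"\b[\w.]*\d[\w.]*\b", "", key)   # version-like tokens
    return re.sub(r"\s+", " ", key).strip()


def per_user_counts(reports):
    """Raw number of entries each user reported (duplicates included)."""
    return [len(r) for r in reports]


def per_user_unique_counts(reports):
    """Number of distinct plugins per user after collapsing name variants."""
    return [len({normalize(p) for p in r}) for r in reports]


def quantile(values, q):
    """Nearest-rank quantile: smallest value with at least q of the values <= it."""
    s = sorted(values)
    idx = max(0, math.ceil(q * len(s)) - 1)
    return s[idx]


def summary(reports):
    """Headline figures in the style of the post."""
    raw = per_user_counts(reports)
    uniq = per_user_unique_counts(reports)
    return {
        "users": len(reports),
        "distinct_names": len({p for r in reports for p in r}),
        "median_reported": median(raw),
        "mean_reported": mean(raw),
        "p75_reported": quantile(raw, 0.75),
        "max_reported": max(raw),
        "mean_unique": mean(uniq),
    }


def popularity(reports, min_share=0.0):
    """Share (percent) of users reporting each collapsed plugin, most popular
    first; a user counts once per plugin however many times it was listed."""
    n = len(reports)
    seen = Counter()
    for r in reports:
        seen.update({normalize(p) for p in r})
    rows = [(name, round(100 * cnt / n)) for name, cnt in seen.items()
            if cnt / n >= min_share]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for k, v in summary(REPORTS).items():
        print(f"{k}: {v}")
    for name, pct in popularity(REPORTS, min_share=0.10):
        print(f"{pct:3d}%  {name}")
```

Counting a user once per collapsed plugin name is what keeps the popularity figure a share of users rather than a share of report lines; without that step the repeated QuickTime entries would inflate its percentage.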