Thursday, February 18, 2010

New Adobe Reader vulnerability, open Adobe Reader -> Help -> Update.

Quoting http://www.adobe.com/support/security/bulletins/apsb10-07.html

A critical vulnerability has been identified in Adobe Reader 9.3 and Acrobat 9.3 for Windows, Macintosh and UNIX, [...] As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users [...] update to Adobe Reader 9.3.1.

Note that this allows any website you visit to take over your machine; it is not required that you, e.g., open a bad PDF file that was emailed to you. Websites embed evil PDFs all the time (especially hacked websites).

SecBrowsing does not track Adobe Reader yet because its version is not exposed in the browser. So please go ahead and update Adobe Reader manually:
  • Launch Adobe Reader
  • Help
  • Check for Updates

Thursday, February 11, 2010

New Flash player vulnerability, v10.0.45.2 released

Quoting Adobe Security Bulletin,
a critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2

I think this translates to "any website with a malicious flash object can make requests to websites with private information such as email, bank accounts etc". I might be wrong. But unauthorized cross-domain requests are not good. At least the vulnerability does not allow arbitrary code execution, but these days, if you can take over the browser, you are almost as good as taking over the machine itself.

SecBrowsing points to version 10.0.45.2.

Friday, February 5, 2010

New Chrome extension hides the icon if all is good.

The most requested feature for our Chrome extension was to hide the icon if all was good. Today Noe pushed a version of the extension that does that. The icon moved from the toolbar inside the address bar. It's a bit less visible, but it does not take up valuable space if you are up-to-date.

Important: If you don't see any icon, do not worry: You are up-to-date.
If you want to verify that SecBrowsing is installed, click wrench > Extensions.

Here's how it will look if you have an out-of-date plugin:


As always, click on the red icon to get to http://secbrowsing.appspot.com/ with directions on how to update your plugins.

Better plugin version detection thanks to Firefox 3.6

Up until a few days ago, in order to find and parse plugin versions in JavaScript one had to write a pretty complex function that also involved a lot of guesswork, as you can see in our source code.

As of Firefox 3.6, however, websites can access the plugin version in the simplest way possible:
navigator.plugins[i].version
This means SecBrowsing can use this version when available and correctly detect plugins we cannot currently detect, such as

  • Adobe Reader
  • Shockwave for Director
  • RealPlayer 
We can also try to get this functionality into Google Chrome, so SecBrowsing can be accurate for Chrome as well. Stay tuned.
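Here is an added example (not SecBrowsing's own source) of the two detection paths the post describes: prefer the `version` property Firefox 3.6 exposes, and otherwise fall back to parsing the plugin's free-text name and description, which is the guesswork part. The plugin objects are constructed stand-ins for `navigator.plugins`, and the description formats they imitate are assumptions.

```javascript
// Added example, not SecBrowsing code. Returns the best version guess for a
// plugin-like object {name, description, version?} and says where it came from.
function detectPluginVersion(plugin) {
  // Firefox 3.6+: the browser reports the version directly. Trust it first.
  if (typeof plugin.version === "string" && /\d/.test(plugin.version)) {
    return { version: plugin.version, source: "version" };
  }
  const text = `${plugin.name || ""} ${plugin.description || ""}`;
  // Flash-style text (assumed format): "Shockwave Flash 10.0 r45" -> "10.0.45".
  // Note this loses the last component (10.0.45.2 on the download page).
  let m = /(\d+)\.(\d+) r(\d+)/.exec(text);
  if (m) return { version: `${m[1]}.${m[2]}.${m[3]}`, source: "description" };
  // Any other dotted number in the text, e.g. "Foo Plugin 3.0.50106.0".
  m = /(\d+(?:\.\d+)+)/.exec(text);
  if (m) return { version: m[1], source: "description" };
  // Nothing usable: this is the Adobe Reader / RealPlayer situation.
  return { version: null, source: "unknown" };
}

// Walks an array-like plugin list (navigator.plugins in a browser).
function scanPlugins(plugins) {
  const report = [];
  for (let i = 0; i < plugins.length; i++) {
    report.push({ name: plugins[i].name, ...detectPluginVersion(plugins[i]) });
  }
  return report;
}

// Constructed samples: descriptions are made up to imitate the three cases
// (version in description text, no version anywhere, version property present).
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r45" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape" },
  { name: "RealPlayer Version Plugin", description: "RealPlayer(tm) Plug-In (32-bit)" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape", version: "9.3.1" },
];

if (typeof module !== "undefined" && require.main === module) {
  console.table(scanPlugins(SAMPLE_PLUGINS));
}
```

In a real page you would pass `navigator.plugins` to `scanPlugins`; the `unknown` entries are exactly the plugins SecBrowsing cannot check today.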

Thursday, February 4, 2010

New Internet Explorer security vulnerability

IE users, you should visit this link and update your security settings: http://www.microsoft.com/technet/security/advisory/980088.mspx

From the bulletin:
Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location.
Which means, for example, that if you can figure out the user's user name, you can read their address book from your website: "C:\Documents and Settings\user_name\Application Data\Microsoft\Address Book\user_name.wab".

Saturday, January 30, 2010

Take a second and disable Javascript from Acrobat Reader

SecBrowsing does not yet track the versions of the Adobe Reader plugin, because Reader does not expose its version to websites. We plan to find a way to track the version soon. In the meantime, please:
  • Update Acrobat Reader
  • Disable Acrobat Javascript
Update Acrobat Reader
  1. Launch Adobe Reader
  2. Select Help > Check for Updates
  3. Exit Adobe Reader
  4. Repeat
You might have to repeat this process a few times if you have missed a lot of updates. Keep asking Reader to check for updates, even after it has installed some. If you have 9.1.1 and the latest version is 9.1.3 you need to run the update process twice.

Disable Acrobat Javascript

Also, please disable JavaScript for Reader. Many of the security releases of Reader fix vulnerabilities that involve its JavaScript engine.
  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences
  3. Select the JavaScript Category
  4. Uncheck the 'Enable Acrobat JavaScript' option
  5. Click OK
More about disabling Javascript, from Adobe. HowtoGeek also has a screenshot.

Sunday, January 24, 2010

Check your plugins right within iGoogle

Aiming for the smallest iGoogle gadget ever (in terms of screen real estate), today we made SecBrowsing available for your iGoogle homepage:



Go ahead and add it to your Google homepage

Saturday, January 23, 2010

RealPlayer Versioning (and did I mention you should update it?)

RealPlayer was recently updated to address a number of vulnerabilities.

In theory the RealPlayer AutoUpdate should run and get you up-to-date, according to their privacy page: A background update check may happen automatically and without advanced notification if RealNetworks deems a critical update is required, such as for urgent security patches and bug fixes.

In practice, if you know what realsched.exe is, and you've disabled it, you should go and update RealPlayer yourself, from the application itself or by downloading a fresh copy at Real.com.

It's not trivial, for me at least, to understand how SecBrowsing can help users identify if they are running a vulnerable version right now. Their versioning system is quite confusing. Here's a snippet of the vulnerability report from RealPlayer for Windows:

Not vulnerable:
  • RealPlayer SP 1.0.2 - 1.0.5

Vulnerable:
  • RealPlayer SP 1.0.0 and 1.0.1
  • RealPlayer 11 (11.0.5 and higher)
  • RealPlayer 11 (11.0.1 - 11.0.4)
  • RealPlayer 11 (11.0.0)
  • RealPlayer 10.5 (6.0.12.1675)
  • RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
  • RealPlayer 10
  • RealPlayer Enterprise
I downloaded a fresh copy of RealPlayer yesterday, installed it on Windows Vista, checked the reported version, and it came back as 6.0.12.448. It's not one of the reported vulnerable versions, I guess, but it's also not "greater than" them in the typical sense.

Which makes Mozilla's effort in building a Plugin Directory with version history a more viable solution than our "latest good version" approach. Mozilla also offers APIs to this service, for other browsers to use even, which is great.

I'm still skeptical about whether we'll be able to identify all these arbitrary versions from the browsers without some help, going forward at least, from the plugin vendors.
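To make the RealPlayer confusion above concrete, here is an added example (not SecBrowsing code) that runs the fresh-install build 6.0.12.448 through both approaches: a simple "below the latest good version" check, and a check against the vulnerable 10.5 ranges quoted from the report. The reference version 6.0.12.1742 is an assumption (the highest listed build plus one), not a value from RealNetworks.

```javascript
// Added example, not SecBrowsing code.
// Compare two dotted version strings numerically, component by component.
// Returns -1, 0 or 1. Missing components count as 0, so "11.0" == "11.0.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Vulnerable RealPlayer 10.5 builds exactly as listed in the report quoted
// above (the 6.0.12.x line), as inclusive [low, high] ranges.
const VULNERABLE_10_5 = [
  ["6.0.12.1040", "6.0.12.1663"],
  ["6.0.12.1675", "6.0.12.1675"],
  ["6.0.12.1698", "6.0.12.1698"],
  ["6.0.12.1741", "6.0.12.1741"],
];

function inRanges(version, ranges) {
  return ranges.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Assumption for illustration: the "latest good version" rule flags anything
// below this number. It is the highest listed build bumped by one, not a real
// RealNetworks release number.
const ASSUMED_LATEST_GOOD = "6.0.12.1742";

// Both verdicts for one installed build, so the disagreement is visible.
function classify(version) {
  return {
    version,
    listedVulnerable: inRanges(version, VULNERABLE_10_5),
    belowLatestGood: compareVersions(version, ASSUMED_LATEST_GOOD) < 0,
  };
}

if (typeof module !== "undefined" && require.main === module) {
  // The fresh download from the post: not in any listed range, yet numerically
  // "older" than every vulnerable build, so the latest-good rule flags it.
  console.log(classify("6.0.12.448"));
  console.log(classify("6.0.12.1500"));
}
```

The two verdicts disagree for 6.0.12.448, which is why a per-vendor version history beats a single cut-off number for plugins like this.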

New Shockwave security update

Brian Krebs reports on a new vulnerability, this time on Shockwave. He also describes how Shockwave is different from Flash. Here's the report from Adobe.

My personal recommendation is to actually uninstall Shockwave and just keep Flash, unless you really remember using it.

Download the latest version here

Note to SecBrowsing users
SecBrowsing was just updated to point users to version 11.5.6. Unfortunately, on Windows, the plugin still reports "11.5" as its version, so it's impossible to identify the vulnerable version (11.5.2) from the safe one (11.5.6).

Until we have a nicer way of showing users that we can't detect the version correctly, I've decided to keep pointing users to the latest version, even if they have already installed it.

If you have installed Shockwave 11.5.6 (released Jan 19, 2010), please ignore the warning, you do not need to reinstall it.

You can check your exact version on Adobe's website. If you are out-of-date, please download the latest version here.

Friday, January 22, 2010

Firefox 3.6 with Plugin Check -- and what's missing

Firefox 3.6 is out, with a link to the Firefox Plugin Check page on the "Addons -> Plugins" tool.



The Firefox Plugin Check webpage works in a very similar fashion to SecBrowsing, giving you links to download the latest versions of plugins that are old.

The plugin check is also integrated into Firefox in another way. Blair McBride explains that "Whenever you load a page that uses a plugin that is out of date, you’ll get a warning". I expect this to dramatically reduce the ratio of Firefox users with out-of-date plugins.



There's a significant improvement that still remains to be done, however: notice in the screenshot how Adobe Acrobat's version is detected inside Firefox. The browser itself appears to be able to detect the plugin version. On the updater page, however, the version is not detected.



The list of plugins with unknown versions is unfortunately usually long, meaning that there are still a lot of vulnerable attack vectors against the browser. Acrobat Reader in particular has been targeted a lot lately.

SecBrowsing suffers from the same issue: Reader does not expose its version to HTML pages. Deeper integration into the browser is needed for both the Firefox Plugin Check and SecBrowsing to be helpful with such plugins. I plan to post more on this in the future.

Thursday, January 21, 2010

How to secure plugins in Chrome

Google Chrome has the capability to run its plugins in its sandbox. However that option is not enabled by default. Personally I don't agree with this choice but read the disclaimer about how that's not the opinion of my employer.

I strongly recommend using the safe-plugins option for Chrome. Here are instructions on how to create a shortcut for a "safe chrome" on Windows:

  • Copy the launcher icon (from the desktop, taskbar, or start menu)
  • Paste it on the desktop, rename it if you wish.
  • Right-click on the new icon, select "Properties"
  • Change the target so it ends like this:
    • ...\Application\chrome.exe" --safe-plugins

Wednesday, January 20, 2010

New Silverlight version out

Latest version of the Microsoft Silverlight Plug-In: 3.0.50106.0

Release notes: http://support.microsoft.com/kb/979202

According to the notes "this update includes functional, performance, reliability, and security improvements", however particular security improvements are not mentioned.

Get it from http://secbrowsing.appspot.com/

Tuesday, January 19, 2010

New Java out (non-security release)

Java 6 update 18 (1.6.0_18) is out.

According to the release notes, no security fixes in this version.

Link is available on http://secbrowsing.appspot.com/