Adobe Flash 10.1.102 was released on Nov 4, 2010: http://www.adobe.com/support/security/bulletins/apsb10-26.html. Google Chrome was also updated, to ship the new bundled Flash.
A number of vulnerabilities were fixed, at least one of which was reportedly used by malicious websites to install malware.
SecBrowsing was updated to point to the latest version.
Saturday, November 6, 2010
Updating Flash
If your Flash version in Chrome is out-of-date, one of a few things could be happening:
- You have not restarted Chrome in a while. If you just restart, you should get the latest version.
- You are on the beta or the developer channel. If you don't know what this is, you are probably not on them. If you are, please wait a few days. Chrome will ask you to update itself. Sometimes Flash for dev channel is released a few days later than stable.
- You are not using the bundled Flash plugin that ships with Chrome. Type about:plugins in the address bar, then click "Details" at the top-right. Find the Flash entries you use, and enable the bundled Flash, which is typically the most up-to-date.
If you also use Flash in Firefox or Safari, use one of these browsers and get the latest version at http://get.adobe.com/flashplayer/.
Resources:
Chrome bundling Flash: http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html
Thursday, October 28, 2010
Protect yourself against new Flash and Reader zero-day.
Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you could do until then:
Flash
- Either disable the plugin, or
- Use click-to-play in Chrome dev channel.
Reader
- Protecting yourself against today's and future zero-days for Reader is relevant again.
Advisory (covers both Flash and Reader) at
http://www.adobe.com/support/security/advisories/apsa10-05.html
Shockwave for Director 11.5.9.615
A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version, 11.5.9.615.
http://www.adobe.com/support/security/bulletins/apsb10-25.html
Thursday, October 21, 2010
New RealPlayer vulnerabilities and versions
The open question is how a website, or even the browser itself, can detect whether the installed RealPlayer version is vulnerable.
I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time:
http://service.real.com/realplayer/security/10152010_player/en/
If you can help me understand it, I'd be grateful!
My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.
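One general way to answer that question, for RealPlayer and for the other plugins on this page (it also covers the about:plugins check from the "Updating Flash" post above, and the duplicate-entry note from the plugin statistics post). This is an added example, not code from SecBrowsing or from any plugin vendor. It walks a navigator.plugins-style list, pulls a version out of each entry, folds repeated entries for the same plugin, and compares against a table of minimum secure versions. The version numbers in the table are the ones the posts on this page cite; the regexes that map entry names to plugins, the field names, and the sample entries are assumptions constructed for the example.

```javascript
// Added example for this page; not code from SecBrowsing or any vendor.
// Checks navigator.plugins-style entries against minimum secure versions.

// Minimum secure versions as cited by the posts on this page. The
// name-matching regexes are an assumption about how each plugin
// identifies itself in the browser; adjust them for other browsers.
const RULES = [
  { label: 'Flash',                  match: /shockwave flash/i,            min: '10.1.102' },
  { label: 'Shockwave for Director', match: /shockwave for director/i,     min: '11.5.9.615' },
  { label: 'RealPlayer',             match: /realplayer/i,                 min: '6.0.12.775' },
  { label: 'QuickTime',              match: /quicktime/i,                  min: '7.6.8' },
  { label: 'Adobe Reader',           match: /adobe acrobat|adobe reader/i, min: '9.4.0' },
];

// Pull a version out of free text. Requires at least two numeric parts so
// stray digits ("G2", "32-bit") are not taken for a version, and accepts
// Flash's "10.1 r82" spelling as 10.1.82.
function parseVersion(text) {
  if (!text) return null;
  const m = /(\d+(?:[._]\d+)+)(?:\s*r(\d+))?/i.exec(text);
  if (!m) return null;
  const parts = m[1].split(/[._]/).map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2]));
  return parts;
}

// Component-wise numeric compare; a missing trailing component counts as
// 0, so 7.6.8 equals 7.6.8.0 and 10.1.82 sorts below 10.1.102.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The description usually carries the version; fall back to the name,
// then the filename. Returns null when nothing version-like is exposed,
// which is the RealPlayer situation discussed above.
function versionOf(entry) {
  for (const field of [entry.description, entry.name, entry.filename]) {
    const v = parseVersion(field);
    if (v) return v;
  }
  return null;
}

// `plugins` may be navigator.plugins in a browser or any array of
// {name, description, filename}. Returns one row per matched rule with
// status 'ok', 'outdated' or 'unknown' (present, but no version exposed).
function checkPlugins(plugins, rules = RULES) {
  const best = new Map();
  for (const entry of Array.from(plugins)) {
    const rule = rules.find(r =>
      r.match.test(entry.name || '') || r.match.test(entry.description || ''));
    if (!rule) continue;
    const version = versionOf(entry);
    const prev = best.get(rule.label);
    // Browsers list one plugin several times (one per DLL or MIME
    // handler); keep the highest version seen, so a user with both the
    // system Flash and Chrome's bundled Flash is judged on the newer one.
    if (!prev || (version && (!prev.version || compareVersions(version, prev.version) > 0))) {
      best.set(rule.label, { rule, version });
    }
  }
  return Array.from(best.values()).map(({ rule, version }) => ({
    plugin: rule.label,
    version: version ? version.join('.') : null,
    status: version === null ? 'unknown'
      : compareVersions(version, parseVersion(rule.min)) < 0 ? 'outdated' : 'ok',
  }));
}

// Constructed sample in the shape Chrome exposed in 2010; descriptions and
// filenames are illustrative, not captured from a real machine.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.1 r82', filename: 'NPSWF32.dll' },
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.1 r102', filename: 'gcswf32.dll' },
  { name: 'Shockwave for Director', description: 'Adobe Shockwave for Director Netscape plug-in, version 11.5.8', filename: 'np32dsw.dll' },
  { name: 'QuickTime Plug-in 7.6.8', description: 'The QuickTime Plugin allows you to view multimedia content in web pages.', filename: 'npqtplugin.dll' },
  { name: 'QuickTime Plug-in 7.6.8', description: 'The QuickTime Plugin allows you to view multimedia content in web pages.', filename: 'npqtplugin2.dll' },
  { name: 'RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)', description: 'RealPlayer(tm) LiveConnect-Enabled Plug-In', filename: 'nppl3260.dll' },
  { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape "9.3.4"', filename: 'nppdf32.dll' },
];

// In a browser use navigator.plugins; elsewhere fall back to the sample.
const source = (typeof navigator !== 'undefined' && navigator.plugins) ? navigator.plugins : SAMPLE_PLUGINS;
for (const row of checkPlugins(source)) console.log(row);
```

On the sample this reports Flash ok (the newer bundled entry wins), Shockwave for Director and Adobe Reader outdated, QuickTime ok after folding its two entries, and RealPlayer as unknown: its entries expose no version at all, which is exactly why a website or extension cannot tell a patched RealPlayer from a vulnerable one without help from the vendor.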
Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now
There's a zero-day vulnerability with sample exploit code available. In the past, that has usually led to active exploits within a few days.
The only defense right now is to disable Shockwave:
- Type about:plugins, hit enter.
- Find "Shockwave for Director" (no, not Shockwave Flash)
- If you can't find it, good! Otherwise, click "Disable".
http://www.adobe.com/support/security/advisories/apsa10-04.html
In a previous post I was counting over 1 vulnerability per week:
http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html
In an even older post I tried to answer some common questions such as "What is Shockwave for Director?"
http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html
Monday, October 18, 2010
Java 6u22 released
The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
SecBrowsing was updated to warn if you are running a vulnerable version.
Thursday, October 7, 2010
Adobe Reader 9.4.0 released
SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at http://get.adobe.com/reader/.
Many security vulnerabilities were fixed. The advisory from Adobe is available here: http://goo.gl/RCiD.
Tuesday, September 21, 2010
Adobe Flash Player version 10.1.85
On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.
SecBrowsing has been warning users since. Note that Chrome updates the bundled Flash plugin automatically; all you have to do is restart the browser.
The security advisory from Adobe is available at http://www.adobe.com/support/security/bulletins/apsb10-22.html
Thursday, September 16, 2010
Apple Quicktime 7.6.8 for Windows
Apple Quicktime 7.6.8 was released yesterday. You can get it at http://www.apple.com/quicktime/download/
The release notes are here: http://support.apple.com/kb/HT4339. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.
Metasploit has been hosting sample exploit code for 17 days now.
Monday, September 13, 2010
Adobe Flash zero-day vulnerability under attack
This report from ZDNet covers an Adobe Flash zero-day, labelled CVE-2010-2884.
Adobe's advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html
Is there any way to protect yourself against this without blocking Flash, until you get the update (due Sept 27)? I would try the --safe-plugins option, which runs all your plugins in a sandbox. It could break some features, like Flash might not be able to access your webcam or microphone anymore. If I get the chance I'll try this out and let you know if anything breaks.
Note that as of today, Sept 13, virtually all web users are vulnerable to zero-day exploits for 3 different browser plugins, for which no fix is available:
- Quicktime 7.6.7 for IE
- Adobe Reader 9.3.4 for all platforms
- Adobe Flash 10.1.82 for all platforms
Friday, September 10, 2010
Get click-to-play on unsandboxed plugins
It seems that the latest developer version of Chrome (7.0.517.0) adds an option to auto-run plugins that are sandboxed, and prompt for the others.
It can be enabled via the Tools menu, then "Preferences", "Under the hood", "Content settings". Under "Plug-ins", select "Allow only sandboxed plug-ins".
Quicktime 7.6.7 zero-day exploits in the wild
Quicktime's latest version (7.6.7) has a publicly known bug that is currently being exploited. All IE users on Windows are affected. The majority of the readers of this blog are Chrome users (since most of you come here via the Chrome extension), but, for completeness, I thought I'd write about this. There's no fix yet, so the only way to keep yourself safe is to disable the Quicktime plug-in in IE.
References: http://www.securecomputing.net.au/News/231511,active-exploits-targeting-apple-quicktime-zero-day.aspx?eid=7&edate=20100909&eaddr=
Wednesday, September 8, 2010
Protect yourself against today's (and future) PDF zero-days
3 months after the previous PDF zero-day on June 4, and 3 weeks after various critical security fixes, Adobe advises of a new zero-day exploit that's actively being exploited. "Zero-day" means that even if you have the latest version of Adobe Reader (9.3.4), there are sites out there that can hack you. A lot of users are affected (86% of Chrome users, for example, have the Adobe Reader plugin).
"Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date." Brian Krebs, however, points out that only 1/4 of the virus scanners catch this. My recommendations for viewing PDF files:
- [do this first] Disable the Adobe Reader plugin from your browser.
- You'll still be able to view PDF files! When you encounter a PDF file that you trust it's safe to view, you can do the following:
- [safest] Upload the PDFs to Google Docs and view its image there. Google has a Chrome extension that does this automatically for you.
- [safe] If you use Google Chrome, turn on its built-in (and sandboxed) PDF Viewer. There haven't been any reports of breakouts from the Chrome sandbox.
- [safe] Use alternative PDF viewers. Preview on Mac, or for Windows, Brian Krebs suggests Foxit, Sumatra or Nitro PDF. On Linux, I've used evince and kpdf in the past. There's also xpdf. All of these are usually less targeted.
- [risky] Download it to your desktop, and open it in Adobe Reader. This is still dangerous, but at least random hacked pages won't auto-load invisible PDFs. If you do this, at least disable JavaScript in Adobe Reader.
Friday, September 3, 2010
Top browser plugins, and more statistics.
SecBrowsing allows users to report their plugins, by clicking on the "Send to server" button. We use the data to see if we are missing any important plugins with known security vulnerabilities. In this post, I've aggregated the reports for 1 month, producing some hopefully interesting statistics.
How many plugins are there?
- Over 600 plugins (including different versions of the same plugin) were reported by over 3000 users in the month of Aug 2010. That by itself was interesting to me.
How many plugins does a user have?
- 50% of the users reported over 20 plugins. (This is the median. The average is 21 plugins.)
- 25% of the users reported over 26 plugins.
- 5% of the users reported over 30 plugins.
- One user reported 52 plugins!
Note that some plugins are reported multiple times: Java is reported twice, Realplayer 2-3 times, and Quicktime on Windows is reported 7 times. So the number of unique plugins is probably around 10 on average.
The most popular plugins
- 38 plugins were reported by over 10% of the 3000 users.
They are listed here - after dropping some plug-ins that come bundled with Chrome.
- 98% Shockwave Flash
- 83% Silverlight Plug-In
- 78% Adobe Acrobat
- 66% QuickTime Plug-in
- 61% Microsoft® DRM
- 45% iTunes Application Detector
- 44% Windows Presentation Foundation
- 42% Google Earth Plugin
- 39% Picasa
- 38% Java(TM) Platform SE 6 U21
- 36% Microsoft® Windows Media Player Firefox Plugin
- 31% RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)
- 31% Windows Live® Photo Gallery
- 31% Microsoft Office 2010
- 28% Java Deployment Toolkit 6.0.210.7
- 26% Shockwave for Director
- 25% Windows Media Player Plug-in Dynamic Link Library
- 20% Microsoft Office Live Plug-in for Firefox
- 18% DivX Web Player
- 16% Chrome IE Tab
- 15% VLC Multimedia Plug-in
- 14% 2007 Microsoft Office system
- 10% Cooliris
Note: Cooliris and Chrome IE Tab are extensions that bundle NPAPI plugins. The rest are system-wide NPAPI plugins.
Friday, August 27, 2010
RealPlayer 6.0.12.775, fixes various vulnerabilities.
Today there's a new version of RealPlayer that fixes a bunch of critical vulnerabilities. The latest version is 6.0.12.775, although that is not always straightforward to find out. One of the vulnerabilities is CVE-2010-2996, which was fixed today, but was reported 16 months ago:
- 2009-04-15 - Vulnerability reported to vendor
- 2010-08-26 - Coordinated public release of advisory
The vulnerabilities fixed in this release, with the dates they were reported:
- CVE-2010-2996, reported 2009-04-15
- CVE-2010-3001, reported 2009-12-04
- CVE-2010-0116, reported 2010-02-11
- CVE-2010-0117, reported 2010-02-18
- CVE-2010-0120, reported 2010-02-23
- CVE-2010-3001, unknown date yet.
Secbrowsing can help you get the latest version. Disabling the plugin is also an option.
Tuesday, August 24, 2010
Shockwave plugin v11.5.8, fixes 20 vulnerabilities from the past 15 weeks.
Adobe has released a version of Shockwave plugin today, Aug 24, 2010, that fixes 20 critical vulnerabilities in the plug-in: http://www.adobe.com/support/security/bulletins/apsb10-20.html. That's more than 1 vulnerability per week, since the last update of this plugin, on May 11, 2010, just 15 weeks ago. In a previous post we have some answers to common questions such as "What is Shockwave?"
Here's a timeline of the vulnerability reports that went into the latest release:
- May 11, 2010:
- Shockwave 11.5.7 is released
- Unknown date: As of Aug 24, I could not find details for these vulnerability reports:
- CVE-2010-2863
- CVE-2010-2864
- CVE-2010-2865
- CVE-2010-2868
- CVE-2010-2869
- CVE-2010-2880
- CVE-2010-2881
- CVE-2010-2882
- May 27, 2010:
- CVE-2010-2866
- CVE-2010-2867
- CVE-2010-2870 example
- Jun 30, 2010:
- CVE-2010-2871
- CVE-2010-2872
- CVE-2010-2873
- CVE-2010-2874 example
- Jul 7, 2010:
- CVE-2010-2875 example
- Jul 20, 2010:
- CVE-2010-2876 example
- Aug 11, 2010:
- CVE-2010-2877
- CVE-2010-2878
- CVE-2010-2879 example
- Aug 24, 2010:
- Shockwave 11.5.8 is released
---
Why update and disable plugins?
Exploits in the browser and its plugins are the most common way people's computers get malware. It happens simply by browsing to a site, without any user interaction. It can be triggered by
- Randomly browsing the web, landing on a site that has been hacked.
- Browsing a site that runs a malicious banner ad. The ad only needs to run for a few minutes on a popular site to get thousands of people infected.
- Following a URL sent by a friend, whose email/IM account was compromised. This can also be a targeted attack against your organization.
Most plugins have a really bad security history, and are not required by most websites. Disabling them is often a good option.
Sunday, August 22, 2010
Chrome's bundled Flash results in much faster update
Chrome's bundling of Flash resulted in a dramatic drop of out-of-date users after the latest update, according to our stats.
We compared the number of users with up-to-date Flash, as well as the traffic to our site around the past two releases of Flash (10.1.82 on Aug 10 and 10.1.53 on June 10), and the difference is significant in both cases.
Graph 1 (chart): Visitors with out-of-date Flash
Graph 2 (chart): Total visitors
This method is less accurate, because many visitors came to the site because of either Flash or Quicktime (see below) -- but the results are still significantly different than before.
Graph 2: The relative traffic to our site around the two releases of Flash. For the first release (of 10.1.53), it took 16 days for traffic to come down to within 25% of normal, but for the latest one (of 10.1.82), only 6 days. This would have been even lower if there hadn't been an update for Quicktime on about the same day (about 40% of Chrome users also have Quicktime installed).
Notes
We track visits to http://secbrowsing.appspot.com/. 98% of the website's traffic is "direct", i.e. from users of the SecBrowsing extension (when the extension shows a warning, users click on the "red plugin" which brings them to the website). Neither the website nor the extension track the visitors' plugins, with the exception of Flash, which is tracked by Google Analytics by default. (tip: you can try to reproduce Graph 1 on your site, if you use Google Analytics).
The traffic to the site is very steady, except when a new plugin version is released. About 50% of visitors are new and 50% are returning, and this ratio has remained stable since the beginning of 2010.
Disclaimer
I work on Google's Security team -- the views expressed on this blog are personal.
Thursday, August 19, 2010
How to update Adobe Reader
Update, Sept 10: Download the latest version of Adobe Reader (9.3.4) here.
Usually secbrowsing links to the installer of the latest version for vulnerable plugins. However, the latest version of Adobe Reader (9.3.4) is not available as a direct download until August 31, 2010.
Meanwhile, please update your Reader plugin, using one of the following two options:
Trigger an update yourself:
- Open Adobe Reader (Start -> All Applications -> Adobe Reader -> Adobe Reader)
- Click on the "Help" menu
- Click on the "Check for Updates" menu item.
Or install the incremental patch manually:
- Download the incremental patch (9.3.3 to 9.3.4) here
- Install the incremental patch by running it directly.
- If your current version of Adobe Reader is older than 9.3.3, you need to download and install it first at http://get.adobe.com/reader/
Comments and questions are welcome as always.
Monday, August 16, 2010
On Backward compatibility and security bugs
One of the 6 critical vulnerabilities reported on Aug 12, 2010 for Adobe Flash is CVE-2010-0209. US-CERT shares some interesting details:
Adobe Flash supports two main types of ActionScript, which is the scripting language for Flash. ActionScript 3.0 is supported by the ActionScript Virtual Machine 2 (AVM2), while previous versions are supported by the ActionScript Virtual Machine 1 (AVM1). Flash 9 and later provide both AVM versions for compatibility with both ActionScript varieties. The AVM1 implementation provided with Flash 10.1 contains a vulnerability...
Backward compatibility is the source of the security bug in this case. If the developers only had to maintain AVM2, this bug would not have emerged. Apparently, backward compatibility is a common source of security problems. In the first chapter of the book Beautiful Security, the author explains how developers' psychology often leads them to overlook the security of functionality that's only there for backward compatibility. In some cases, it's also just the accumulation of code. More code means more bugs, simply because the rate at which developers generate bugs is pretty much constant.
Some more examples
In general, supporting old formats is only a source for more security bugs -- even if, in theory, libraries that handle these old formats have matured. CVE-2010-0041 and CVE-2010-0042 from a recent iOS vulnerability report are caused by libraries handling BMP and TIFF images respectively. Another vulnerability in Adobe Reader for Windows, Mac and Unix (CVE-2010-0188) was again related to how Adobe Reader handles TIFF images.
Browser plugins
In a sense, a lot of the web browser plugins today are still around for backward compatibility. Many websites were built to stream audio or video with RealPlayer, Windows Media Player, or Quicktime. These days, most websites use Flash instead.
In the new operating systems that have been introduced in the past 3 years, such as Apple's iOS, Android and ChromeOS, browser plugins are either completely unsupported or there is only limited support for them. You are probably familiar with the Apple/Adobe debate on Flash on iOS, and that Android, Chrome and ChromeOS support/bundle Flash.
No matter what your position is on Flash's role on the web today, if you take Flash out of the picture, there is very low demand for porting the traditional plugins (Java, Windows Media, Shockwave, RealPlayer, DivX, Silverlight, Quicktime) to the modern OSes. Either via native apps, or by means of HTML5, services find ways to reach their audiences.
Backward compatibility is everywhere
Old code (by definition) accumulates as time goes on. Why do Adobe Reader and iOS have support for TIFF, a standard first developed in the 1980s? Probably because nobody was encouraged to take the time to analyze its (lack of) usage, and support a case that it should no longer be supported.
Even if your iOS, Android or future ChromeOS device is in theory a brand new OS, it is bundling code that's quite old, and is only getting older.
If you are a developer, think of dropping features that are only there for backward compatibility. Try to make a case that nobody uses them. My favorite argument is that, once we drop them, if users need them, they'll ask for them. How many iPhone users would complain if their browser could not render BMP images? And out of the myriad feature requests for the iPhone, how high would this complaint rank?
If you can't eliminate old features, can you make them load on-demand? Maybe the user needs to run the program with a different configuration in order to get the old features. This way, you can protect the majority of users and still support the minority's needs. How many Flash movies run only on AVM1? Is it mostly sites built in 1995, and are these movies mostly their "intros"? In that case, disabling AVM1 could be thought of as a pretty good feature, actually :).
As a user, take a minute and uninstall old software, old plug-ins and old browsers from your system. And keep the rest up-to-date with security updates.