cc image credit: flickr image by surfcrs
There have been a lot of moves in the browser plugin world lately.
Based on the number of home-user systems I’ve had the “pleasure” of cleaning recently, it seems that an overwhelming vector for infection is outdated and vulnerable browser plugins. Nothing like an older version of Flash or Java to bring the sweet stench of PC decay and meltdown to a system.
Need more reading?
Linkz 4 Exploits to Malware - Journey Into Incident Response. Cory writes in that post…
Over the past year I’ve been conducting research to document attack vector artifacts. Vulnerabilities and the exploits that target them are one component to an attack vector. Some may have noticed I initially focused most of my efforts on vulnerabilities present in Adobe Reader and Java. I didn’t pick those applications by flipping a coin or doing “eeny, meeny, miny, moe”. It is not a coincidence I’m seeing exploit artifacts left on systems that target those applications. This has occurred because I pick vulnerabilities based on the exploits contained in exploit packs.
Exploit packs are toolkits that automate the exploitation of client-side vulnerabilities such as browsers, Adobe Reader, and Java. Mila Parkour over at Contagio maintains an excellent spreadsheet outlining the exploits available in different exploit packs on the market. The reference by itself is really informative.
Java is the largest malware target according to Microsoft - The H Security: News and Features
…it is not only exploits of old vulnerabilities that should concern Java users. As has been pointed out on Krebs on Security, a new exploit has emerged that is being built into automated attack tools. The critical vulnerability that this attacks has been addressed in an update, but only the very latest versions of Java are safe from this new exploit. If users are being slow at updating, very large numbers of them are likely to be at risk from this exploit.
Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date - Microsoft Security Blog. Tim Rains comments…
Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years. This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.
While the latest versions of Flash and Java do seem to offer self-update checking ability, it has been my experience that those auto-updaters don’t always check as frequently as they should, or may not even offer an update as soon as it is available. Don’t even get me started on Adobe Reader. These features are improvements, but even when they do work, they still require the user to notice the update offer and respond correctly to get the version bump.
At the bare minimum it is good practice to regularly hop over to Secunia and run their free, web-based Secunia Online Software Inspector (OSI). Hit the page, hit the green “Start” button, let Java do its thing and scan your system for insecure versions of software.
If you or a user can’t remember to regularly do that, Secunia also offers a more robust, installable version of their free Personal Software Inspector (PSI). This one will run as a service on your system constantly checking for and offering recommendations on fixing critical insecure applications.
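An added example, not code from this post or from Secunia, of doing the same version check-in yourself with PowerShell on Windows: it reads the Uninstall registry keys that both 32-bit and 64-bit installers write, picks out the Flash, AIR, Shockwave and Java entries, and compares them against a minimum-version table you fill in from the vendor pages linked in this post (the table values below are constructed placeholders, not real release numbers).

```powershell
# Added example (not from the original post): inventory the plugins this post
# talks about from the Windows uninstall registry keys and flag any that are
# older than a minimum version you supply.
function Get-PluginInventory {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        # 32-bit applications on an x64 system register under WOW6432Node
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Flash Player|Adobe AIR|Shockwave|Java\b' } |
        Select-Object DisplayName, DisplayVersion, PSPath
}

function Test-PluginBaseline {
    param(
        [AllowEmptyCollection()] [array] $Inventory = @(),
        [Parameter(Mandatory)] [hashtable] $Minimum
    )
    foreach ($item in $Inventory) {
        # Match the registry DisplayName against the keys of the baseline table
        $key = $Minimum.Keys | Where-Object { $item.DisplayName -like "*$_*" } | Select-Object -First 1
        if (-not $key) { continue }
        $installed = $null
        if (-not [version]::TryParse([string]$item.DisplayVersion, [ref]$installed)) {
            # Some installers write non-numeric version strings; report rather than guess
            [pscustomobject]@{ Name = $item.DisplayName; Installed = $item.DisplayVersion
                               Minimum = $Minimum[$key]; Status = 'UNPARSEABLE' }
            continue
        }
        # [version] compares component-wise, so 10.3.183.10 sorts below 10.3.183.9 correctly
        $status = if ($installed -lt [version]$Minimum[$key]) { 'OUTDATED' } else { 'OK' }
        [pscustomobject]@{ Name = $item.DisplayName; Installed = $installed
                           Minimum = $Minimum[$key]; Status = $status }
    }
}

# Constructed placeholder baseline: replace these with the versions shown on the
# Adobe and Java "current version" pages linked in this post.
$MinimumVersions = @{
    'Adobe Flash Player' = '10.3.183.10'
    'Shockwave'          = '11.6.0.0'
    'Java'               = '6.0.0'
}
$inventory = Get-PluginInventory
Test-PluginBaseline -Inventory $inventory -Minimum $MinimumVersions | Format-Table -AutoSize
```

Run it from an elevated prompt if you also want entries written under HKLM by per-machine installers to be readable on locked-down systems; anything flagged OUTDATED is a candidate for the manual update steps below.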
For my own update check-ins I regularly visit the FileHippo.com Plugins Downloads site. It’s just easier that way. (If you do RSS, they also have a Browser Plug-ins Category Updates Feed.) Please be aware that they will often include and/or only offer the very latest versions of these plugins, which may be “beta” or non-mainstream channel releases. Update according to your comfort level.
In particular, some of the latest Flash 11 versions tagged “Beta” may result in moderately obtrusive “watermarking” of their beta/incubator status in certain Flash window displays (most notably, for me, YouTube windows). Not necessarily a deal-breaker, but FYI if you run into it.
- Adobe Air - FileHippo mirror site.
- Flash Player - FileHippo mirror site. (be sure to get both the IE “ActiveX” and the “Non-IE” versions)
- Shockwave Player - FileHippo mirror site.
- Java Runtime Environment - FileHippo mirror site. (if you run x64, grab and install both the 32-bit and 64-bit versions)
If you prefer the “official source only” path, then here you go.
- Adobe - Flash Player Version - This page will tell you what version of Flash you are running and what the latest versions are.
- Adobe - Install Adobe Flash Player - Note depending on your browser usage, you may need to check the page in both IE and Firefox to get all the platform versions you need.
- Troubleshoot Flash Player installation | Windows - Links to both the update page as well as the direct manual download links for most current level of both versions; Flash Player 10 ActiveX and Flash Player 10 Plugin.
- Adobe - Test Adobe Shockwave Player - this page will play and display a Shockwave file which then tells you your currently installed version of Shockwave. Write it down, then go to the Adobe - Adobe Shockwave Player page to see what the latest version actually is. If that one is newer, download and install it (just watch out for the offered “bonus” software install and uncheck the box if you don’t want it).
- To confirm you have the freshest Java beans, pop over to this Verify Java Version page and see what fortune you get. Need an update? Well then my bedraggled friend, stop in at All Java Downloads to pick from the buffet. You likely will be focusing on the Windows 32-bit and 64-bit versions. To keep it simple, you just need to check in at Download Free Java Software.
For information on the next levels of Java and Flash you may want to check out these links:
- Adobe releases Flash 11 and Air 3 betas - BetaNews
- First Flash 11 beta brings 64-bit support to Linux... finally - ArsTechnica
- Java 7.0 released. - SANS ISC Diary post
- Java SE 7 Update 1 Released - Oracle download page
- Install a different version of Adobe Flash Player - Adobe
- Archived Flash Player versions - Adobe
- I am a developer, designer, or advanced user that creates or tests Flash content. How can I run debugger or alternate versions of Flash Player in Google Chrome? - Adobe
Looking for older Java 6.0.x or Flash 10.3.x series downloads from FileHippo? This can be an issue, as they only seem to be offering the latest Java 7.0.x and Flash 11.x (betas) from their pages.
The trick is to hop to one of these older version pages and check the right sidebar, which lists the downloads for the older versions you are looking for.
- Download Flash Player 10.3.183.10 (IE) - FileHippo.com
- Download Flash Player 10.3.183.10 (Non-IE) - FileHippo.com
- Download Java Runtime Environment 220.127.116.11 (32-bit) - FileHippo.com
- Download Java Runtime Environment 18.104.22.168 (64-bit) - FileHippo.com
Just like a surfer maintains their board with wax to keep it protected and performing well before hitting the waves, a responsible web-surfer needs to keep their browser plugins patched and fresh before hitting the Web.