Sunday, December 04, 2011

Check Carefully before Surfing (for safest performance)

image

cc image credit: flickr image by surfcrs

Been a lot of moving's in the browser plugin world lately.

Based on the number of home-user systems I’ve had the “pleasure” of cleaning recently, it seems that an overwhelming vector for infection is out-dated and vulnerable browser plugins. Nothing like an older version of Flash or Java to bring the sweet stench of PC decay and meltdown to a system.

Need more reading?

Linkz 4 Exploits to Malware - Journey Into Incident Response. Cory writes in that post…

Over the past year I’ve been conducting research to document attack vector artifacts. Vulnerabilities and the exploits that target them are one component to an attack vector. Some may have noticed I initially focused most of my efforts on vulnerabilities present in Adobe Reader and Java. I didn’t pick those applications by flipping a coin or doing “eeny, meeny, miny, moe”. It is not a coincidence I’m seeing exploit artifacts left on systems that target those applications. This has occurred because I pick vulnerabilities based on the exploits contained in exploit packs.

Exploit packs are toolkits that automate the exploitation of client-side vulnerabilities such as browsers, Adobe Reader, and Java. Mila Parkour over at Contagio maintains an excellent spreadsheet outlining the exploits available in different exploit packs on the market. The reference by itself is really informative.

Java is the largest malware target according to Microsoft - The H Security: News and Features

…it is not only exploits of old vulnerabilities that should concern Java users. As has been pointed out on Krebs on Security, a new exploit has emerged that is being built into automated attack tools. The critical vulnerability that this attacks has been addressed in an update, but only the very latest versions of Java are safe from this new exploit. If users are being slow at updating, very large numbers of them are likely to be at risk from this exploit.

Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date - Microsoft Security Blog. Tim Rains comments…

Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years. This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.

While the latest versions of Flash and Java do seem to offer self-update checking ability, it has been my experience that those auto-updaters don’t always check as frequently as they should, or may not even offer an update as soon as it is available.  Don’t even get me started on Adobe Reader.  These features are improvements, but even when they do work, they still require the user to notice the update offer and respond correctly to get the version bump.

At the bare minimum it is good practice to regularly hop over to Secunia and run their free, web-based Secunia Online Software Inspector (OSI).  Hit the page, hit the green “Start” button, let Java do its thing and scan your system for insecure versions of software.

If you or a user can’t remember to regularly do that, Secunia also offers a more robust, installable version of their free Personal Software Inspector (PSI). This one will run as a service on your system constantly checking for and offering recommendations on fixing critical insecure applications.

For my own personal updating check-ins I regularly check in at the FileHippo.com Plugins Downloads site.  It’s just easier that way. (If you do RSS they also have a Browser Plug-ins Category Updates Feed). Please be aware that they will often include and/or only offer the very latest versions of these plugins, which may be in “beta” or non-mainstream channel release. Update accordingly to your comfort level.

In particular, some of the latest Flash 11 versions tagged “Beta” may result in moderately obtrusive “watermarking” of its beta/incubator status in certain Flash windows displays (most notably to me, YouTube windows). Not necessarily a deal-breaker but FYI if you run into it.

For “official source only” path, then here you go.

For information on the next levels of Java and Flash you may want to check out these links:

More stuff:

Looking for older Java 6.0.x or Flash 10.3.x series downloads from FileHippo? Can be an issue as they only seem to be offering the latest Java 7.0x and Flash 11.x (betas) from their pages.

The trick is to just hop to one of these older pages and check the right-sidebar which will list the ones for older versions you are looking for.

Just like a surfer maintains their board with wax to keep it protected and performing well before hitting the waves, a responsible web-surfer needs to keep their browser plugins patched and fresh before hitting the Web.

--Claus V.

No comments: