One of the biggest battles (and headaches) I find is trying to keep friends and family’s systems safe and secure (not to mention those at work).
One of the easiest ways to help fight that good fight is to keep web-browsers updated and ensure that any third-party plug-ins (Flash, Shockwave, Java, Air, Silverlight, etc.) are also kept current and fully patched.
Of course, there are additional tips like firewalls, AV/AM software layers, OS updating, and maybe focused OS security overlays such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Malwarebytes Anti-Exploit (MAE).
But again, the primary infection vector for most of the home/SOHO users I support comes through their web-browser. Certainly avoiding dodgy sites is a good place to start with protecting yourself online, but how do you know a site is dodgy? And most average PC users have never heard about malvertising and malware served via ads on trusted websites.
So, my web-browser/plug-in advice (and support to them) remains constant:
- If your web-browsing experience can live without Flash and Shockwave, ditch them!
- Unless you need the Java framework specifically for business or school purposes, ditch it!
- If you must have Flash, Shockwave, or Java installed on your system, keep it patched and ensure the options offered allow for automatic self-updating of the application.
- Check often for updated versions of your browser. Firefox offers notices when new versions are available, Chrome/Chromium offers self/silent updating features, and Internet Explorer typically gets updated along with Windows patch releases.
- Stop by Qualys BrowserCheck regularly in each of your browsers. A great tip is to set their site as (one of) your browser home pages. That way it will remind you to check every time you launch.
- Install the Personal Software Inspector (PSI) from Secunia (sadly, the on-line scan is discontinued).
Need more convincing?
- Java Patch Plugs 19 Security Holes — Krebs on Security
- Flash Patch Targets Zero-Day Exploit — Krebs on Security
- Yet Another Emergency Flash Player Patch — Krebs on Security
- Yet Another Flash Patch Fixes Zero-Day Flaw — Krebs on Security (this was the 3rd Flash patch release in two weeks!)
And if you are uninformed or just curious about how browser exploits work, here are some timely articles that showcase the process/threat.
- Low Hanging Fruit: Flash Player - F-Secure Weblog
- Major malvertising campaign spreads Kovter Ad Fraud malware – Malwarebytes Unpacked blog (note: this one surprised even me as one of my browser home-pages is set to “chron.com” which is listed among the affected websites!)
- Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - TrendLabs Security Intelligence Blog
- New Flash zero-day targets Windows, Mac users – ZDNet Zero Day blog
- A Closer Look at the Exploit Kit in CVE-2015-0313 Attack - TrendLabs Security Intelligence Blog
- Analyzing CVE-2015-0313 - The New Flash Player Zero Day - TrendLabs Security Intelligence Blog
- BEDEP Malware Tied To Adobe Zero-Days - TrendLabs Security Intelligence Blog
- HanJuan EK fires third Flash Player 0day - Malwarebytes Unpacked blog
- Universal XSS flaw in fully patched Microsoft Internet Explorer exposed – ZDNet Zero Day blog
- Internet Explorer Cross-Site Scripting Vulnerability Now Public - TrendLabs Security Intelligence Blog
All this leaves commentaries like this much stronger in their warning cry…
Stay patched and stay safe!