One of the biggest battles (and headaches) I find is trying to keep friends and family’s systems safe and secure (not to mention those at work).
One of the easiest ways to help fight that good fight is to keep web-browsers updated and ensure that any third-party plug-ins (Flash, Shockwave, Java, Air, Silverlight, etc.) are also kept current and fully patched.
Of course, there are additional tips like firewalls, AV/AM software layers, OS updating, and maybe focused OS security overlays such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Malwarebytes Anti-Exploit (MAE).
But again, the primary infection vector for most of the home/SOHO users I support comes through their web-browser. Certainly avoiding dodgy sites is a good place to start with protecting yourself online, but how do you know a site is dodgy? And most average PC users have never heard about malvertising and malware served via ads on trusted websites.
So, my web-browser/plug-in advice (and support to them) remains constant:
- If your web-browsing experience can live without Flash and Shockwave, ditch them!
- Unless you need the Java framework specifically for business or school purposes, ditch it!
- If you must have Flash, Shockwave, or Java installed on your system, keep it patched and ensure the options offered allow for automatic self-updating of the application.
- Check often for updated versions of your browser. Firefox offers notices when new versions are available, Chrome/Chromium offers self/silent updating features, and Internet Explorer typically gets updated along with Windows patch releases.
- Stop by Qualys BrowserCheck regularly in each of your browsers. A great tip is to set their site as (one of) your browser home pages. That way it will remind you to check every time you launch.
- Install (sadly the on-line scan is discontinued) the Personal Software Inspector (PSI) from Secunia.
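To see which of the plug-ins named in the list above are actually installed on a Windows PC, and at what version, the uninstall registry keys can be queried from PowerShell. This is an added example, not part of the original post; the name patterns are assumptions chosen for illustration and match broadly.

```powershell
# Added example: inventory the browser plug-ins named in the advice list.
# Assumption: products are identified by DisplayName substrings picked for
# this example; 'Java' in particular will also match JDK entries.
$patterns = 'Adobe Flash', 'Shockwave', 'Java', 'Adobe AIR', 'Silverlight'

# Per-machine (64-bit and 32-bit views) and per-user uninstall locations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep entries whose display name contains any of the patterns.
            $name = $_.DisplayName
            $name -and ($patterns | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

if ($found) {
    # One row per product, with the version to compare against the vendor's
    # current release.
    $found | Sort-Object DisplayName -Unique | Format-Table -AutoSize
} else {
    'None of the listed plug-ins appear in the uninstall registry keys.'
}
```

Anything the script lists that is not needed is a candidate for removal; anything that stays should have its version checked against the vendor's current release.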
Need more convincing?
- Java Patch Plugs 19 Security Holes — Krebs on Security
- Flash Patch Targets Zero-Day Exploit — Krebs on Security
- Yet Another Emergency Flash Player Patch — Krebs on Security
- Yet Another Flash Patch Fixes Zero-Day Flaw — Krebs on Security (this was the 3rd Flash patch release in two weeks!)
And if you are uninformed or just curious how the browser exploit works, here are some timely articles that showcase the process/threat.
- Low Hanging Fruit: Flash Player - F-Secure Weblog
- Major malvertising campaign spreads Kovter Ad Fraud malware – Malwarebytes Unpacked blog (note: this one surprised even me as one of my browser home-pages is set to “chron.com” which is listed among the affected websites!)
- Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - TrendLabs Security Intelligence Blog
- New Flash zero-day targets Windows, Mac users – ZDNet Zero Day blog
- A Closer Look at the Exploit Kit in CVE-2015-0313 Attack - TrendLabs Security Intelligence Blog
- Analyzing CVE-2015-0313 - The New Flash Player Zero Day - TrendLabs Security Intelligence Blog
- BEDEP Malware Tied To Adobe Zero-Days | Security Intelligence Blog - TrendLabs Security Intelligence Blog
- HanJuan EK fires third Flash Player 0day - Malwarebytes Unpacked blog
- Universal XSS flaw in fully patched Microsoft Internet Explorer exposed – ZDNet Zero Day blog
- Internet Explorer Cross-Site Scripting Vulnerability Now Public - TrendLabs Security Intelligence Blog
All this leaves commentaries like this much stronger in their warning cry…
Stay patched and stay safe!
--Claus Valca
4 comments:
Yes, keeping the browser updated is important. But yet so many people I run into get annoyed by the six-week update schedule of Mozilla. Some people turn off the updates (and then wonder why they have so many problems). I like that Chrome does the silent updates as it is one less thing that requires my attention to maintain. But, yet again there are people who refuse to use Chrome for that very reason.
Getting back to Firefox, people are annoyed because the update breaks their add-ons. They are quick to blame Mozilla when in fact it is the add-on developers. These developers have about 4 months from when the Firefox release is in the Nightly stages to release. Of course the majority of the complaints are from people using add-ons long abandoned by the developer.
@ FF Extension Guru - Yes! I've only had a few extensions not play well when an update comes down. I completely lean to having a more secure/updated browser over any inconvenience of a particular plug-in not working.
Way I see it, any developer providing an extension they really are committed to will maintain their product for compatibility.
If a developer fails to update it for build compatibility after a month or so then I'll jettison it and either find an alternative that will or just work around it.
I am very supportive of the Mozilla update schedule and am glad it keeps rolling on. I should keep an eye on the change log, but usually don't bother too much unless something "breaks".
I really like the way the Firefox Developer's build handles the update availability notifications. Have you had a chance to play with it? I've got it installed alongside my primary public release Firefox build and shift between the two.
Cheers,
--Claus V.
Have not had a chance to play with the Developer Builds. Don't really have much free time on my hands as I used to.
@ Firefox Extension Guru - I'd say you are not really missing that much. It is really geared more to the audience that uses the "F12" tools.
I like keeping it close as though I don't do much website work, the performance tools that are normally used for monitoring page-element loading, also come in super-handy for troubleshooting network performance.
Cheers!
--Claus V.