Unpatched Web Browsers Prevalent on the Internet

[ronjor]

Quote:

Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk from growing threats from diligent hackers, according to a new study published by researchers in Switzerland.

Article

[ccsito]

AV not up to date. OS not up to date. So what else is new?

[Dogbiscuit]

Quote:

But the problem of out-of-date browsers pales in comparison to the quagmire of plug-ins, which add extra functionality to the browser, such as Adobe's Flash and Apple's QuickTime multimedia program.

Interesting idea about adding a feature to the browser that would verify if plug-ins are up-to-date.

Running under Ubuntu, most software including browser plug-ins gets updated automatically, IIRC. One of the advantages of running Linux.

[dw426]

Quote:

Originally Posted by Dogbiscuit

Interesting idea about adding a feature to the browser that would verify if plug-ins are up-to-date.

Running under Ubuntu, most software including browser plug-ins gets updated automatically, IIRC. One of the advantages of running Linux.

Please correct me if I'm mistaken, but doesn't Secunia's PSI program watch for installed plugins also?

[Dogbiscuit]

It does.

It may not be all that much of a disadvantage using something like Secunia PSI in Windows.

Since the article was about users who fail to update, I was pointing out that out of the box, with Ubuntu, the OS has by default an automatic mechanism to update most all software. Those users probably would not be likely to add software like Secunia PSI in Windows if they don't even bother to update their browsers, hence the advantage of an automatic updating feature for most all software (including browser plug-ins) in the OS, turned on by default. And while Ubuntu is likely not used by those same types of users, the point is that that feature in Windows might, if it could be implemented, go a long way toward solving the problem of so many unpatched systems, browsers, plug-ins, applications, etc.

[Carver]

59.1 percent. I just downloaded Opera 9.51, I use Firefox 3, Thunderbird is unpached when a patch comes out for thunderbird/or a new version I will download it. I don't like to be vulnerable because I was lazy to update and a update is availeable.

[dw426]

Quote:

Originally Posted by Dogbiscuit

It does.

It may not be all that much of a disadvantage using something like Secunia PSI in Windows.

Since the article was about users who fail to update, I was pointing out that out of the box, with Ubuntu, the OS has by default an automatic mechanism to update most all software. Those users probably would not be likely to add software like Secunia PSI in Windows if they don't even bother to update their browsers, hence the advantage of an automatic updating feature for most all software (including browser plug-ins) in the OS, turned on by default. And while Ubuntu is likely not used by those same types of users, the point is that that feature in Windows might, if it could be implemented, go a long way toward solving the problem of so many unpatched systems, browsers, plug-ins, applications, etc.

I agree, such an automatic option would go a long way. I think, however, that due to the increasing dangers we face on the internet, that some of these software solutions, say, SpywareBlaster and the like, need to give up on the "software is free but automatic updates is not" idea. It was a silly idea to begin with (IMHO), and your average computer user can't be counted on to manually update his/her software on a daily basis.

And now, considering how dangerous malware and viruses are getting, not staying on top of updates can mean destroyed data, loss of financial control, among other things, not only for the person who didn't update, but for whomever else they sent files to and what have you. It is simply essential at this point that ALL software, not just security apps, have an automated update feature that is turned on by default. If that means some of the software we take for granted goes from free to paid, so be it. The costs of what some of this new malware can do alone for some people far exceeds the price of software.

[MikeBCda]

I've only one problem with auto-updates, and that's with apps that load with Windows, like my firewall (Comodo) and a few other things. Too many of them, if I've enabled auto-updates, assume and/or can't reliably check that I'm connected to the internet, and kick back error messages if they can't get through (I'm on a DSL PPPoE account, and connect/disconnect as appropriate, same as when I was on dialup).

I think one essential feature of auto-updates, especially if they become nearly universal (and I certainly won't argue with the need for that), is the ability to specify your type of connection. My avast a-v does that, but to the best of my memory none of the rest of my "arsenal" does -- typically the only option I can feed the updater is when and how often to check for updates.

[dw426]

Quote:

Originally Posted by MikeBCda

I've only one problem with auto-updates, and that's with apps that load with Windows, like my firewall (Comodo) and a few other things. Too many of them, if I've enabled auto-updates, assume and/or can't reliably check that I'm connected to the internet, and kick back error messages if they can't get through (I'm on a DSL PPPoE account, and connect/disconnect as appropriate, same as when I was on dialup).

I think one essential feature of auto-updates, especially if they become nearly universal (and I certainly won't argue with the need for that), is the ability to specify your type of connection. My avast a-v does that, but to the best of my memory none of the rest of my "arsenal" does -- typically the only option I can feed the updater is when and how often to check for updates.

I can see how the errors popping up are a bit annoying, but at least they bugger off after a minute or two. Having an option to specify connection is nice, but I kind of think they should do away with specifying how often to check and simply send the update as soon as it is released. If you specify it to check too often, it has the possibility of slowing other things you are doing up, and, of course if you don't let it check often enough, you run the risk of getting infected with something that you didn't update to protect against yet.

I just don't think that it is safe enough to leave updates in the hands of users anymore.

[lodore]

the problem with autoupdating is that 1. there could be some issues with the patch. 1. users see the auto update thing and click later because they want to use the computer now and say later everytime it comes up.

[dw426]

Quote:

Originally Posted by lodore

the problem with autoupdating is that 1. there could be some issues with the patch. 1. users see the auto update thing and click later because they want to use the computer now and say later everytime it comes up.

You have a good point in regards to issues with the patch, but as far as clicking later, not even that option should be available. Take for instance SAS Pro and Avast, they update themselves in the background and, with the exception to Avast, without a single popup. That is exactly how updates should be done these days. Updates to issues with a previous patch can be done in the same manner (in most cases, not all of course depending on the severity of the issues).

[Rmus]

Quote:

What the researchers found is that although software vendors provide patches for security problems, it can take days, weeks or months before people update their applications. In the meantime, those users are at risk.

It would have been helpful if the article could have elaborated on the "at risk" and given some suggestions for us poor souls biting our nails while waiting for the update, wondering if we dare log onto the internet in the meantime.

Quote:

Web browsers are often a weak link in the security chain, as software vulnerabilities can make it easy for hackers to gain control of a PC. When that happens, hackers can perform malicious acts such as stealing personal data or turning PCs into spam-spewing drones.

All but the alert reader could be left with the idea that without a secured browser and/or plugins, he is at terrible risk. It would be helpful if the article could discuss, or at least point to discussions of some "strong links" in the security chain. No security chain should be dependent solely on the browser to protect against web-based attacks. Yet that is what is implied here.

Quote:

...remainder at risk from growing threats from diligent hackers...

... hackers can perform malicious acts such as stealing personal data or turning PCs into spam-spewing drones.

We are left in limbo on this, since no specific attacks are mentioned, which would give the reader some basis for deciding whether or not he is protected by other means.

With a little digging, it's not too difficult to find out what is going on.

Legitimate sites serving up stealthy attacks
http://www.securityfocus.com/news/11501

Quote:

The actual malicious code served to visitors by the sites compromised by the Random JS Toolkit attempts to exploit computers using 13 different vulnerabilities, the company said. The Trojan horse program steals the victim's login credentials to access online banks.

(a trojan horse program is a malicious executable installed on the victim's computer by this attack)

New Variant of Crimeware Toolkit Infecting More Than 10,000 US Websites in December
http://www.finjan.com/Pressrelease.a...Lan=1819&lan=3

Quote:

The attack, which Finjan has designated "random js toolkit," is an extremely elusive crimeware Trojan that infects an end user's machine and sends data from the machine via the Internet to the Trojan's "master", a cybercriminal.

Thousands of More Hacked Websites
http://www.shadowserver.org/wiki/pmw...endar.20080424

Quote:

Successful exploit attempts coming from nihaorr1.com will result in the download of test.exe from the website. This is another password stealer like the one we found last time.

In another recent article on unpatched browsers, Brian Krebs (of WashingtonPost.com) was quoted and he referred to an earlier blog he wrote:

The Importance of the Limited User, Revisited
http://blog.washingtonpost.com/secur...e_limited.html

Quote:

If you use a computer powered by Microsoft Windows to surf the Web, check your e-mail and so forth, the single most important step you can take to protect your machine from viruses, worms and hackers is to use a "limited user" account for everyday computer use.

...the limited-user account does not have the right to install programs or change system settings. As a result, when malicious Web sites try to use security weaknesses in the operating system or your Web browser to conduct "drive-by" spyware and malware installs, for example, that installation process fails.

This in no way takes away from the importance of having a secured browser, but simply resets the priorities. When vulnerabilities in applications are exploited (weak links), you want something in place in the chain to take up the slack (strong link).

Besides running as Limited User, there are many other solutions that provide the same protection. Some are discussed in the Anti-Malware Software Forum.

[tlu]

@Rmus: Interesting links, Rich - thanks!

However, the quote from the Washington Post blog

Quote:

...the limited-user account does not have the right to install programs or change system settings.

is not precise. It's true that a limited user cannot install programs that need write permission to c:\, c:\Windows, c:\Program Files and most parts of the registry and that applies to most types of malware. Thus, all critical parts of Windows are safe against modification. However, user-mode malware (e.g. a keylogger) can install itself into c:\Documents and Settings\<user>\... and to one of the autostarts where the user has write permission. That's why I recommend the combination LUA+ SRP and kafu in order to make the protection perfect.

[Rmus]

Quote:

Originally Posted by tlu

@Rmus: Interesting links, Rich - thanks!

However, the quote from the Washington Post blog

is not precise.

Yes, Thomas, subsequent to reading that, I've done a couple of tests, and also
have PMed you about the latest Storm exploit.

At this moment, I'm referring people to the "LUA not being enough" thread for further information.

thanks.

----
rich