Unpatched Web Browsers Prevalent on the Internet

Discussion in 'other security issues & news' started by ronjor, Jul 1, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,796
    Location:
    Texas
    Article
     
  2. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    AV not up to date. OS not up to date. So what else is new? :rolleyes:
     
  3. Dogbiscuit

    Dogbiscuit Guest

    Interesting idea about adding a feature to the browser that would verify if plug-ins are up-to-date.

    Running under Ubuntu, most software including browser plug-ins gets updated automatically, IIRC. One of the advantages of running Linux.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Please correct me if I'm mistaken, but doesn't Secunia's PSI program watch for installed plugins also?
     
  5. Dogbiscuit

    Dogbiscuit Guest

    It does.

    It may not be all that much of a disadvantage using something like Secunia PSI in Windows.

    Since the article was about users who fail to update, I was pointing out that out of the box, with Ubuntu, the OS has by default an automatic mechanism to update most all software. Those users probably would not be likely to add software like Secunia PSI in Windows if they don't even bother to update their browsers, hence the advantage of an automatic updating feature for most all software (including browser plug-ins) in the OS, turned on by default. And while Ubuntu is likely not used by those same types of users, the point is that that feature in Windows might, if it could be implemented, go a long way toward solving the problem of so many unpatched systems, browsers, plug-ins, applications, etc.
     
    Last edited by a moderator: Jul 1, 2008
  6. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    59.1 percent. I just downloaded Opera 9.51, I use Firefox 3, Thunderbird is unpached when a patch comes out for thunderbird/or a new version I will download it. I don't like to be vulnerable because I was lazy to update and a update is availeable.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I agree, such an automatic option would go a long way. I think, however, that due to the increasing dangers we face on the internet, that some of these software solutions, say, SpywareBlaster and the like, need to give up on the "software is free but automatic updates is not" idea. It was a silly idea to begin with (IMHO), and your average computer user can't be counted on to manually update his/her software on a daily basis.

    And now, considering how dangerous malware and viruses are getting, not staying on top of updates can mean destroyed data, loss of financial control, among other things, not only for the person who didn't update, but for whomever else they sent files to and what have you. It is simply essential at this point that ALL software, not just security apps, have an automated update feature that is turned on by default. If that means some of the software we take for granted goes from free to paid, so be it. The costs of what some of this new malware can do alone for some people far exceeds the price of software.
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I've only one problem with auto-updates, and that's with apps that load with Windows, like my firewall (Comodo) and a few other things. Too many of them, if I've enabled auto-updates, assume and/or can't reliably check that I'm connected to the internet, and kick back error messages if they can't get through (I'm on a DSL PPPoE account, and connect/disconnect as appropriate, same as when I was on dialup).

    I think one essential feature of auto-updates, especially if they become nearly universal (and I certainly won't argue with the need for that), is the ability to specify your type of connection. My avast a-v does that, but to the best of my memory none of the rest of my "arsenal" does -- typically the only option I can feed the updater is when and how often to check for updates.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I can see how the errors popping up are a bit annoying, but at least they bugger off after a minute or two. Having an option to specify connection is nice, but I kind of think they should do away with specifying how often to check and simply send the update as soon as it is released. If you specify it to check too often, it has the possibility of slowing other things you are doing up, and, of course if you don't let it check often enough, you run the risk of getting infected with something that you didn't update to protect against yet.

    I just don't think that it is safe enough to leave updates in the hands of users anymore.
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    the problem with autoupdating is that 1. there could be some issues with the patch. 1. users see the auto update thing and click later because they want to use the computer now and say later everytime it comes up.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You have a good point in regards to issues with the patch, but as far as clicking later, not even that option should be available. Take for instance SAS Pro and Avast, they update themselves in the background and, with the exception to Avast, without a single popup. That is exactly how updates should be done these days. Updates to issues with a previous patch can be done in the same manner (in most cases, not all of course depending on the severity of the issues).
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It would have been helpful if the article could have elaborated on the "at risk" and given some suggestions for us poor souls biting our nails while waiting for the update, wondering if we dare log onto the internet in the meantime.

    All but the alert reader could be left with the idea that without a secured browser and/or plugins, he is at terrible risk. It would be helpful if the article could discuss, or at least point to discussions of some "strong links" in the security chain. No security chain should be dependent solely on the browser to protect against web-based attacks. Yet that is what is implied here.

    We are left in limbo on this, since no specific attacks are mentioned, which would give the reader some basis for deciding whether or not he is protected by other means.

    With a little digging, it's not too difficult to find out what is going on.

    Legitimate sites serving up stealthy attacks
    http://www.securityfocus.com/news/11501
    (a trojan horse program is a malicious executable installed on the victim's computer by this attack)

    New Variant of Crimeware Toolkit Infecting More Than 10,000 US Websites in December
    http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
    Thousands of More Hacked Websites
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
    In another recent article on unpatched browsers, Brian Krebs (of WashingtonPost.com) was quoted and he referred to an earlier blog he wrote:

    The Importance of the Limited User, Revisited
    http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
    This in no way takes away from the importance of having a secured browser, but simply resets the priorities. When vulnerabilities in applications are exploited (weak links), you want something in place in the chain to take up the slack (strong link).

    Besides running as Limited User, there are many other solutions that provide the same protection. Some are discussed in the Anti-Malware Software Forum.
     
  13. tlu

    tlu Guest

    @Rmus: Interesting links, Rich - thanks!

    However, the quote from the Washington Post blog
    is not precise. It's true that a limited user cannot install programs that need write permission to c:\, c:\Windows, c:\Program Files and most parts of the registry and that applies to most types of malware. Thus, all critical parts of Windows are safe against modification. However, user-mode malware (e.g. a keylogger) can install itself into c:\Documents and Settings\<user>\... and to one of the autostarts where the user has write permission. That's why I recommend the combination LUA+ SRP and kafu in order to make the protection perfect.:)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, Thomas, subsequent to reading that, I've done a couple of tests, and also
    have PMed you about the latest Storm exploit.

    At this moment, I'm referring people to the "LUA not being enough" thread for further information.

    thanks.

    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.