
80% of Browsers Found To Be At Risk of Attack

CmdrTaco posted more than 3 years ago | from the zomg-we're-all-gonna-die dept.

CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."

Slashvertisement (4, Insightful)

suso (153703) | more than 3 years ago | (#35234534)

Not getting enough hits? Slashvertisement can work for your company too. Call today!

Re:Slashvertisement (5, Informative)

tgeller (10260) | more than 3 years ago | (#35234686)

That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

Re:Slashvertisement (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35234980)

This is a slashvertisement, but at least it was for something useful this time. I just patched 3 browsers based on the results.

Plug-ins Bad. Here's ours (2)

Lunoria (1496339) | more than 3 years ago | (#35234550)

So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure. People need to update their software for security. That's not news.

Re:Plug-ins Bad. Here's ours (5, Informative)

bunratty (545641) | more than 3 years ago | (#35234940)

You can use Mozilla's Plugin Check [mozilla.com] . No installation required.

Re:Plug-ins Bad. Here's ours (0)

Anonymous Coward | more than 3 years ago | (#35235106)

Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

Re:Plug-ins Bad. Here's ours (2)

bunratty (545641) | more than 3 years ago | (#35235326)

Ah, The perfect is the enemy of the good. [famous-quotes.net] Could there possibly exist some things that are useful despite the fact that they are not perfect?

Re:Plug-ins Bad. Here's ours (2)

ColdWetDog (752185) | more than 3 years ago | (#35235330)

Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

This is a problem for both the official Mozilla plug-in check and the current slashvertisement site. The official Mozilla site flags a much larger number of plugins including the hapless mess that is Java but misses several Google plugins. Unfortunately it appears that plugin writers don't necessarily follow the guidelines for announcing themselves and further that Silverlight comes back as outdated in both checks even though I've pulled the download directly from Microsoft's site, installed it and rebooted the machine.

If nothing else, this points to a huge problem for modern browsers. If there is no mechanism for automatically and accurately keeping tabs on the various components then no one, but no one is going to have a fully patched machine.

Re:Plug-ins Bad. Here's ours (1)

Darkness404 (1287218) | more than 3 years ago | (#35235690)

Which is why properly maintained repositories are so useful. However they are often incomplete (as in the case with Ubuntu), super-restricted (as in the case of Apple), or a mess (as in the case with Android).

Re:Plug-ins Bad. Here's ours (2)

jnpcl (1929302) | more than 3 years ago | (#35235442)

I dunno, who should I trust here? http://i.imgur.com/Pey3f.jpg [imgur.com]

I would have thought this closer to 100% (3, Insightful)

mswhippingboy (754599) | more than 3 years ago | (#35234562)

Since new exploits are identified each day.

Re:I would have thought this closer to 100% (4, Insightful)

SudoGhost (1779150) | more than 3 years ago | (#35234612)

I would have thought it closer to 100% since about 100% of browsers are used by people, which are the biggest security flaws in any system.

Re:I would have thought this closer to 100% (4, Informative)

Skarecrow77 (1714214) | more than 3 years ago | (#35234956)

My wife has a shirt that says "Social engineering" on the front, and on the back it says "Because there is no patch for human stupidity".

My wife is awesome.

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235292)

I know she's awesome, two. She thinks I am, three. Just kidding. Or am I?

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235444)

oh, I thought gay marriages are illegal..

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235712)

I want one like that.

Re:I would have thought this closer to 100% (2, Funny)

Anonymous Coward | more than 3 years ago | (#35235194)

Nah, 80% is correct. The remaining 20% of browsers are Opera, which is not known to be used by people.

Re:I would have thought this closer to 100% (1)

Imrik (148191) | more than 3 years ago | (#35235352)

It only counts exploits that have been patched.

Re:I would have thought this closer to 100% (3, Funny)

Kenja (541830) | more than 3 years ago | (#35234752)

Lynx is still pretty safe!

Re:I would have thought this closer to 100% (0)

commodore64_love (1445365) | more than 3 years ago | (#35234852)

I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

Re:I would have thought this closer to 100% (-1, Troll)

theaveng (1243528) | more than 3 years ago | (#35234958)

I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

I'm not surprised. The only thing worse than your Stupidity is your Shitty Grammar. Do us all a favor and just shut the hell up

You're too lazy to bother taking five minutes to understand what you're reading, or to put it into any sort of context. Which also explains why you keep making so many factually incorrect statements (about the law, banking, retailing, etc) that you could simply look up and accurately understand if you were so busy sitting on the couch watching ripped off entertainment and lamely trying to excuse it away by pretending that you, and only you, have good taste. You might be surprised at how transparent you are, seen from outside of your mom's basement. Maybe if you asked her for a bigger allowance, you could actually pay for some of what you're desperately trying to come up with ways to justify ripping off.

You're just making the mistake of assuming that you're smarter than you actually are, and that we aren't on to you. Which is typical of kids like you. You'll grow out of it.

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235058)

Methinks parent is stalking GP.

Re:I would have thought this closer to 100% (2)

osgeek (239988) | more than 3 years ago | (#35235168)

Look, man, if you have an opinion just express it. Don't keep these things all bottled up inside where they can fester.

Tell us what you really think about the guy and you'll feel better.

All this sugar coating to avoid hurting his feelings isn't doing either of you any favors.

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235240)

Irony.

Your sig vs your attack on the GP.

Re:I would have thought this closer to 100% (0)

Anonymous Coward | more than 3 years ago | (#35235356)

Nobody is going to hack you over your dialup from a hotel anyway. Their exploit would take too long since your slow connection is taken by your constant downloading of TV shows over that connection that you always brag about.

Re:I would have thought this closer to 100% (3, Funny)

VGPowerlord (621254) | more than 3 years ago | (#35235422)

I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

I wasn't aware that the Commodore 64 had updates.

Isn't that? (4, Funny)

Wolvenhaven (1521217) | more than 3 years ago | (#35234578)

The exact percentage of IE marketshare?

Re:Isn't that? (1)

elrous0 (869638) | more than 3 years ago | (#35234838)

Actually, I run Firefox and discovered recently that auto-update had stopped working for some reason. When I tried to update through Firefox, it reported that I had the latest version. When I did a manual check, I saw that I was running version 3.6.6. Checked the site and the latest version is actually 3.6.13. Had to download and install manually. Not sure what the problem was there, but just goes to show that even a technical user running Firefox can get out-of-date.

Re:Isn't that? (1)

ColdWetDog (752185) | more than 3 years ago | (#35234986)

The scanning tool doesn't help all that much either. It still insists that my Flash version is out of date, even though it's current (note to snarks, yes it's Flash, yes it's not all that secure even at the current patch level), it still insists that DivX is out of date, even though it's current (op cit).

Not terribly impressive. Initially it complained that FF was behind (and I had the same issue as elrous) and that Flash, Silverlight, DivX and Flip4Mac were also older versions. Except that I've not used the latter three plugins in months so there is little vulnerability there. Basically just another vendor trying to harp their wares with the interesting factoid of Firefox's problems.

Re:Isn't that? (0)

Anonymous Coward | more than 3 years ago | (#35235050)

Yeah, back in 2006. Today it's around 44% [wikipedia.org] (thank god).

Uhmm NO (4, Informative)

Monty845 (739787) | more than 3 years ago | (#35234608)

So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.

Re:Uhmm NO (1)

MozeeToby (1163751) | more than 3 years ago | (#35234714)

My thoughts exactly. So does having Javascript, flash, pdf, and Java disabled put me in the special 20%? Seems to me that their statistic should read 80% of those susceptible to social engineering have insecure browsers because no one should install random plugins from random companies without a much better reason than 'check your security'. Their webpage and software model appears to be practically identical to a million scareware, 'Anti-virus' products out there.

Re:Uhmm NO (1)

Tolkien (664315) | more than 3 years ago | (#35235348)

Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times? It might help their point, but it won't help their credibility.

Re:Uhmm NO (1)

Anonymous Coward | more than 3 years ago | (#35234832)

Worse than that:

"Install Qualys Browsercheck?

It can Access:

All data on your computer and the websites that you visit."

Re:Uhmm NO (1)

The MAZZTer (911996) | more than 3 years ago | (#35234876)

It is certainly possible to check plugin versions through JS alone, though from reading mozilla blogs I understand it's tricky since not all plugins report their version numbers the same way. Mozilla's Plugin Check. [mozilla.com]
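One way to do the JS-only check described in the comment above, added here as an example and not code from the thread, from Mozilla's Plugin Check or from Qualys: it works purely from the name and description strings that navigator.plugins exposes, with per-vendor parsing rules for the formats that differ. The plugin entries and the minimum-version baseline are constructed for the example (the baseline numbers are illustrative, not actual patch levels), and the function and rule names are assumptions of this example.

```javascript
// Added example, not code from the thread, Mozilla or Qualys: a JS-only
// plugin version check. A browser exposes only name/description/filename
// strings per plugin, and vendors format versions differently, so the parser
// needs per-vendor rules before a generic fallback.

// Pull a numeric version array out of a plugin's name + description text.
// Returns null when the plugin announces no version at all.
function parseVersion(text) {
  let m;
  // Flash style: "Shockwave Flash 10.1 r102" means 10.1.102
  if ((m = /(\d+)\.(\d+)\s+r(\d+)/.exec(text))) return [m[1], m[2], m[3]].map(Number);
  // Java style: "Java(TM) Platform SE 6 U23" means major 6, update 23 (mapped to 6.0.23)
  if ((m = /\bSE\s+(\d+)\s+U(\d+)/.exec(text))) return [Number(m[1]), 0, Number(m[2])];
  // Generic: first dotted run of numbers, e.g. "4.0.60310.0"
  if ((m = /(\d+(?:\.\d+)+)/.exec(text))) return m[1].split('.').map(Number);
  return null;
}

// Compare two version arrays component-wise; missing components count as 0,
// so [1, 6] and [1, 6, 0, 0] are equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed sample of what navigator.plugins entries look like. The Media
// Player entry carries no version string at all, which is exactly the case a
// version-only checker cannot resolve.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.1 r102', filename: 'NPSWF32.dll' },
  { name: 'Java(TM) Platform SE 6 U23', description: 'Next Generation Java Plug-in 1.6.0_23 for Mozilla browsers', filename: 'npjp2.dll' },
  { name: 'Silverlight Plug-In', description: '4.0.60310.0', filename: 'npctrl.dll' },
  { name: 'Google Gears 0.5.33.0', description: 'Google Gears 0.5.33.0', filename: 'gears.dll' },
  { name: 'Windows Media Player Plug-in Dynamic Link Library', description: 'Npdsplay dll', filename: 'npdsplay.dll' },
];

// Constructed baseline of "oldest acceptable" versions. These are illustrative
// numbers for the example, not real patch levels; a real checker would pull
// them from a vendor-maintained list. Plugins with no rule are reported as
// not-in-baseline rather than silently passed.
const BASELINE = [
  { match: /^Shockwave Flash/, minimum: [10, 2, 152] },
  { match: /^Java\(TM\) Platform/, minimum: [6, 0, 24] },
  { match: /^Silverlight/, minimum: [4, 0, 60310, 0] },
  { match: /^Windows Media Player/, minimum: [11, 0] },
];

// Classify each plugin against the baseline. Four outcomes are kept distinct
// (outdated, current, unknown-version, not-in-baseline) because each needs a
// different follow-up; collapsing the last two into "fine" is how Gears and
// Media Player disappear from a report.
function checkPlugins(plugins, baseline) {
  return plugins.map((p) => {
    const version = parseVersion(`${p.name} ${p.description}`);
    const rule = baseline.find((b) => b.match.test(p.name));
    let status;
    if (!rule) status = 'not-in-baseline';
    else if (!version) status = 'unknown-version';
    else status = compareVersions(version, rule.minimum) < 0 ? 'outdated' : 'current';
    return { name: p.name, version: version ? version.join('.') : null, status };
  });
}

// In a browser: checkPlugins(Array.from(navigator.plugins), BASELINE)
// Offline, against the constructed sample:
console.table(checkPlugins(SAMPLE_PLUGINS, BASELINE));
```

Note what a check like this can and cannot tell you. Like BrowserCheck and Plugin Check it compares version strings, so a plugin that announces no version (the Media Player entry above) or a vendor that ships a fix without bumping the version falls through the cracks, and an "outdated" result means a known-fixed bug is present, not that it is reachable on that particular machine.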

Re:Uhmm NO (0)

Anonymous Coward | more than 3 years ago | (#35235226)

I'm running Opera, no Java. It worked fine and didn't ask to install anything.

Re:Uhmm NO (1)

elashish14 (1302231) | more than 3 years ago | (#35235646)

Then Jesus proclaimed, "Behold, I will now compromise the security of this OpenBSD installation. Here you see the machine. It is fresh, clean, secure. Now, turn around. Turn around..."

Java?!?!? (1)

Anonymous Coward | more than 3 years ago | (#35234614)

Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

Kiddies, remember, in the future someone will say "we have a write once run everywhere language that is secure!" and you can look back on Java and say, "Nuh ahh! It existed before!" and then when you post on the future version of Slashdot pointing this fact out, you will be modded down - just like the people who pointed out that BASIC was supposed to be write once - run everywhere and that didn't pan out.

History repeats itself - especially in IT.

Remember that when you think you're smarter than others .....

Didn't proof read b/c Slashdot's scripts are too goddam slow!

Re:Java?!?!? (3, Informative)

mswhippingboy (754599) | more than 3 years ago | (#35234988)

Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

This is actually true. However, when users just mindlessly click through the security dialog on unsigned applets that warns that resources outside the sandbox may be accessed, it defeats the whole sandbox protection mechanism.

I guess it gets back to the old adage "Make it foolproof and only a fool will use it.".

Re:Java?!?!? (1)

gad_zuki! (70830) | more than 3 years ago | (#35235142)

You don't need to click on anything. The malware Java exploits I've seen in the wild simply load up as applets. The malware writers get them signed with stolen keys. No need for the user to do anything. Blaming the user is common here, but it's shit software owned by a shit company, and has a shitty security record.

Considering most people have no need for java the best advice isn't update, its uninstall it.

Re:Java?!?!? (0)

mswhippingboy (754599) | more than 3 years ago | (#35235282)

I'm sure you're right. Just one thing I don't understand though. If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

I assume you have a different language/platform that you prefer. Care to share it with us? I'm sure it is the 100% perfect language that no one here on /. can find flaws with.

Re:Java?!?!? (1)

Zelgadiss (213127) | more than 3 years ago | (#35235244)

Java was supposed to be the safe (but painfully slow) way to run "web apps" after the giant clusterfuck that was ActiveX.

But over the years it seems it too has "grown" into a security risk.

I wonder if Javascript will suffer the same fate one day.

Self-selecting for failure (3, Interesting)

RobertB-DC (622190) | more than 3 years ago | (#35234626)

So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery [ghostery.com] immensely).

Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

Re:Self-selecting for failure (1)

NotBorg (829820) | more than 3 years ago | (#35235694)

This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

This. (QFT)

Also, it seems the plug-in only scans software versions. It doesn't actually test if penetration is actually possible. If blocked by firewall, AV, sandboxing, system policies, etc, the test still flags you as vulnerable. It probably doesn't take into account the likelihood of a particular vulnerability of being exploited. Some "holes" have a rather obscure set of conditions that must be present for them to work.

But I suppose at the end of the day it only takes one fucked up plugin to bitch slap you in the face: Adobe Flash. (You don't need another plugin to test what version you have either.)

Lynx FTW (0)

antifoidulus (807088) | more than 3 years ago | (#35234654)

Whew, doesn't look like there are any Lynx vulnerabilities so I'm safe!

Did I pass? (0)

Anonymous Coward | more than 3 years ago | (#35234688)

I guess this means that my browser passed:

Qualys BrowserCheck is not supported with your current browser, operating system or both.

Updating Java (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35234692)

Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

Re:Updating Java (1)

Vlad_the_Inhaler (32958) | more than 3 years ago | (#35235124)

My reason is different.
When I am browsing with Windows - which is not very often - it is with XP without Admin rights. Up comes a warning saying 'There is a new Java version available'. Well, I don't have the rights so I switch to an account *with* rights and . . . nothing. Ok, I go to Settings/Java and tell it to upgrade. It ignores me.

Ok, I could go to the Oracle site and download the JVM directly, but wtf does the standard update mechanism simply not work? It did once.

I tried installing once without Admin rights and it happily downloaded the update to some place I never found before telling me that it was not able to do the update. If I go into XP in the first place it is normally because I want to do something specific which I can't get to work on Linux. I really can't be bothered trying to work out why some stupid software package feels it can't update itself.

Re:Updating Java (0)

Anonymous Coward | more than 3 years ago | (#35235520)

If only java didn't install a service AND autostart entry on windows each time it is updated, that relies on other vulnerable services... Why do I need to spend several minutes to clean up after the update each time?

Re:Updating Java (0)

Anonymous Coward | more than 3 years ago | (#35235280)

Or the Java ‘quick’ starter for that matter. It comes back after every update.

Old versions kept with Java (2)

SmilingBoy (686281) | more than 3 years ago | (#35234724)

One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!

Many users cannot update (0)

Anonymous Coward | more than 3 years ago | (#35234726)

In my experience, your average user has a machine that is quite a few years old (end of life performance wise).
If pressure to upgrade was successful once, it long since passed the point where they needed to upgrade the OS and computer before they could update their browser.
Amidst the stability problems of a home computer that hasn't been formatted periodically (or ever), only select browsers (and only specific versions of them) can run successfully.

I've come across this a lot since the latest bout of cool features for web came along. It is difficult to fix the problems caused by lingering dated hardware.

My proposal: the One Macbook Per Child program.

Java, obvious (3, Insightful)

Bobfrankly1 (1043848) | more than 3 years ago | (#35234730)

The most likely plug-in to require a patch: same as last year, Oracle's Java."

Of course, this has nothing to do with the fact that new versions of Java tend to break existing java based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

Re:Java, obvious (0)

Anonymous Coward | more than 3 years ago | (#35234774)

Yup, we don't ever patch Java or update it 'cuz our Java stuff always breaks. Java is just too damn brittle!

Re:Java, obvious (1)

Desler (1608317) | more than 3 years ago | (#35234888)

So the mantra should be: "Write once, break every new version", right?

Re:Java, obvious (4, Interesting)

mswhippingboy (754599) | more than 3 years ago | (#35235212)

While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

I guess I've just been lucky.

Re:Java, obvious (1)

Bobfrankly1 (1043848) | more than 3 years ago | (#35235300)

I know we have to keep our java below a certain version for our Citrix remote portal. There are some other apps that are affected, but that's by far the most important one for us.

Re:Java, obvious (1)

mswhippingboy (754599) | more than 3 years ago | (#35235598)

Ok, I see your point. Vendor supplied applications almost always specify a particular Java version. Sometimes it's because they do something out of the ordinary (such as using JNI to get outside the JVM), or sometimes it's just that they've only tested and certified it to work with a particular version. However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

Re:Java, obvious (1)

Calsar (1166209) | more than 3 years ago | (#35235612)

Are there really enterprise apps that are 15 years old? Java wasn't even a server side technology back then; the only thing you could do was write applets. The applets I wrote using JDK 1.0 stopped working several versions of Java ago.

Re:Java, obvious (1)

Hydian (904114) | more than 3 years ago | (#35235624)

We ran into a particular version that when installed would not allow IE to use plug-ins for other versions of Java. I believe it was version 6, update 20, but it's been a while so I'm not positive anymore.

Re:Java, obvious (0)

Anonymous Coward | more than 3 years ago | (#35235706)

I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

J2EE is only 11 years old, bro. Is this like having 10 years of C# experience back in 2005?

Irony: it is a plugin (1)

MobyDisk (75490) | more than 3 years ago | (#35234746)

You have to appreciate the irony that the test requires a plug-in. For all I know, the test is the virus. I assumed it would be a series of javascripts that tested vulnerabilities.

False positives? (1)

dgatwood (11270) | more than 3 years ago | (#35234756)

I wonder how much of this is due to vendors deliberately not bumping the version numbers when they put in a security patch?

Not vulnerable (0)

Anonymous Coward | more than 3 years ago | (#35234776)

I resisted the "Install Plugin" ruse. Consequently no vulnerability was found.

Mozilla has one too (2)

gQuigs (913879) | more than 3 years ago | (#35234786)

Re:Mozilla has one too (1)

hduff (570443) | more than 3 years ago | (#35234982)

So both sites tell me that Shockwave and Java are out-of-date (using Mageia1-alpha1 and FF4beta11) and I update them with the files they provide links to AND it now says I'm still out-of-date.

Derp?

Mandatory Access Controls or Sandboxing (1)

metrix007 (200091) | more than 3 years ago | (#35234788)

So, at present the most secure browsers on Windows are Chrome and IE8+

Why?

Because they make use of Windows Integrity Controls, a type of MAC which means if a low level process is exploited it has no access to the rest of the user account.

As much as people laud Opera they are really behind the fucking curve on this one, and I don't know what Mozilla's excuse is. With the excess betas they really don't have one.

It should be noted before hairyfeet gets in that while Firefox and Opera do not make use of WIC, this is not the same as running a browser as root and leaving the whole system vulnerable as he has tried to state before [slashdot.org]. If you run as a basic user and keep your browser up to date then you are reasonably secure, just not as secure as Chrome or IE in the event of an attack.

On Linux it is a different story, as with SELinux, RSBAC, grsecurity or any of the other frameworks you can restrict the helper processes as you see fit, and restrict exactly what directories or objects they have write, read or execute permission to. It would be nice if the browser makers hopped on board and added some native support though.

Re:Mandatory Access Controls or Sandboxing (1)

tuppe666 (904118) | more than 3 years ago | (#35235114)

SO, at present the most secure browsers on Windows are Chrome and IE8+

I'd love to see you back this claim up. Windows Integrity Controls are used by only a small share of Windows users, and Internet Explorer's integration with Windows will mean that Internet Explorer 8 and its insecurities will continue until users update or move away from XP. Perhaps if Windows was not so closely tied to the machine, was easy to install and was offered separately for less than the price of a second-hand car, they would be more secure.

Re:Mandatory Access Controls or Sandboxing (0)

metrix007 (200091) | more than 3 years ago | (#35235210)

Not sure what point you're making. I was assuming Vista and up for my statement. To clarify, Chrome and IE8+ are the most secure browsers on versions of Windows Vista and after due to making use of WIC and/or sandboxing.

Re:Mandatory Access Controls or Sandboxing (2)

gad_zuki! (70830) | more than 3 years ago | (#35235230)

The problem with these sandboxed browsers is that their plugins are not sandboxed, generally.

I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

I think IE8 is doing well on these tests because if you're using IE you might be a corporate user whose computer is regularly updated by the system admin.

Both these browsers running an insecure version of Java means instant exploit. The best advice is run any browser you want, but get rid of Java and use an alternate PDF reader.

Browsers themselves are now pretty secure, it's the damn plugins causing all the issues. At least Google understands this and has a sandboxed secure PDF reader in Chrome. If only they would disable the Java plugin by default or make it throw a UAC prompt every time it needs to run. Java sitting there on the browser ready to run any applet is absolute madness.

Re:Mandatory Access Controls or Sandboxing (1)

VGPowerlord (621254) | more than 3 years ago | (#35235556)

I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

Chrome also integrates Adobe Flash... but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

Re:Mandatory Access Controls or Sandboxing (1)

mlts (1038732) | more than 3 years ago | (#35235578)

The more browsers use the operating system security abilities, be it WIC, jail(), AppArmor, SELinux, or any other mechanism that reduces the privs a Web browser runs under, the better.

The battle for control of most PCs is going to be fought at the browser and browser add-on level. This is one front that really needs defense in depth, from browser add-ons being in a separate context from other objects, to a browser tab or window not being able to access other windows, to a browser not being able to get normal user (or even worse, root/sysadmin/QSECOFR context.)

Kudos to Chrome for working on advances with keeping things separated/sandboxed. A Flash or other scripted app that can record keystrokes only can record those typed in its window of the Web browser, and can't record anything if the user is using another window or another program.

Re:Mandatory Access Controls or Sandboxing (1)

mlts (1038732) | more than 3 years ago | (#35235632)

Correction: Kudos to Google for using OS controls for additional security.

Yes, using OS specific security constructs makes a Web browser less portable across platforms, but it might be that some OS security mechanism may be the only thing standing in the way of browser compromise turning into complete machine pwnage.

On a larger scale, it might be time for OS makers to have some standardized security mechanisms, where a program can take advantage of them regardless if it runs on Windows, OS X, AIX, or OpenVMS.

Not sure of header (1)

hesaigo999ca (786966) | more than 3 years ago | (#35234818)

With a heading like this, too much is left to the imagination, I thought 80% of browsers out there in use are vulnerable, and if that is all, I would say redundancy is useless. Stating the obvious, such as any application made by man, will be error prone....so any browser running out there, is obviously flawed, no news here, move along...

Corporate -vs- home users? (2)

MobyDisk (75490) | more than 3 years ago | (#35234846)

I wonder what the percentages are for corporate users compared with home users. I bet home users are better: My current employer requires our machines to have a *particular* version of Java installed. The internal corporate web site doesn't work on anything newer, or older. Unfortunately this seems to be the norm, not the exception.

I'm constantly amazed at how these internal apps are some of the poorest maintained software. Training applications, time sheets, desktop sharing, CRMs ... consistently the poorest quality tools I encounter.

BrowserCheck not supported on my system (0)

koinu (472851) | more than 3 years ago | (#35234866)

Qualys BrowserCheck is not supported with your current browser, operating system or both. See supported versions below.

And now? Am I safe?

Firefox terrible in this regard (1)

Anonymous Coward | more than 3 years ago | (#35234874)

Simple patch updates have serious regression issues, such that extensions no longer work. I've been stuck on a particular version for months now, because one of my extensions won't work with the new version, and this has NEVER been addressed, either by Mozilla or the extension developer.

For fuck's sake, if you want me to update, don't fuck my shit up..

Re:Firefox terrible in this regard (1)

tuppe666 (904118) | more than 3 years ago | (#35235392)

Which extensions don't work? I have been shocked that I have been able to run a beta copy of Firefox for months with my plug-ins working; considering these are not under Mozilla's control, I find it remarkable. In fact the extensions page tells you if the plugin works with your version of Firefox. I suspect if you're running 3.6.* everything works :).

Install Plugin to Check Your Browser (0)

Anonymous Coward | more than 3 years ago | (#35234942)

That's what the header of their web page says. Oh sure. I'll do that right away.

Not even remotely surprised (3, Insightful)

jimicus (737525) | more than 3 years ago | (#35234962)

I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

The mess we have right now is the reason why there is always something on a PC that needs updating.

Re:Not even remotely surprised (0)

Anonymous Coward | more than 3 years ago | (#35235344)

You don't need a centralized repository. You just need applications that can update themselves. This has been on the rise on OS X for awhile, since before the app store. OS X apps could use Sparkle to handle automatic updates. Windows doesn't need a central repository, it just needs something like Sparkle.

Re:Not even remotely surprised (1)

mdielmann (514750) | more than 3 years ago | (#35235546)

A lot of the Windows apps I use are auto-updating (preferably on app start), and it's one of the features I look for. Also, Windows 7 Update carries drivers from third parties as optional components, which is (potentially) handy. After all, if you're going to check for updates to your OS, it helps if you check for updates to the components that directly interface with your OS.

Re:Not even remotely surprised (1)

mlts (1038732) | more than 3 years ago | (#35235682)

I'll take the repos where the Web browser can scan both default and user specified repositories for updates over having every single program, plugin, and code chunkie having a separate update mechanism.

With so many update mechanisms, there are so many links that can become weak links in a security chain that program security becomes unwieldy. If a blackhat manages to compromise some browser addon's update mechanism, and the addon can get user (or even admin) context, it means the blackhat just obtained themselves a multi-million PC botnet with users unable to do anything about it.

The only thing that should update applications should be the OS, other than application data (levels in games, zones for a MMO, etc.) Why have every single program reinvent the wheel, as opposed to having a hardened OS mechanism do the dirty work.

This is the nice thing about repos, Apple's App Store, and Windows 8's store. If I want to tell a user to download an app, they just type it in on the store search, and download it. No website compromise, no Trojanized executables. It also increases the "hmm, I shouldn't really do this" barrier with websites asking a user to install dubious applications manually, as opposed to through a repo/store.

So, repos keep the chance of getting Trojans down, which is one of the bigger vectors of compromise. Leave the application updates to the OS.

Re:Not even remotely surprised (0)

Anonymous Coward | more than 3 years ago | (#35235548)

I use OS X at home and am constantly in wonderment at the design of the software update system...

Why is it that the "Software Update" program that's built into the OS doesn't also check the versions of the software installed via App Store?

Why is it that all the programs I have (VLC, Firefox, etc...) all have their own update system?

Why do I need to pop into a shell to update my command line tools via apt-get ?

It's like the worst of all worlds. The rest of the OS is pretty nice.

Java needs to update better... (1)

toxickitty (1758282) | more than 3 years ago | (#35234974)

Java is a horrible piece of crap when updating. I've been running it on Vista and now Windows 7 for ages and the auto update NEVER WORKS. I have to manually update every time. It's really squarely Java's fault. Also if anyone happens to know how to fix it I always get "Failed to download required installation files.". I've had no luck in trying to find the cause of it.

Plugins don't auto update (1)

sandytaru (1158959) | more than 3 years ago | (#35235006)

Java and Adobe's problem is the same - it asks permission to update instead of doing it silently. Heck, the last Reader update required a system reboot. Compare that to AdBlock or NoScript, which updates without you having to do anything and lets you know after the fact. I can force out Windows updates on the systems I manage, but I can't force users to update their Java, and the icon will sometimes sit there for weeks or months before they even bother to mention it.

Re:Plugins don't auto update (1)

Locke2005 (849178) | more than 3 years ago | (#35235204)

They both need to ask permission because their updates so frequently fail. Nothing like doing the same automatic update over and over again to bring your computer to a crawl.

Not bad, actually (0)

Anonymous Coward | more than 3 years ago | (#35235036)

Well, that was a surprise: I've been checking Adobe almost weekly for updates to Acrobat Reader 9.4 for Linux. Adobe's web site always tells me it's the latest. But this tool directs me to Adobe's FTP (not HTTP) where I find--lo and behold--there is a 9.4.1 and it's been out since September. So what's wrong with Adobe's download? Lazy site maintenance? As for Java, I also check this weekly. Last Monday, the 14th, the latest was 1.6.0_22. Today I see that 1.6.0_23 was released on the 14th. I'm pleased. Besides, this patching beats working. :)

WTF? (2)

The Grim Reefer2 (1195989) | more than 3 years ago | (#35235052)

I went to the Browser Check [qualys.com] link and was told that I have to enable Java and refresh the page. So to check my browser's security I first have to lower my current security settings? Now I see how they got their numbers.

Re:WTF? (0)

Anonymous Coward | more than 3 years ago | (#35235536)

They also want you to install their custom plugin. LOL.

80% of users can't be trusted (2)

ArhcAngel (247594) | more than 3 years ago | (#35235136)

to stay away from web sites that steal their data.

Secunia PSI (1)

Anonymous Coward | more than 3 years ago | (#35235208)

Use Secunia PSI to auto-update your software, including many commonly used plugins:

http://secunia.com/vulnerability_scanning/personal/

100% of web browsers are vulnerable (1)

blair1q (305137) | more than 3 years ago | (#35235238)

Anyone who imagines we've found all the exploits already is a moron.

has trouble with nspluginwrapper (2)

AdamWill (604569) | more than 3 years ago | (#35235264)

If you have Flash installed via nspluginwrapper, it shows two Flash entries, one saying "10.2.152 Up to Date", but the other saying "10.2 Potential Threat", with an explanation that it couldn't figure out the version precisely enough to be sure what it was. It counts this as a security threat. So that's a false positive right there.
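The imprecise-version case described above (a wrapped Flash reporting only "10.2") and the Java 1.6.0_22 vs 1.6.0_23 comparison from the "Not bad, actually" post both come down to how a scanner compares a reported version against the first fixed version. The following is an added example, not Qualys BrowserCheck code; the "first fixed" table is constructed for illustration and is not a real advisory list.

```python
import re

# Constructed table of hypothetical "first fixed" versions per plug-in.
# These are illustrative only, not taken from any real advisory.
FIXED_VERSIONS = {
    "Flash": "10.2.152",
    "Java": "1.6.0_23",
    "Reader": "9.4.1",
}

def parse_version(text):
    """Turn '1.6.0_23' or '10.2.152' into a tuple of ints for comparison."""
    return tuple(int(p) for p in re.split(r"[._]", text.strip()) if p.isdigit())

def assess(plugin, reported):
    """Classify a reported plug-in version as up-to-date, out-of-date or unknown.

    A truncated report (e.g. '10.2' from nspluginwrapper) is compared on the
    shared prefix only; if the prefix matches the fixed version exactly, the
    scanner cannot tell and must say 'unknown' rather than flag a threat.
    """
    fixed = parse_version(FIXED_VERSIONS[plugin])
    seen = parse_version(reported)
    if len(seen) < len(fixed):
        prefix = fixed[:len(seen)]
        if seen < prefix:
            return "out-of-date"
        if seen > prefix:
            return "up-to-date"
        return "unknown"  # cannot decide from the information given
    return "up-to-date" if seen >= fixed else "out-of-date"

def tabulate(systems):
    """Fraction of systems with at least one component that is definitely
    out of date; 'unknown' components are not counted as vulnerable."""
    vulnerable = sum(
        1 for s in systems
        if any(assess(p, v) == "out-of-date" for p, v in s.items())
    )
    return vulnerable / len(systems)

# Constructed sample inventory of three machines (plug-in -> reported version).
SAMPLE_SYSTEMS = [
    {"Flash": "10.2.152", "Java": "1.6.0_23"},   # fully patched
    {"Flash": "10.2", "Java": "1.6.0_22"},       # Java definitely old
    {"Reader": "9.4.1", "Flash": "10.2"},        # only an undecidable Flash report
]

if __name__ == "__main__":
    for plugin, ver in [("Flash", "10.2"), ("Java", "1.6.0_22")]:
        print(plugin, ver, "->", assess(plugin, ver))
    print("share with >=1 out-of-date component:", tabulate(SAMPLE_SYSTEMS))
```

Counting the undecidable case as a threat, as the post above describes, would push the third machine into the vulnerable bucket and inflate the percentage.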

Better statistic (1)

JustAnotherIdiot (1980292) | more than 3 years ago | (#35235434)

100% of machines used by idiots are at risk of attack when they try to claim their prize for being the 1000th visitor.

USA 2011 (0)

westlake (615356) | more than 3 years ago | (#35235560)

"About eight out of every 10 Web browsers run by consumers are vulnerable to attack [CC] by exploits of already-patched bugs, a security expert said Thursday."

The venue is worth a mention: RSA Conference 2011 - San Francisco [rsaconference.com]

This is not a second-tier event.

Speakers include former President Bill Clinton, General Keith B. Alexander, Commander, U.S. Cyber Command, William Lynn III, Deputy Secretary of Defense...

In Open Source from Qualys:

BlindElephant Web Application Fingerprinter [sourceforge.net]

Does an error equal secure? (1)

Hydian (904114) | more than 3 years ago | (#35235580)

If it gives you an error when you try to run it, does that mean that you are secure or vulnerable?

What is this crap (0)

Anonymous Coward | more than 3 years ago | (#35235636)

So in order to test my system, I need to re-enable javascript, cookies and plugins and download an unknown untrusted plugin?

I'm afraid I must decline...

The scan is not even close to accurate (0)

Anonymous Coward | more than 3 years ago | (#35235644)

I tried the Qualys BrowserCheck. It misidentified the Mozilla browser version and the Java Runtime version and claimed they were old versions with vulnerabilities. In fact the browser is the latest version and JRE is a newer version without known vulnerabilities. It correctly identified the Flash version but failed to notify me that simply running Flash makes my entire www experience one huge vulnerability in itself ha ha ha.

It's worth remembering that an OS with system-wide package management almost negates these kinds of issues anyway (though browser plug-ins may remain a problem depending on how you obtained them).

Lame product unless you're that rare person who runs Windows and cares about security but also keeps forgetting to do anything about it.

Consumers (1)

McTickles (1812316) | more than 3 years ago | (#35235770)

What exactly do they "consume" using a web browser?
I doubt I can actually download food ...
