Forum Thread: Your browser may be up to date: But what about the PLUGINS?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
mogs Your browser may be up to date: But what about the PLUGINS?
Expert Contributor 2nd Dec, 2013 13:42
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
Watch out when shopping online this Xmas, plead security pros who'd love to help

By John Leyden, 2nd December 2013

Two in five (39 per cent) of computers submitted for testing to a free browser security test from Qualys were affected by critical vulnerabilities, mostly related to browser plug-ins.

The findings, based on 1.4 million BrowserCheck computer scans, paint a picture of e-commerce buyers left wide open to attacks by cybercriminals just before the busiest online shopping period of the year. Browser vulnerabilities are routinely used to push malware at victims from compromised (often otherwise legitimate) websites through drive-by download attacks.

Chrome has close to 40 per cent of its instances afflicted with a critical vulnerability. Similar numbers apply to Firefox and Internet Explorer, which have 35 per cent and 41 per cent of their instances vulnerable to attacks. Safari (29 per cent) and Opera (34 per cent) came in as the best of a bad bunch, according to the figures from Qualys. The overall net population might be somewhat more secure because Qualys is looking at a sample of people who have taken the trouble to check their browser security.

Qualys CTO Wolfgang Kandek says that browser plug-ins were a bigger part of the problem than core security software.

"Browsers themselves are only partly to blame though; we see most of them quite up-to-date, with Chrome leading the pack with 90 per cent, Firefox at 85 per cent and Internet Explorer trailing with 75 per cent," Kandek explained. "The larger part of the problems are contributed by the plug-ins that we use to extend the capabilities of our browsers, led by Adobe Shockwave and followed by Oracle Java and Apple Quicktime."

The overall message is simple: consumers should patch up their computers (and particularly their browser plugins) if they don't want to run a higher risk of getting pwned by banking trojans or spyware. There are various tools available.

Kandek has published further commentary on his findings - alongside a chart depicting the distribution of vulnerabilities between browsers - in a blog post here.

http://www.theregister.co.uk/2013/12/02/browser_in...

Check Your Browser
Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues.

https://browsercheck.qualys.com/


--

mogs RE: Your browser may be up to date: But what about the PLUGINS?
Expert Contributor 5th Dec, 2013 12:34
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Is your browser ready for shopping season?

Qualys found nearly four in 10 browsers have at least one critical vulnerability, making online holiday shopping a very risky proposition.

By Tony Bradley | PC World | 05 December 13

The holiday season is officially underway. Your good cheer could quickly turn sour, though, if you don't secure your browser before shopping online. Research from Qualys found that almost 40 percent of all browsers have critical vulnerabilities that could enable cyber criminals access to your personal data.

Qualys CTO Wolfgang Kandek analyzed data gathered from more than 1.4 million Qualys BrowserCheck scans and discovered some alarming trends. Kandek found that 41 percent of Internet Explorer browsers, 35 percent of Firefox, and 40 percent of Chrome have at least one critical vulnerability.

In a blog post describing the research, Kandek also pointed out that the browser itself is only part of the problem: "The larger part of the problems are contributed by the plug-ins that we use to extend the capabilities of our browsers, led by Adobe Shockwave and followed by Oracle Java and Apple Quicktime."

There are some masochists in the world who revel in the experience of fighting through crowded parking lots and jostling through stores shoulder-to-shoulder with other stalwart shoppers, but shopping from the comfort of home is less stressful and often more efficient. Forrester predicts online holiday sales will reach $78 billion this year--a 15 percent increase over last year.

Shopping online, however, is one of the riskier things you can do from your browser. Completing a transaction typically requires providing a wealth of personal and sensitive information: name, address, email address, phone number, credit card number, credit card expiration, credit card CVV code, and more. If you stick to reputable retailers with secure, encrypted sites you can shop in relative safety, but if your browser has critical vulnerabilities that can be exploited by a cyber criminal, your information could easily fall into the wrong hands.

All of the major browsers apply updates automatically by default, so hopefully your browser is current with the latest patches. However, add-ons, extensions, and plug-ins are often forgotten. Before you dive in to online holiday shopping, take some time to update your browser and all of its plug-ins to make sure you're shopping securely.

http://www.pcadvisor.co.uk/news/security/3492306/i...

--
Was this reply relevant?
+0
-0
Maurice Joyce RE: Your browser may be up to date: But what about the PLUGINS?
Handling Contributor 5th Dec, 2013 14:07
Score: 11309
Posts: 8,723
User Since: 4th Jan 2009
System Score: N/A
Location: UK
For those who have problems tracking their browser(s) plug-in security, this may help:

http://www.thewindowsclub.com/check-update-browser...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
mogs RE: Your browser may be up to date: But what about the PLUGINS?
Expert Contributor 11th Dec, 2013 14:18
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Exploits no more! Firefox 26 blocks all Java plugins by default
Click-to-run activated even for latest version

By Neil McAllister, 10th December 2013

The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run.

The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin beginning with Firefox 24, but decided to delay the change after dismayed users raised a stink.

Beginning with the version of Firefox that shipped on Tuesday, whenever the browser encounters a Java applet or a Java Web Start launcher, it first displays a dialog box asking for authorization before allowing the plugin to launch.

Users can also opt to click "Allow and Remember," which adds the current webpage to an internal whitelist so that Java code on it will run automatically in the future, without further human intervention.

Mozilla's move comes after a series of exploits made the Java plugin one of the most popular vectors for web-based malware attacks over the past few years. So many zero-day exploits targeting the plugin have been discovered, in fact, that the Firefox devs have opted to give all versions of Java the cold shoulder, including the most recent one.

Generally speaking, Mozilla plans to activate click-to-run for all plugins by default, although the Adobe Flash Player plugin has been given a pass so far, owing to the prevalence of Flash content on the web.

In addition to the change to the default Java plugin behavior, Firefox 26 includes a number of security patches, bug fixes, and minor new features. The official release notes are available here and a full list of changes in the release can be had here.

As usual, current Firefox installations can be upgraded to version 26 using the internal update mechanism, and installers for the latest release are available from the Firefox homepage.

http://www.theregister.co.uk/2013/12/10/firefox_26...

--
Was this reply relevant?
+0
-0
