Forum Thread: Secure Browsing and inactive plugins

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as resolved.
dzedler Secure Browsing and inactive plugins
Member 21st Dec, 2010 23:30
Ranking: 0
Posts: 5
User Since: 21st Dec, 2010
System Score: N/A
Location: DE
Hi,

first of all thanks for this wonderful program. Just installed V2.0.0.1003 and I am not sure if the issue I see also existed in the last version. I installed VLC media player but did not install the ActiveX plugin nor the Netscape-compatible plugin. Nevertheless the Secure Browsing area shows all installed web browsers as vulnerable because of VLC. I just verified with about:plugins in Opera and the Add-On management in Internet Explorer that VLC is not installed as a browser plugin.

Maybe you should check for registered plugins/addons rather than referencing installed programs that possibly could also be used as a browser plugin.

Kind regards,
Daniel

Post "RE: Secure Browsing and inactive plugins" has been selected as an answer.
dogbert2 RE: Secure Browsing and inactive plugins
Member 21st Dec, 2010 23:40
Score: 9
Posts: 10
User Since: 15th Jul 2009
System Score: N/A
Location: N/A
In trying the secure browsing section in PSI 2.0 (you have to check the box under configuration to get it to appear), I can confirm that VLC comes back as Insecure (even though I have installed version 1.1.5, which is the latest for this application) on all installed browsers (though Firefox 4 isn't showing up, perhaps due to it still being in beta).

Probably a minor fix/tweak is needed to correct this (probably in the database at Secunia).
Anthony Wells RE: Secure Browsing and inactive plugins
Expert Contributor 22nd Dec, 2010 00:04
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

The reason that this "false positive" occurs with or without the Ff plug-in installed and is shown in all browsers is explained by Secunia in this thread :-

http://secunia.com/community/forum/thread/show/613...

Take care

anthony

--


It always seems impossible until it's done.
Nelson Mandela
dzedler RE: Secure Browsing and inactive plugins
Member 22nd Dec, 2010 00:17
Score: 0
Posts: 5
User Since: 21st Dec 2010
System Score: N/A
Location: DE
Last edited on 22nd Dec, 2010 00:19
@dogbert2: There is a known security issue in the latest VLC version so the detection Insecure for the program itself is correct.

@Anthony: Thanks for the link. Although I now know that it is just as it is designed, it is not acceptable for me and makes the Secure Browsing information useless.

Kind regards,
Daniel
Anthony Wells RE: Secure Browsing and inactive plugins
Expert Contributor 22nd Dec, 2010 00:33
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Daniel ,

Secure browsing is aimed at "advanced" users to advise them/you on potential danger in your browser(s) ; it's entirely up to you how you use that advice . Now you are up to date on the circumstances of the faulty detection caused by incompatibility between the PSI detection rules and the VLC player , that info and the rest you get is valid and is far from useless . This is one of the very few false positives thrown up by the PSI .

No point in cutting off your nose to spite your face , as they say :)

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
dzedler RE: Secure Browsing and inactive plugins
Member 22nd Dec, 2010 11:57
Score: 0
Posts: 5
User Since: 21st Dec 2010
System Score: N/A
Location: DE
Anthony,

I know that this information is targeted at advanced users, believe me, I am an advanced user, working as lead infrastructure engineer in a company with 4500 employees.

There is no need for such a view when it does not help filtering out which browser can be used in a secure way but still leaves it to the users looking up every single issue and trying to find out if those issues make their web browser vulnerable.

Just read the four points for the description what the page is meant to illustrate, especially point 3. If PSI does not look at the actual plugins then PSI misleads the user, in this case shows something vulnerable that is not.

If I have to doubt the information provided by the page it is useless!

Furthermore it might lead an inexperienced user to underestimate the criticality of a vulnerability. Let's say I have two browsers each listed with the same vulnerable plugin. From what I am told by PSI it does not make any difference which browser I take, so I decide to use browser A for the time being. What I do not know is that the vulnerability cannot be exposed in browser B because the vulnerability just does not exist there (ActiveX vs. Netscape style) or is not even existing because the plugin is not installed at all. In this case PSI might mislead (more or less advanced) users to use the more vulnerable browser.

Please keep in mind that many people who just think that they are experienced also tend to use this information. Worse, they do not know what is shown here in essence: the software installed on the computer and not the vulnerabilities present in a browser, but the latter is what PSI pretends to do.

Kind regards,
Daniel
Anthony Wells RE: Secure Browsing and inactive plugins
Expert Contributor 22nd Dec, 2010 13:12
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 22nd Dec, 2010 13:19
Daniel ,

The only things 100% sure are death and taxes ; so no browser is 100% secure when in use .

The most secure browser may be less secure in inexperienced hands compared to one that is known and cherished by a contented user .

Your computer is not 100% secure because the PSI gives you an all clear , not least because it is not 100% accurate itself .

Your second paragraph relates to both points two and three in the "secure browsing" module ; verify is top advice and is the raison d'etre .

The argument between ActiveX and NPAPI is eternal and should never have happened had the likes of Steve Gibson been listened to at the time .

Your value judgement based on Classic Platonic argument concerning the usefulness of the Secure Browsing data - which contains a known and accepted flaw - is simply your opinion and not mine - so rather than extend an already long thread , perhaps we can agree to disagree .

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
This user no longer exists RE: Secure Browsing and inactive plugins
Member 23rd Dec, 2010 13:09
Hi,

Thank you for your feedback.

I have forwarded your feedback to our developers, who will consider it for a future version.

If you have any further comments or suggestions, please let me know.

This thread has been marked as locked.

