Data released this week, by Qualys, a security industry leader in vulnerability assessment and management, at the RSA Conference in San Francisco, continues to indicate that Browser plug-ins are frequently outdated and easily attackable.
Analysis of scanned data captured from 200,000+ Qualys BrowserCheck users’ worldwide, indicates that approximately 70% had a least one plug-in vulnerability.
No great surprise that Sun Java, and Adobe Flash and Reader, led the pack.
This research suggests, that you can load up your Internet Browser with every security add-on you like, but if there’s even one security hole – you’re still at risk.
Regular readers will remember that we’ve previously reviewed and recommended Qualys BrowserCheck, which will check your Web Browser for selected security holes in both the browser, and browser plug-ins.
BrowserCheck is itself a plug-ins, and like most plug-ins, it’s very easy to install. Simply visit the Qualys site; install the plug-in, revisit the Qualys site (if necessary) – and you’re all set to launch the test.
My first test run was on Internet Explorer 8, as the following screen captures show.
As the scan results indicate – my Internet Explorer 8 is in terrible shape. I should point out however, that I never use any version of Internet Explorer.
With Firefox running, the results looked like this.
It seems I’ve been bad, and not kept my java Runtime updated – the very plug which is most likely to be hacked! The only defense I have (and it’s a poor one at that), is – this is a test machine which is rarely connected to the Internet. As well, my PDF reader has an update available.
Continuing with the test, I clicked on the “Fix it” button which immediately took me to the Java update site so that I could download the latest version of Java Runtime.
Following the installation of the Java update, I reran the test to ensure the vulnerable condition had been closed.
Fast facts: The following items are detected:
Windows OS support expiration
Browser version (IE 6.0+, Firefox 3.0+, Chrome 4.0+)
Adobe Flash Player
Adobe Reader 5.x and above
Adobe Shockwave Player
Microsoft Windows Media Player
Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
Additionally, you can test your currently installed Browser for security holes, by taking the free Browser Security test offered by Scanit, a technology company which provides services ranging from high-tech penetration testing over application source code review, risk assessments and management-level security audits, to security courses.
The test is fairly comprehensive and supports Internet Explorer, Mozilla Browsers (Firefox), and Opera. Additional components check for vulnerabilities in selected plug-ins, including Flash and QuickTime.
To test your Browser go to Browser Security test, and follow the simple instructions.
Note: This morning, I had some difficulty loading the Scanit site. Hopefully, this is not permanent.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.