Forgot your password?
typodupeerror

80% of Browsers Found To Be At Risk of Attack 196

Posted by CmdrTaco
from the zomg-we're-all-gonna-die dept.
CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."
This discussion has been archived. No new comments can be posted.

80% of Browsers Found To Be At Risk of Attack

Comments Filter:
  • Slashvertisement (Score:5, Insightful)

    by suso (153703) * on Thursday February 17, 2011 @02:02PM (#35234534) Homepage Journal

    Not getting enough hits? Slashvertisement can work for your company too. Call today!

    • Re:Slashvertisement (Score:5, Informative)

      by tgeller (10260) on Thursday February 17, 2011 @02:12PM (#35234686) Homepage
      That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.
      • That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

        I thought your observations may have merit so I went to Company A's [companya.com] website but I didn't see any nifty new tools ... though it does have a picture of a cute little dog. ;-)

        • by jrumney (197329)
          They do have a plugni to install though. So your browser is guaranteed to be vulnerable after visiting their site - just in case you were feeling left out of the 80% majority.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This is a slashvertisement, but at least it was for something useful this time. I just patched 3 browsers based on the results.

  • So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure. People need to update their software for security. That's not news.
    • by bunratty (545641) on Thursday February 17, 2011 @02:28PM (#35234940)
      You can use Mozilla's Plugin Check [mozilla.com]. No installation required.
    • by Yvan256 (722131)

      I didn't have to download or install anything when I did the test. I even browse with Java and plug-ins disabled.

      I clicked, it said "Safari 5.0.3, up to date", done. Took about 3 seconds.

      I'm guessing different browsers and operating systems require different things.

    • So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure.

      It didn't install a plugin for me. In fact, after seeing people complain here about the plugin I check the FAQs:
      https://community.qualys.com/docs/DOC-1542#s1 [qualys.com]

      It seems that only Windows users need a pluging. On my Kubuntu system it was all Javascript (I suppose, what else could it be?). So the answer to your "Why must I install an insecure plugin" question seems to be: "Because you are using Windows".

  • by mswhippingboy (754599) on Thursday February 17, 2011 @02:04PM (#35234562)
    Since new exploits are identified each day.
  • Isn't that? (Score:5, Funny)

    by Wolvenhaven (1521217) on Thursday February 17, 2011 @02:05PM (#35234578) Homepage
    The exact percentage of IE marketshare?
    • by elrous0 (869638) *

      Actually, I run Firefox and discovered recently that auto-update had stopped working for some reason. When I tried to update through Firefox, it reported that I had the latest version. When I did a manual check, I saw that I was running version 3.6.6. Checked the site and the latest version is actually 3.6.13. Had to download and install manually. Not sure what the problem was there, but just goes to show that even a technical user running Firefox can get out-of-date.

      • The scanning tool doesn't help all that much either. It still insists that my Flash version is out of date, even though it's current (note to snarks, yes it's Flash, yes it's not all that secure even at the current patch level), it still insists that DivX is out of date, even though it's current (op cit).

        Not terribly impressive. Initially it complained that FF was behind (and I had the same issue as elrous) and that Flash, Silverlight, DixX and Flip4Mac were also older versions. Except that I've not
  • Uhmm NO (Score:5, Informative)

    by Monty845 (739787) on Thursday February 17, 2011 @02:07PM (#35234608)
    So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.
    • My thoughts exactly. So does having Javascript, flash, pdf, and Java disabled put me in the special 20%? Seems to me that their statistic should read 80% of those susceptible to social engineering have insecure browsers because no one should install random plugins from random companies without a much better reason than 'check your security'. Their webpage and software model appears to be practically identical to a million scareware, 'Anti-virus' products out there.

      • by Tolkien (664315)
        Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times? It might help their point, but it won't help their credibility.
        • by lennier (44736)

          Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times?

          What part of 'installing a random browser plugin' isn't already malicious means?

    • It is certainly possible to check plugin versions through JS alone, though from reading mozilla blogs I understand it's tricky since not all plugins report their version numbers the same way. Mozilla's Plugin Check. [mozilla.com]
    • Then Jesus proclaimed, "Behold, I will now compromise the security of this OpenBSD installation. Here you see the machine. It is fresh, clean, secure. Now, turn around. Turn around..."

  • by RobertB-DC (622190) * on Thursday February 17, 2011 @02:08PM (#35234626) Homepage Journal

    So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

    I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery [ghostery.com] immensely).

    Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

    This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

    • by NotBorg (829820)

      This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

      This. (QFT)

      Also, it seems the plug-in only scans software versions. It doesn't actually test if penetration is actually possible. If blocked by firewall, AV, sandboxing, system policies, etc, the test still flags you as vulnerable. It probably doesn't take into account the likelihood of a particular vulnerability of being exploited. Some "holes" have a rather obscure set of con

  • Updating Java (Score:5, Insightful)

    by Anonymous Coward on Thursday February 17, 2011 @02:12PM (#35234692)

    Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

    • My reason is different.
      When I am browsing with Windows - which is not very often - it is with XP without Admin rights. Up comes a warning saying 'There is a new Java version available'. Well, I don't have the rights so I switch to an account *with* rights and . . . nothing. Ok, I go to Settings/Java and tell it to upgrade. It ignores me.

      Ok, I could go to the Oracle site and download the JVM directly, but wtf does the standard update mechanism simply not work? It did once.

      I tried installing once without

  • by SmilingBoy (686281) on Thursday February 17, 2011 @02:14PM (#35234724)
    One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!
    • by Vekseid (1528215)

      This nonsense stopped around 6.16 or so, but yes until then it was freaking annoying. Java updates will remove old versions now.

  • Java, obvious (Score:4, Insightful)

    by Bobfrankly1 (1043848) on Thursday February 17, 2011 @02:14PM (#35234730)

    The most likely plug-in to require a patch: same as last year, Oracle's Java."

    Of course, this has nothing to do with the fact that new versions of Java tend to break existing java based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

    • Re:Java, obvious (Score:5, Interesting)

      by mswhippingboy (754599) on Thursday February 17, 2011 @02:46PM (#35235212)

      While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

      I guess I've just been lucky.

      • I know we have to keep our java below a certain version for our Citrix remote portal. There are some other apps that are affected, but that's by far the most important one for us.
        • Ok, I see your point. Vendor supplied applications almost always specify a particular Java version. Sometimes it's because they do something out of the ordinary (such as using JNI to get outside the JVM), or sometimes it's just that they've only tested and certified it to work with a particular version. However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.
          • by lennier (44736)

            However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

            'Should' is a wonderful word which, in IT, means 'won't'.

            • However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

              'Should' is a wonderful word which, in IT, means 'won't'.

              No, it means should in IT, just like it does everywhere else. It does not however, mean "always" which, in the case of Java I suppose is where the bar is set.

              I suppose it's ok for a new version of Windows, Linux or OSX to break existing applications. It's fine for new versions of .Net, Cocoa, GTK, QT or other frameworks to break old applications. It expected that new versions of VB, Python or Ruby might cause problems for existing applications. However, if the latest version of the JRE causes problems for

      • We have a mainframe application which relies on something from Java, some classes I think. An update to Java around three years ago broke that application for the clients which had appled the update. Two or three levels later (4-5 months?) it started working again.

      • by Amouth (879122)

        lets see

        JRE 1.6 Build 17

        forced disabled on MD2withRSA - now i understand you shouldn't be using it BUT alot of older apps used it including a lot of embedded web services that used SSL (aka switches, routers, printers)

        they gave zero option to enable it's usage in any case starting with that update. that broke a lot of shit right there.

        • I'm not here to make excuses for Snoracle's screw ups. Any time a new version of software (anybody's) is installed, there is a chance things will break. I agree, in this case it was an obvious dumb move to push out a new version without at least flagging it in bright red letters and supplying work arounds. It was noted in the release notes for u17 (http://www.oracle.com/technetwork/java/javase/6u17-141447.html), but who reads those and who can control the clients anyway.

          I understand why that had to make th

          • by Amouth (879122)

            In any case, this is a certificate/security issue and not a language/platform issue which was the original point I was trying to make.

            It started as a "certificate/security" issue and became a "language" issue when they forced a change in what was expectable commands without recourse.

            and sorry i do not believe in "don't upgrade" as a viable recourse as you are just leaving that user wide open for future problems.

            they need the ability for the USER not the application to request that that the program or app be run in a specific version of the JVM so that you can allow proper backwards compatibility while allowing the user to keep up todate

      • by BlueBlade (123303)

        I know some of our older RSA cards on our IBM servers don't work with anything over (IIRC) Java 6.3. So we have to keep machines around with older Java version to get the remote-control feature working.

        I've also seen some doc sharing sites one of our client is using (pharmacology related) that are sensitive to which Java version you run.

        I know I've seen other instances which I can't recall right now. Java's portable and compatible with everything, except when it isn't :P .

      • by lennier (44736)

        I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

        You've not been running Galaxy CommVault, then.

  • You have to appreciate the irony that the test requires a plug-in. For all I know, the test is the virus. I assumed it would be a series of javascripts that tested vulnerabilities.

  • I wonder how much of this is due to vendors deliberately not bumping the version numbers when they put in a security patch?

  • by gQuigs (913879) on Thursday February 17, 2011 @02:18PM (#35234786) Homepage
    • by hduff (570443)

      So both sites tell me that Shockwave and Java are out-of-date (using Mageia1-alpha1 and FF4beta11) and I update them with the files they provide links to AND it now says I' still out-of-date.

      Derp?

      • Hmmm... Are you running Firefox beta portable? In any case, here's my experience: I have: Firefox 3.6, Firefox 4 beta portable and Pale Moon portable. When I go to Plugin Check and update, only Firefox 3.6 gets updated. If I recall correctly, I manually copied the Flash DLL from my User > Application Data > Mozilla > plugins into Firefox 4 beta port. and Pale Moon port. "plugins" folder. Now all of them are up-to-date. Someone else may explain it better but the gist of the solution is that the rele
  • SO, at present the most secure browsers on Windows are Chrome and IE8+

    Why?

    Because they make use of Windows Integrity Controls, a type of MAC which means if a low level process is exploited it has no access to the rest of the user account.

    As much as people laud Opera they are really behind the fucking curve on this one, and I don't know what Mozilla's excuse is. With the excess beta's they really don't have one.

    It should be noted out before hairyfeet gets in that while Firefox and Opera do not make u

    • by gad_zuki! (70830)

      The problem with these sandboxed browsers is that their plugins are not sandboxed, generally.

      I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

      I think IE8 is doing well on these tests because if you're using IE you might be a corporate user who's computer is regularly updated by the system admin.

      Both these browsers running an insecure version of Java means instant exploit. The best advice is run any browser you want, but ge

      • I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

        Chrome also integrates Adobe Flash... but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

        • by Amouth (879122)

          but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

          except that Google's version is Sandboxed where the standalone plugin isn't.. so while the flash part might be exploitable - too what ends is far different.

      • by cbhacking (979169)

        Unless a plugin automatically adds an exception for itself (which some *cough*Flash*cough* do) it will either prompt you for permission to run outside the sandbox, or will run within it. I remove permissions for Flash to do this and it still usually works just fine.

    • by mlts (1038732) *

      The more browsers use the operating system security abilities, be it WIC, jail(), AppArmor, SELinux, or any other mechanism that reduces the privs a Web browser under, the better.

      The battle for control of most PCs is going to be fought at the browser and browser add-on level. This is one front that really needs defense in depth, from browser add-ons being in a separate context from other objects, to a browser tab or window not being able to access other windows, to a browser not being able to get normal us

      • by mlts (1038732) *

        Correction: Kudos to Google for using OS controls for additional security.

        Yes, using OS specific security constructs makes a Web browser less portable across platforms, but it might be that some OS security mechanism may be the only thing standing in the way of browser compromise turning into complete machine pwnage.

        On a larger scale, it might be time for OS makers to have some standardized security mechanisms, where a program can take advantage of them regardless if it runs on Windows, OS X, AIX, or OpenV

    • by cbhacking (979169)

      Strictly speaking, IE7 also includes Protected Mode (MIC sandbox). That's only relevant on Vista though - Win7 comes with IE8 and XP is incapable of MIC.

  • With a heading like this, too much is left to the imagination, I thought 80% of browsers out there in use are vulnerable, and if that is all, I would say redundancy is useless. Stating the obvious, such as any application made by man, will be error prone....so any browser running out there, is obviously flawed, no news here, move along...

  • by MobyDisk (75490) on Thursday February 17, 2011 @02:22PM (#35234846) Homepage

    I wonder what the percentages are for corporate users compared with home users. I bet home users are better: My current employer requires out machines to have a *particular* version of Java installed. The internal corporate web site doesn't work on anything newer, or older. Unfortunately this seems to be the norm, not the exception.

    I'm constantly amazed at how these internal apps are some of the poorest maintained software. Training applications, time sheets, desktop sharing, CRMs ... consistently the poorest quality tools I encounter.

    • by Asic Eng (193332)
      Same in our company. The problem is that frequently the users have no say at all. If the SW needed to be sold, then customers would simply refuse to buy such low quality - for internal tools the users are forced to use the crap.
      • by Salvo (8037)

        Users shouldn't have a say, The IT dept. should have the say.
        Unfortunately, bean counters and upper management have more of a say than those who actually know all the issues. System sales reps use buzzwords to impress the management, or provide kickbacks for bean counters, lumping the IT dept. with an overpriced piece of crap that any competent sysadmin could roll themselves in a weekend (as long as they didn't get interruptions from Clueless Users) using a Linux system, Apache and MySQL.
        It's all well and g

  • by jimicus (737525) on Thursday February 17, 2011 @02:30PM (#35234962)

    I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

    OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

    The mess we have right now is the reason why there is always something on a PC that needs updating.

    • by BitZtream (692029)

      So you want Sparkle/WinSparkle to be an OS library.

      Sparkle might have happened previous to the OS X AppStore since the guy who writes it is an Apple employee but thats probably shot now.

      I wouldn't expect anyone to make much effort in this direction though, it offers no profits and requires extra work.

      • by jimicus (737525)

        Something like that, yes. I hadn't heard of Sparkle, but it looks like it's roughly the right idea.

        The reason it needs to be in the OS is because if it isn't, there's precious little chance of third-party software supporting it. Not only would it reduce these risks, but it could hook into Active Directory for enterprises.

        Though existing companies providing network management software would probably have something to say about that.

  • by The Grim Reefer2 (1195989) on Thursday February 17, 2011 @02:36PM (#35235052)

    I went to the Browser Check [qualys.com] link and was told that I have to enable Java and refresh the page. So to check my browsers security I first have to lower my current security settings? Now I see how they got their numbers.

  • by ArhcAngel (247594) on Thursday February 17, 2011 @02:42PM (#35235136)

    to stay away from web sites that steal their data.

  • Anyone who imagines we've found all the exploits already is a moron.

  • by AdamWill (604569) on Thursday February 17, 2011 @02:50PM (#35235264) Homepage

    If you have Flash installed via nspluginwrapper, it shows two Flash entries, one saying "10.2.152 Up to Date", but the other saying "10.2 Potential Threat", with an explanation that it couldn't figure out the version precisely enough to be sure what it was. It counts this as a security threat. So that's a false positive right there.

  • Mozilla has a free plugin check that you can use to see not only if you're up to date on the most common plugins but also if any of yours that are out of date suffer from an known exploit you should fix immediately. It's free, and there's no extra plugin (yeah, BrowserCheck...what the) to install: http://www.mozilla.com/en-US/plugincheck/ [mozilla.com].

Passwords are implemented as a result of insecurity.

Working...