Slashdot Mirror


80% of Browsers Found To Be At Risk of Attack

CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."

196 comments

  1. Slashvertisement by suso · · Score: 4, Insightful

    Not getting enough hits? Slashvertisement can work for your company too. Call today!

    1. Re:Slashvertisement by tgeller · · Score: 5, Informative

      That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

      --
      Tom Geller
    2. Re:Slashvertisement by Anonymous Coward · · Score: 2, Insightful

      This is a slashvertisement, but at least it was for something useful this time. I just patched 3 browsers based on the results.

    3. Re:Slashvertisement by WrongSizeGlass · · Score: 1

      That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

      I thought your observations may have merit so I went to Company A's website but I didn't see any nifty new tools ... though it does have a picture of a cute little dog. ;-)

    4. Re:Slashvertisement by Anonymous Coward · · Score: 0

      I thought this was a slashvertisement for Google Chrome. Always up to date, even if you don't know it.

    5. Re:Slashvertisement by jrumney · · Score: 1

      They do have a plugin to install though. So your browser is guaranteed to be vulnerable after visiting their site - just in case you were feeling left out of the 80% majority.

  2. Plug-ins Bad. Here's ours by Lunoria · · Score: 2

    So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure. People need to update their software for security. That's not news.

    1. Re:Plug-ins Bad. Here's ours by bunratty · · Score: 5, Informative

      You can use Mozilla's Plugin Check. No installation required.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Plug-ins Bad. Here's ours by Anonymous Coward · · Score: 0

      Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

    3. Re:Plug-ins Bad. Here's ours by bunratty · · Score: 2

      Ah, the perfect is the enemy of the good. Could there possibly exist some things that are useful despite the fact that they are not perfect?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    4. Re:Plug-ins Bad. Here's ours by ColdWetDog · · Score: 2

      Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

      This is a problem for both the official Mozilla plug in check and the current slashvertisement site. The official Mozilla site flags a much larger number of plugins including the hapless mess that is Java but misses several Google plugins. Unfortunately it appears that plugin writers don't necessarily follow the guidelines for announcing themselves and further that Silverlight comes back as outdated in both checks even though I've pulled the download directly from Microsoft's site, installed it and rebooted the machine.

      If nothing else, this points to a huge problem for modern browsers. If there is no mechanism for automatically and accurately keeping tabs on the various components then no one, but no one is going to have a fully patched machine.

      --
      Faster! Faster! Faster would be better!
    5. Re:Plug-ins Bad. Here's ours by jnpcl · · Score: 1

      I dunno, who should I trust here? http://i.imgur.com/Pey3f.jpg

    6. Re:Plug-ins Bad. Here's ours by Darkness404 · · Score: 1

      Which is why properly maintained repositories are so useful. However they are often incomplete (as in the case with Ubuntu), super-restricted (as in the case of Apple), or a mess (as in the case with Android).

      --
      Taxation is legalized theft, no more, no less.
    7. Re:Plug-ins Bad. Here's ours by Yvan256 · · Score: 1

      I didn't have to download or install anything when I did the test. I even browse with Java and plug-ins disabled.

      I clicked, it said "Safari 5.0.3, up to date", done. Took about 3 seconds.

      I'm guessing different browsers and operating systems require different things.

    8. Re:Plug-ins Bad. Here's ours by dotancohen · · Score: 1

      So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure.

      It didn't install a plugin for me. In fact, after seeing people complain here about the plugin I check the FAQs:
      https://community.qualys.com/docs/DOC-1542#s1

      It seems that only Windows users need a plugin. On my Kubuntu system it was all Javascript (I suppose, what else could it be?). So the answer to your "Why must I install an insecure plugin" question seems to be: "Because you are using Windows".

      --
      It is dangerous to be right when the government is wrong.
    9. Re:Plug-ins Bad. Here's ours by thsths · · Score: 1

      Unfortunately it appears that plugin writers don't necessarily follow the guidelines for announcing themselves and further that Silverlight comes back as outdated in both checks even though I've pulled the download directly from Microsoft's site, installed it and rebooted the machine.

      It is quite common to offer outdated plugins for update - the most recent version may only be available via the (usually pretty dire) update mechanism. Adobe does it, Oracle does it, why shouldn't Microsoft do it? In fact I know that they do it, certainly with some of the application bundles.

    10. Re:Plug-ins Bad. Here's ours by Decker-Mage · · Score: 1

      Slight modification required there dotancohen. It is only Windows (l)users in combination with certain browsers. I exclusively use Opera these days (no extensions/plug-ins) and neither plug-in nor download was required for the test. Perfect Green "Up to Date" button. But, perhaps, we should not let (admittedly one) fact get in the way of a good bashing.

      I will not ever go out into the vastness of the WWW with an extension or other modification present unless it was during a session with a virtual machine that will be immediately destroyed after completion of the session. Loading up on extensions/plug-ins, even with the best intentions, is only marginally less dangerous than wandering the web with no firewall at all. Hmmm,... if you use a really exotic OS/Browser combination (say Mosaic on an Amiga?) it might even be orders of magnitude safer.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    11. Re:Plug-ins Bad. Here's ours by RockDoctor · · Score: 1

      In fact, ... I check the FAQs:

      HERETIC !

      BURN THE HERETIC!

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    12. Re:Plug-ins Bad. Here's ours by dotancohen · · Score: 1

      Although there exist browsers on Windows that don't require a plugin, _only_ Windows requires a plugin. Therefore, the only component that I could confidently assume exists in the OP's installation is Windows.

      It's funny: I don't usually bash Windows. I didn't even mean to this time!

      --
      It is dangerous to be right when the government is wrong.
    13. Re:Plug-ins Bad. Here's ours by Decker-Mage · · Score: 1

      Windows, or a malfunctioning device between keyboard and chair ;-). Noted and thanks!

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  3. I would have thought this closer to 100% by mswhippingboy · · Score: 3, Insightful

    Since new exploits are identified each day.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    1. Re:I would have thought this closer to 100% by SudoGhost · · Score: 4, Insightful

      I would have thought it closer to 100% since about 100% of browsers are used by people, which are the biggest security flaws in any system.

    2. Re:I would have thought this closer to 100% by Kenja · · Score: 3, Funny

      Lynx is still pretty safe!

      --
      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:I would have thought this closer to 100% by Skarecrow77 · · Score: 4, Informative

      My wife has a shirt that says "Social engineering" on the front, and on the back it says "Because there is no patch for human stupidity".

      My wife is awesome.

    4. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      Methinks parent is stalking GP.

    5. Re:I would have thought this closer to 100% by osgeek · · Score: 2

      Look, man, if you have an opinion just express it. Don't keep these things all bottled up inside where they can fester.

      Tell us what you really think about the guy and you'll feel better.

      All this sugar coating to avoid hurting his feelings isn't doing either of you any favors.

    6. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 2, Funny

      Nah, 80% is correct. The remaining 20% of browsers are Opera, which is not known to be used by people.

    7. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      Irony.

      Your sig vs your attack on the GP.

    8. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      I know she's awesome, two. She thinks I am, three. Just kidding. Or am I?

    9. Re:I would have thought this closer to 100% by Imrik · · Score: 1

      It only counts exploits that have been patched.

    10. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      Nobody is going to hack you over your dialup from a hotel anyway. Their exploit would take too long since your slow connection is taken by your constant downloading of TV shows over that connection that you always brag about.

    11. Re:I would have thought this closer to 100% by VGPowerlord · · Score: 3, Funny

      I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

      Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

      I wasn't aware that the Commodore 64 had updates.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    12. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      oh, I thought gay marriages are illegal..

    13. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      I want one like that.

    14. Re:I would have thought this closer to 100% by e9th · · Score: 2

      Is your version susceptible to this?

    15. Re:I would have thought this closer to 100% by Amouth · · Score: 1

      "you can't fix stupid" - Ron White

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    16. Re:I would have thought this closer to 100% by WrongSizeGlass · · Score: 1

      Did you know that 'theaveng' is an anagram for 'negative' if you swap an 'i' for the 'h'? Well, it is. Yes, I know that it's meaningless, but it's more entertaining than some of his posts.

    17. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 0

      oh, I thought gay marriages are illegal..

      Not in civilized countries.

    18. Re:I would have thought this closer to 100% by severoon · · Score: 1

      "80% of Browsers Found To Be At Risk of Attack. In other news, Chrome marketshare up to 20%." :-)

      --
      but have you considered the following argument: shut up.
  4. Isn't that? by Wolvenhaven · · Score: 4, Funny

    The exact percentage of IE marketshare?

    --
    Orwell was an optimist.
    1. Re:Isn't that? by elrous0 · · Score: 1

      Actually, I run Firefox and discovered recently that auto-update had stopped working for some reason. When I tried to update through Firefox, it reported that I had the latest version. When I did a manual check, I saw that I was running version 3.6.6. Checked the site and the latest version is actually 3.6.13. Had to download and install manually. Not sure what the problem was there, but just goes to show that even a technical user running Firefox can get out-of-date.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Isn't that? by ColdWetDog · · Score: 1

      The scanning tool doesn't help all that much either. It still insists that my Flash version is out of date, even though it's current (note to snarks, yes it's Flash, yes it's not all that secure even at the current patch level), it still insists that DivX is out of date, even though it's current (op cit).

      Not terribly impressive. Initially it complained that FF was behind (and I had the same issue as elrous) and that Flash, Silverlight, DivX and Flip4Mac were also older versions. Except that I've not used the latter three plugins in months so there is little vulnerability there. Basically just another vendor trying to harp their wares with the interesting factoid of Firefox's problems.

      --
      Faster! Faster! Faster would be better!
    3. Re:Isn't that? by Anonymous Coward · · Score: 0

      Yeah, back in 2006. Today it's around 44% (thank god).

  5. Uhmm NO by Monty845 · · Score: 4, Informative

    So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.

    1. Re:Uhmm NO by MozeeToby · · Score: 1

      My thoughts exactly. So does having Javascript, flash, pdf, and Java disabled put me in the special 20%? Seems to me that their statistic should read 80% of those susceptible to social engineering have insecure browsers because no one should install random plugins from random companies without a much better reason than 'check your security'. Their webpage and software model appears to be practically identical to a million scareware, 'Anti-virus' products out there.

    2. Re:Uhmm NO by Anonymous Coward · · Score: 1

      Worse than that:

      "Install Qualys Browsercheck?

      It can Access:

      All data on your computer and the websites that you visit."

    3. Re:Uhmm NO by The+MAZZTer · · Score: 1

      It is certainly possible to check plugin versions through JS alone, though from reading mozilla blogs I understand it's tricky since not all plugins report their version numbers the same way. Mozilla's Plugin Check.
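
The version check the comment describes, as an added example that is not code from the thread, from Mozilla's Plugin Check or from Qualys: it works over entries shaped like `navigator.plugins` items, pulls a version out of whichever field a plugin happens to report it in, and flags plugins whose version cannot be parsed as "unknown" instead of silently passing them. The plugin entries and the minimum versions in `MINIMUM_VERSIONS` are constructed sample data, not real advisory values.

```javascript
// Added example, not from the thread or from any vendor's checker.
// Plugin names, descriptions and minimum versions are constructed samples.

// Pull a dotted version out of whatever the plugin reports. Different plugins
// put it in different places: some expose .version, some only embed it in the
// description ("Shockwave Flash 10.1 r102"), some use underscores ("1.6.0_24").
function extractVersion(plugin) {
  const candidates = [plugin.version, plugin.description, plugin.name];
  for (const text of candidates) {
    if (typeof text !== "string") continue;
    const m = text.match(/(\d+(?:[._]\d+)+)/);
    if (m) return m[1].split(/[._]/).map(Number);
  }
  return null; // version not discoverable from this plugin's self-report
}

// Compare two numeric version arrays; missing trailing parts count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimum versions a site would consider current (constructed sample values).
const MINIMUM_VERSIONS = [
  { match: /shockwave flash/i, label: "Adobe Flash", min: [10, 2, 152] },
  { match: /java/i, label: "Java", min: [1, 6, 0, 24] },
];

// Classify each known plugin as "up-to-date", "outdated", or "unknown" when
// its version cannot be parsed; plugins with no rule are skipped.
function checkPlugins(plugins) {
  const results = [];
  for (const p of plugins) {
    const rule = MINIMUM_VERSIONS.find(
      r => r.match.test(p.name || "") || r.match.test(p.description || "")
    );
    if (!rule) continue;
    const ver = extractVersion(p);
    let status;
    if (ver === null) status = "unknown";
    else status = compareVersions(ver, rule.min) < 0 ? "outdated" : "up-to-date";
    results.push({ label: rule.label, version: ver ? ver.join(".") : null, status });
  }
  return results;
}

// Constructed sample entries shaped like navigator.plugins items.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.1 r102" },
  { name: "Java(TM) Platform SE 6 U24",
    description: "Next Generation Java Plug-in 1.6.0_24 for Mozilla browsers",
    version: "1.6.0_24" },
  { name: "Java Deployment Toolkit",
    description: "NPRuntime Script Plug-in Library for Java(TM) Deploy" },
];

// In a browser, scan the real plugin list; elsewhere, run on the sample data.
if (typeof navigator !== "undefined" && navigator.plugins) {
  console.log(checkPlugins(Array.from(navigator.plugins)));
} else {
  console.log(checkPlugins(SAMPLE_PLUGINS));
}
```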

    4. Re:Uhmm NO by Anonymous Coward · · Score: 0

      I'm running Opera, no Java. It worked fine and didn't ask to install anything.

    5. Re:Uhmm NO by Tolkien · · Score: 1

      Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times? It might help their point, but it won't help their credibility.

    6. Re:Uhmm NO by elashish14 · · Score: 1

      Then Jesus proclaimed, "Behold, I will now compromise the security of this OpenBSD installation. Here you see the machine. It is fresh, clean, secure. Now, turn around. Turn around..."

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    7. Re:Uhmm NO by lennier · · Score: 1

      Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times?

      What part of 'installing a random browser plugin' isn't already malicious means?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    8. Re:Uhmm NO by Tolkien · · Score: 1

      Considering you have to manually download and run it, I would hardly qualify it as malicious if the authors are sufficiently reputable. Otherwise, the only real way to test for vulnerabilities is to exploit them. How would you suggest they do that without losing credibility?

  6. Java?!?!? by Anonymous Coward · · Score: 1

    Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

    Kiddies, remember, in the future someone will say "we have a write once run everywhere language that is secure!" and you can look back on Java and say, "Nuh ahh! It existed before!" and then when you post on the future version of Slashdot pointing this fact out, you will be modded down - just like the people who pointed out that BASIC was supposed to be write once - run everywhere and that didn't pan out.

    History repeats itself - especially in IT.

    Remember that when you think you're smarter than others .....

    Didn't proof read b/c Slashdot's scripts are too goddam slow!

    1. Re:Java?!?!? by mswhippingboy · · Score: 3, Informative

      Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

      This is actually true. However, when users just mindlessly click through the security dialog on unsigned applets that warns that resources outside the sandbox may be accessed, it defeats the whole sandbox protection mechanism.

      I guess it gets back to the old adage "Make it foolproof and only a fool will use it.".

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    2. Re:Java?!?!? by gad_zuki! · · Score: 1

      You don't need to click on anything. The malware java exploits I've seen in the wild simply load up as applets. The malware writers get them signed with stolen keys. No need for the user to do anything. Blaming the user is common here, but it's shit software owned by a shit company, and has a shitty security record.

      Considering most people have no need for java the best advice isn't update, it's uninstall it.

    3. Re:Java?!?!? by Zelgadiss · · Score: 1

      Java was supposed to be the safe (but painfully slow) way to run "web apps" after the giant clusterfuck that was ActiveX.

      But over the years it seems it too has "grown" into a security risk.

      I wonder if Javascript will suffer the same fate one day.

    4. Re:Java?!?!? by mswhippingboy · · Score: 0

      I'm sure you're right. Just one thing I don't understand though. If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

      I assume you have a different language/platform that you prefer. Care to share it with us? I'm sure it is the 100% perfect language that no one here on /. can find flaws with.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    5. Re:Java?!?!? by Robert+Zenz · · Score: 1

      Wait...so basically you're saying that Java is shitty because it can't detect stolen security keys?

    6. Re:Java?!?!? by lgw · · Score: 1

      If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

      For the same reason that the craptastic COBOL was before that? It's easy to learn, and once its popularity grew among non-technical managers, the network effect took over.

      There's still no real need to have Java on the desktop. Server-side, just like COBOL before it, it has its place. Inventory, payroll, CRM, and all those other card-walloping programs need to be written somehow, even if there aren't any cards to wallop anymore.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:Java?!?!? by BitZtream · · Score: 1

      Just because a lot of people use Word (or Java) does not mean they are good at it. The application really has a difficult time fixing stupid, regardless of application or language. The harder you try to fix stupid programmers, the more complex and more difficult it becomes to actually write secure software.

      Every time someone comes up with some way to 'make it easier' the end result is more often than not something that's simply more complex and just as broken and far more difficult to effectively understand. Garbage collection being a perfect example of something that's supposed to make it 'easier' but in almost every instance makes it more complex and more prone to errors since the developer really has NO CLUE what's actually going on.

      However, newbies and those ignorant see marketing speak and think its true because they have no experience to know otherwise. Hence, Java is popular.

      On that note however, as a former Java hater who had to start doing Java development, I came to realize that shitty buggy java apps are generally the fault of the shitty developer who made them, not Java. I blame code completing IDEs for letting people who THINK they are developers right software using methods that they assume do what they want based on the name, when in reality that is rarely if ever the case. Simple things like MIN/MAX are often used incorrectly by blathering idiots. That's not the language's fault.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:Java?!?!? by mswhippingboy · · Score: 1

      If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

      For the same reason that the craptastic COBOL was before that? It's easy to learn, and once its popularity grew among non-technical managers, the network effect took over.

      There's still no real need to have Java on the desktop. Server-side, just like COBOL before it, it has its place. Inventory, payroll, CRM, and all those other card-walloping programs need to be written somehow, even if there aren't any cards to wallop anymore.

      Sorry, but my recollection is different. Java became popular despite the fact that the corporate world was practically OWNED by Microsoft and Visual Basic/Visual C++. Most non-tech managers were afraid to use anything that didn't have a Microsoft logo on it. Most only allowed Java into their shops when it became clear that it was the logical choice in certain application spaces.

      I agree, Java is not and never has had much to entice desktop application development (though that may well change when Android apps start landing on the desktop).

      Also, I understand it's in vogue to dis COBOL on /. and geek forums. For a 50+ year old language, as "craptastic" as you may think it is, it seems to me it's held up pretty well. Where will your current favorite language be in 50 years?

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    9. Re:Java?!?!? by mswhippingboy · · Score: 1

      On that note however, as a former Java hater who had to start doing Java development, I came to realize that shitty buggy java apps are generally the fault of the shitty developer who made them, not Java

      I think that one sentence says it all. How can you be a Java hater before you've done any development in it? Somehow the word "lemming" comes to mind.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    10. Re:Java?!?!? by Anonymous Coward · · Score: 0

      Here is some background information:

      http://threatpost.com/en_us/blogs/serious-new-java-flaw-affects-all-browsers-040910

      Basically no user interaction is needed, besides loading a page with a malicious applet.

    11. Re:Java?!?!? by dshk · · Score: 1

      A stolen key is not enough. The Java plugin always displays the security dialog if it encounters a signed applet. It has to, because a signed applet can access anything on the machine. The user has to explicitly allow that.

    12. Re:Java?!?!? by dshk · · Score: 1

      Why do you think that the Java plugin is particularly risky? I have the feeling that in the last 10 years it had less actually exploited security issues than any other internet related software I use.

    13. Re:Java?!?!? by jrumney · · Score: 1

      Signed applets with stolen keys would still result in a prompt the first time the applet is run. Something else is going on here. There have been vulnerabilities in the JVM in the past that let unsigned apps jump out of the sandbox, and if the user has an outdated JVM these will still work - one particular nasty vulnerability is the fact that the OBJECT tag originally allowed the developer to specify a specific version of the JVM, so attackers can try to force the use of a vulnerable JVM - which will not prompt if that version of JVM is already installed alongside the most recent version.

    14. Re:Java?!?!? by Anonymous Coward · · Score: 0

      I blame code completing IDEs for letting people who THINK they are developers right software using methods that they assume do what they want based on the name, when in reality that is rarely if ever the case.

      And I blame Slashdot for letting people who THINK they are literate write comments using words that they assume say what they want based on phonetic similarity, when in reality that is rarely if ever the case.

    15. Re:Java?!?!? by jrumney · · Score: 1

      Java ran applets well before ActiveX appeared on the scene. Javascript does have the advantage that it is not capable of doing anything outside the sandbox. A lot of Java's vulnerabilities have been because of its dual use as a sandboxed untrusted applet environment and as a full unlimited desktop and server programming environment.

    16. Re:Java?!?!? by Zelgadiss · · Score: 1

      Replace "after" with "unlike" then. :p

      ActiveX was MS's attempt at competing with Java applets. After everyone realized what an unsafe idea ActiveX was, Java was championed as the "right way" to do it but never was used much due to its terrible speed.

    17. Re:Java?!?!? by Decker-Mage · · Score: 1

      Well if they actually are literate, they either become lead developers or the project managers who speak to lead developers. After all, we can't let the illiterate developers demonstrate in our dog and pony shows how illiterate they actually are to anyone outside of IT that controls our pay now, could we?

      As for the language wars, and the browser wars herein, I've seen everything at least four to five times now since I started with punch cards and magnetic tape, way back when I was ten, on a computer that occupied the whole first floor of the Science building. So far, I've never used the same tools twice for any of the dozens of projects since that time instead choosing the tools to fit the requirements of the project rather than force-fitting the project onto the tools. Whatever. Let the children have their tantrums about their favorite toys ;-).

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    18. Re:Java?!?!? by Decker-Mage · · Score: 1

      Not quite correct AC. You have to have had at least one version of a defective JVM installed. If you are like me and don't install it at all, even with Windows you will not be affected. Yet another reason not to play in traffic with defective toys.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  7. Self-selecting for failure by RobertB-DC · · Score: 3, Interesting

    So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

    I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery immensely).

    Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

    This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Self-selecting for failure by NotBorg · · Score: 1

      This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

      This. (QFT)

      Also, it seems the plug-in only scans software versions. It doesn't actually test if penetration is actually possible. If blocked by firewall, AV, sandboxing, system policies, etc, the test still flags you as vulnerable. It probably doesn't take into account the likelihood of a particular vulnerability of being exploited. Some "holes" have a rather obscure set of conditions that must be present for them to work.

      But I suppose at the end of the day it only takes one fucked up plugin to bitch slap you in the face: Adobe Flash. (You don't need another plugin to test what version you have either.)

      --
      I want this account deleted.
    2. Re:Self-selecting for failure by Anonymous Coward · · Score: 0

      Yea I thought that too. I was like, people who are most likely to do a browser check are those that are experiencing problems. Which is an awesome suggestion for malware creators. Don't want anyone to remove it? Test your code!

    3. Re:Self-selecting for failure by Anonymous Coward · · Score: 0

      Those most likely to take the "test" are the ones most likely to fail it.

      In other words - the only way to win is not to play.

  8. Lynx FTW by antifoidulus · · Score: 0

    Whew, doesn't look like there are any Lynx vulnerabilities so I'm safe!

  9. Did I pass? by Anonymous Coward · · Score: 0

    I guess this means that my browser passed:

    Qualys BrowserCheck is not supported with your current browser, operating system or both.

  10. Updating Java by Anonymous Coward · · Score: 5, Insightful

    Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

    1. Re:Updating Java by Vlad_the_Inhaler · · Score: 1

      My reason is different.
      When I am browsing with Windows - which is not very often - it is with XP without Admin rights. Up comes a warning saying 'There is a new Java version available'. Well, I don't have the rights so I switch to an account *with* rights and . . . nothing. Ok, I go to Settings/Java and tell it to upgrade. It ignores me.

      Ok, I could go to the Oracle site and download the JVM directly, but wtf does the standard update mechanism simply not work? It did once.

      I tried installing once without Admin rights and it happily downloaded the update to some place I never found before telling me that it was not able to do the update. If I go into XP in the first place it is normally because I want to do something specific which I can't get to work on Linux. I really can't be bothered trying to work out why some stupid software package feels it can't update itself.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    2. Re:Updating Java by Anonymous Coward · · Score: 0

      Or the Java ‘quick’ starter for that matter. It comes back after every update.

    3. Re:Updating Java by Anonymous Coward · · Score: 0

      If only java didn't install a service AND autostart entry on windows each time it is updated, that relies on other vulnerable services... Why do I need to spend several minutes to clean up after the update each time?

    4. Re:Updating Java by Anonymous Coward · · Score: 0

      I agree, WHY is the box ticked by default? Can you imagine if every piece of software that needed updating tried to install another piece of software?

    5. Re:Updating Java by Decker-Mage · · Score: 1

      Actually I don't have to imagine at all. I see it practically every time I go out to cure the "slows" which inevitably occurs due to every damn package out there wishing to install yet another toolbar, yet another search provider, yet another home page, and always yet another updater! And that's before f*ck*ng cleaning up the malware. Malware is actually the least labor intensive element of the whole charade. I call it a charade as it's inevitable that I'll be back in a few months to wash, rinse, repeat.

      The sad part of all of this is that I can't really blame the users since they are conditioned into following whatever recipe that each shiny new app that comes along requires of them. While there have been a few oopsies along the way, so far, with apps for smart phones, you wait and watch for them to follow down this trap infested path (gutters?).

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  11. Old versions kept with Java by SmilingBoy · · Score: 2

    One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!

    1. Re:Old versions kept with Java by Vekseid · · Score: 2

      This nonsense stopped around 6.16 or so, but yes until then it was freaking annoying. Java updates will remove old versions now.

    2. Re:Old versions kept with Java by godel_56 · · Score: 1

      One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!

      Yes, you need JavaRa 1.16 beta which cleans out the old crud. It's free at http://raproducts.org/wordpress/software and many other places.

      BTW jre1.6.0.24 has just been released this week. I use Secunia PSI to check for upgraded programs, but you don't really need it in Windows Startup.

  12. Many users cannot update by Anonymous Coward · · Score: 0

    In my experience, your average user has a machine that is quite a few years old (end of life performance wise).
    If pressure to upgrade was successful once, it long since passed the point where they needed to upgrade the OS and computer before they could update their browser.
    Amidst the stability problems of a home computer that hasn't been formatted periodically (or ever), only select browsers (and only specific versions of them) can run successfully.

    I've come across this a lot since the latest bout of cool features for web came along. It is difficult to fix the problems caused by lingering dated hardware.

    My proposal: the One Macbook Per Child program.

  13. Java, obvious by Bobfrankly1 · · Score: 3, Insightful

    The most likely plug-in to require a patch: same as last year, Oracle's Java."

    Of course, this has nothing to do with the fact that new versions of Java tend to break existing java based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

    1. Re:Java, obvious by Anonymous Coward · · Score: 0

      Yup, we don't ever patch Java or update it 'cuz our Java stuff always breaks. Java is just too damn brittle!

    2. Re:Java, obvious by Desler · · Score: 1

      So the mantra should be: "Write once, break every new version", right?

    3. Re:Java, obvious by mswhippingboy · · Score: 4, Interesting

      While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

      I guess I've just been lucky.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    4. Re:Java, obvious by Bobfrankly1 · · Score: 1

      I know we have to keep our java below a certain version for our Citrix remote portal. There are some other apps that are affected, but that's by far the most important one for us.

    5. Re:Java, obvious by mswhippingboy · · Score: 1

      Ok, I see your point. Vendor supplied applications almost always specify a particular Java version. Sometimes it's because they do something out of the ordinary (such as using JNI to get outside the JVM), or sometimes it's just that they've only tested and certified it to work with a particular version. However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    6. Re:Java, obvious by Calsar · · Score: 1

      Are there really enterprise apps that are 15 years old? Java wasn't even a server side technology back then, the only thing you do was write applets. The applets I wrote using JDK 1.0 stopped working several versions of Java ago.

    7. Re:Java, obvious by Hydian · · Score: 1

      We ran into a particular version that when installed would not allow IE to use plug-ins for other versions of Java. I believe it was version 6, update 20, but it's been a while so I'm not positive anymore.

    8. Re:Java, obvious by Anonymous Coward · · Score: 0

      I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

      J2EE is only 11 years old, bro. Is this like having 10 years of C# experience back in 2005?

    9. Re:Java, obvious by Desler · · Score: 1

      I've been working with Java in large enterprise settings for over 15 years,

      Really? Large enterprise settings were using Java before the official release? The only way you could have been using it in large enterprise settings over 15 years ago is if you were using the pre-release alpha from '94. J2EE is only 12 years old.

    10. Re:Java, obvious by Desler · · Score: 1

      He probably also has 20+ years of experience in C# as well.

    11. Re:Java, obvious by mswhippingboy · · Score: 2

      First, I said "I've been working with Java in large enterprise settings for over 15 years". I didn't say I have applications that were written 15 years ago that are still running the same binaries.

      Second, there was a lot more than applets being written 15 years ago. I do still have Java back-end applications that were originally built back then but have undergone enhancements over the years. Just because the "Server JVM" wasn't introduced until somewhere around 1.4, doesn't mean java didn't run on servers long before that. The Server JVM was introduced mainly because there was so much being written for back-end systems it was advantageous for them to share a single JVM rather than each application running their own. Other than playing around a bit with them, I've never spent much time working with applets since this technology never really received widespread use.

      You may very well be correct that applets written for JDK 1.0 no longer work, but that's a problem with the applet technology. However, class files created back then can (as far as I know, although I haven't tried it) still be executed in the latest JVM. But even if they can't, a simple re-compile should take care of it. Again, applets are not a fair representation of Java since its strength is in the server side, not the client side.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    12. Re:Java, obvious by mswhippingboy · · Score: 1

      I've been working with Java in large enterprise settings for over 15 years,

      Really? Large enterprise settings were using Java before the official release? The only way you could have been using it in large enterprise settings over 15 years ago is if you were using the pre-release alpha from '94. J2EE is only 12 years old.

      Actually yes. I was involved in the Sun Early Access program and started working with Java in mid 1995 (actually, I believe it was Beta code at that point, maybe still Alpha - I don't recall). JDK 1.0 was officially released in early 1996, but we were already heavily into development at that point.

      No, this was not J2EE work, and it was not web oriented at all (the corporate web applications at that time were primarily done with C++ and ISAPI). These were all system integration applications and they were primarily intended as a chance for the corporation to dip its toe into Java technology. I haven't worked with that particular corporation in several years, but they are very heavily into Java development today.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    13. Re:Java, obvious by Vlad_the_Inhaler · · Score: 1

      We have a mainframe application which relies on something from Java, some classes I think. An update to Java around three years ago broke that application for the clients which had applied the update. Two or three levels later (4-5 months?) it started working again.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    14. Re:Java, obvious by Amouth · · Score: 1

      Let's see

      JRE 1.6 Build 17

      forced disabled on MD2withRSA - now I understand you shouldn't be using it BUT a lot of older apps used it, including a lot of embedded web services that used SSL (aka switches, routers, printers)

      they gave zero option to enable its usage in any case starting with that update. That broke a lot of shit right there.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    15. Re:Java, obvious by mswhippingboy · · Score: 1

      I'm not here to make excuses for Snoracle's screw ups. Any time a new version of software (anybody's) is installed, there is a chance things will break. I agree, in this case it was an obvious dumb move to push out a new version without at least flagging it in bright red letters and supplying work arounds. It was noted in the release notes for u17 (http://www.oracle.com/technetwork/java/javase/6u17-141447.html), but who reads those and who can control the clients anyway.

      I understand why they had to make this change (otherwise they'd get slammed for security holes), but it obviously could have been handled better.

      In any case, this is a certificate/security issue and not a language/platform issue which was the original point I was trying to make.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    16. Re:Java, obvious by Amouth · · Score: 1

      In any case, this is a certificate/security issue and not a language/platform issue which was the original point I was trying to make.

      It started as a "certificate/security" issue and became a "language" issue when they forced a change in what was expectable commands without recourse.

      and sorry i do not believe in "don't upgrade" as a viable recourse as you are just leaving that user wide open for future problems.

      they need the ability for the USER, not the application, to request that the program or app be run in a specific version of the JVM, so that you can allow proper backwards compatibility while allowing the user to keep up to date

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    17. Re:Java, obvious by lgw · · Score: 1

      Wow, can you really not imagine writing an enterprise application without a framework? Really? Grumble grumble wrote me some enterprise software in assembly code back in the day mumble grumble GET OFF MY LAWN YOU KIDS.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    18. Re:Java, obvious by BitZtream · · Score: 1

      You do realize 1994 was 17 years ago ... right?

      And yes, it's fairly common for some people to be using software products before release. Ever heard of beta testing? It's pretty common to let some of your customers have an early crack at something so you can find out how well it's going to work and find bugs you didn't otherwise predict or see.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    19. Re:Java, obvious by Bobfrankly1 · · Score: 1

      I was doing beta testing in 1997 for a (now dead) "multimedia company" (web developer) that was creating a kiosk for Toyota that would help users to choose the right car for them. It looked very similar to a lot of the features you see on websites today, although a lot more basic. It was written in Java and as Java was back then, the app was buggy as hell. I was quite good at my job, I could break the app at any moment and when the opportunity arose, I received the lead programmer's blessing to transfer to the graphic department. He was glad to be rid of me. The point of this story is that Java was in use, or at least development (not sure if that project ever saw the light of day) 14 years ago, and they had been working on that project for a time before I ever got there.

    20. Re:Java, obvious by Desler · · Score: 1

      You do realize 1994 was 17 years ago ... right?

      Yes. I do. Which is why I said if you were using Java more than 15 years ago you would have had to be using the pre-release alpha. Your post is not insightful.

    21. Re:Java, obvious by BlueBlade · · Score: 1

      I know some of our older RSA cards on our IBM servers don't work with anything over (IIRC) Java 6.3. So we have to keep machines around with older Java versions to get the remote-control feature working.

      I've also seen some doc sharing sites one of our clients is using (pharmacology related) that are sensitive to which Java version you run.

      I know I've seen other instances which I can't recall right now. Java's portable and compatible with everything, except when it isn't :P .

      --
      Religion is the best example of mass psychosis
    22. Re:Java, obvious by lennier · · Score: 1

      I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

      You've not been running Galaxy CommVault, then.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    23. Re:Java, obvious by lennier · · Score: 1

      However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

      'Should' is a wonderful word which, in IT, means 'won't'.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    24. Re:Java, obvious by mswhippingboy · · Score: 1

      However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

      'Should' is a wonderful word which, in IT, means 'won't'.

      No, it means should in IT, just like it does everywhere else. It does not however, mean "always" which, in the case of Java I suppose is where the bar is set.

      I suppose it's ok for a new version of Windows, Linux or OSX to break existing applications. It's fine for new versions of .Net, Cocoa, GTK, QT or other frameworks to break old applications. It's expected that new versions of VB, Python or Ruby might cause problems for existing applications. However, if the latest version of the JRE causes problems for a ten year old application, lord almighty, what a piece of crap it is.

      C'mon folks it's just software, like any other platform. It is prone to bugs, distribution screw-ups and inadequate regression testing just like any other software package. My experience is that it's better than most, but it's not perfect. Maybe your experience is different. If so, choose a different language/platform. That's the wonderful thing about software today, there are many other choices.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    25. Re:Java, obvious by ShakaUVM · · Score: 1

      >>I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

      It breaks on platforms that have older versions of the JDK. All your newer version stuff doesn't work.

      And since they thought Java would be "write once, run anywhere" you can't use the same tricks C had for dealing with platform differences like that (preprocessor defines and macros).

      I guess if you're just using java on a single platform, it's not an issue, but we had to support IRIX machines, which were stuck with the original version of Java. So none of those fancy "StringBuffer" things those whippersnappers are using nowadays...

    26. Re:Java, obvious by strikethree · · Score: 1

      I guess you have never had to use any of Cisco's products that are written in Java. They specify an exact version number and refuse to work with any other version number. I guess that is so the off-shored programmers can't be held responsible for changes in the JVM. *shrug*

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    27. Re:Java, obvious by mswhippingboy · · Score: 1

      J2EE != Java, Bro.

      J2EE is an environment for developing, building and deploying Web-based enterprise applications.

      It may be hard for you to grasp the concept, but everything is not a web based application. Maybe they failed to teach you that in your intro to comp sci class.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    28. Re:Java, obvious by mswhippingboy · · Score: 1

      Snicker, snicker. Oh aren't you witty!

      No, only about 6 years (circa 2005). I was late to the C# party since most customers that were tied to Microsoft still wanted their apps written in VB back then.

      Wasn't hard to pick it up though, given that it's pretty much a knock-off of Java with a .Net framework.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    29. Re:Java, obvious by ConceptJunkie · · Score: 1

      Or perhaps, "Run once, rewrite everywhere."

      Java has literally become the opposite of what it was intended to be (with regard to portability) for that reason.

      What I'm finding now is that any apps that are Java-based are simply bundled with the specific JRE that they are intended to run with.

      --
      You are in a maze of twisty little passages, all alike.
  14. Irony: it is a plugin by MobyDisk · · Score: 1

    You have to appreciate the irony that the test requires a plug-in. For all I know, the test is the virus. I assumed it would be a series of javascripts that tested vulnerabilities.

  15. False positives? by dgatwood · · Score: 1

    I wonder how much of this is due to vendors deliberately not bumping the version numbers when they put in a security patch?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:False positives? by F.Ultra · · Score: 1

      And also imagine all the backporting that is occurring on Linux distributions, where the version number of the plugin/library/application is unchanged or keeps the version with a suffix like 2.4.5-11ubuntu12. Wonder if this check can handle that :)
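The two complaints above (a scanner that only reads version numbers, and distro packages whose upstream version never changes because the fix was backported) both come down to how the version comparison is done. The following is an added example, not Qualys code and not anything posted in the thread: a small Python comparator that shows a version-only check flagging a backported package as vulnerable, beside a backport-aware check that consults a per-distro "fixed package revision" table. The version strings, the `FIXED_UPSTREAM` / `BACKPORT_FIXED` advisory values and the host inventory are all constructed for the example, and the version grammar it accepts is deliberately narrower than real Debian or RPM package versions.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Matches "2.4.6", "2.4.5-11" and "2.4.5-11ubuntu12": an upstream version,
# an optional package revision, and an optional distro name with its own
# revision. Constructed for this example; real package version grammars
# (Debian epochs, "~rc" suffixes, RPM release tags) are richer than this.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:([a-z]+)(\d+))?)?$")


class Version(NamedTuple):
    upstream: Tuple[int, ...]   # (2, 4, 5)
    revision: Tuple[int, ...]   # (11, 12) for "-11ubuntu12", () if absent
    distro: Optional[str]       # "ubuntu" or None


def parse_version(text: str) -> Version:
    """Split a version string into comparable numeric parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    revision = [int(g) for g in (m.group(2), m.group(4)) if g]
    return Version(upstream, tuple(revision), m.group(3))


def naive_is_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """Version-only check, the way a scanner that just reads the plug-in's
    reported version would do it. It compares numeric tuples (so 2.4.10 sorts
    after 2.4.6, which a plain string comparison gets wrong) but knows nothing
    about distro backports, so 2.4.5-11ubuntu12 is always 'vulnerable'."""
    return parse_version(installed).upstream < parse_version(fixed_upstream).upstream


def is_vulnerable(installed: str, fixed_upstream: str,
                  backports: Dict[str, str]) -> bool:
    """Backport-aware check. For a package whose distro is listed in
    `backports`, compare (upstream, revision) against the distro's fixed
    package version; otherwise fall back to the upstream comparison.
    A bare "-11" revision with no distro name is treated as upstream-only."""
    inst = parse_version(installed)
    if inst.distro is not None and inst.distro in backports:
        fixed = parse_version(backports[inst.distro])
        return (inst.upstream, inst.revision) < (fixed.upstream, fixed.revision)
    return inst.upstream < parse_version(fixed_upstream).upstream


# Constructed advisory data: the upstream release that fixes the flaw and, for
# one distro, the package revision that carries the backported fix.
FIXED_UPSTREAM = "2.4.6"
BACKPORT_FIXED = {"ubuntu": "2.4.5-11ubuntu12"}

# Constructed inventory: the plug-in version each host reports.
INVENTORY = {
    "host-a": "2.4.6",             # upstream fixed release
    "host-b": "2.4.5-11ubuntu12",  # distro backport of the fix
    "host-c": "2.4.5-11ubuntu11",  # distro package from before the backport
    "host-d": "2.4.10",            # newer than the fix; a string compare says otherwise
}


def scan(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {host: (naive_verdict, backport_aware_verdict)} so the two
    checks can be compared side by side. Neither verdict says anything about
    exploitability: a flaw that is present but blocked by a sandbox, policy
    or missing precondition still shows up as 'vulnerable' here."""
    return {
        host: (naive_is_vulnerable(ver, FIXED_UPSTREAM),
               is_vulnerable(ver, FIXED_UPSTREAM, BACKPORT_FIXED))
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    for host, (naive, aware) in scan(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]:<18} naive={naive!s:<5} backport-aware={aware}")
```

Running it shows host-b flagged by the naive check and cleared by the backport-aware one, while host-c (one package revision short of the backport) is flagged by both. The practical consequence is that a version-only scanner needs per-distro fixed-version data, not just the upstream release number, before its "vulnerable" verdict means anything on a backporting distribution.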

  16. Not vulnerable by Anonymous Coward · · Score: 0

    I resisted the "Install Plugin" ruse. Consequently no vulnerability was found.

  17. Mozilla has one too by gQuigs · · Score: 2

    1. Re:Mozilla has one too by hduff · · Score: 1

      So both sites tell me that Shockwave and Java are out-of-date (using Mageia1-alpha1 and FF4beta11) and I update them with the files they provide links to AND it now says I'm still out-of-date.

      Derp?

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    2. Re:Mozilla has one too by Anonymous Coward · · Score: 0

      Did you restart Firefox?

    3. Re:Mozilla has one too by surveyork · · Score: 1

      Hmmm... Are you running Firefox beta portable? In any case, here's my experience: I have: Firefox 3.6, Firefox 4 beta portable and Pale Moon portable. When I go to Plugin Check and update, only Firefox 3.6 gets updated. If I recall correctly, I manually copied the Flash DLL from my User > Application Data > Mozilla > plugins into Firefox 4 beta port. and Pale Moon port. "plugins" folder. Now all of them are up-to-date. Someone else may explain it better but the gist of the solution is that the relevant DLLs in Fx 4 port. and Pale Moon port. plugins folder need to be manually updated.

      --
      2019 is going to be the year of Linux on the desktop.
  18. Mandatory Access Controls or Sandboxing by metrix007 · · Score: 1

    SO, at present the most secure browsers on Windows are Chrome and IE8+

    Why?

    Because they make use of Windows Integrity Controls, a type of MAC which means if a low level process is exploited it has no access to the rest of the user account.

    As much as people laud Opera they are really behind the fucking curve on this one, and I don't know what Mozilla's excuse is. With the excess betas they really don't have one.

    It should be noted, before hairyfeet gets in, that while Firefox and Opera do not make use of WIC, this is not the same as running a browser as root and leaving the whole system vulnerable as he has tried to state before. If you run as a basic user and keep your browser up to date then you are reasonably secure, just not as secure as Chrome or IE in the event of an attack.

    On linux it is a different story, as with SELINUX, RSBAC, Grsecurity or any of the other frameworks you can restrict the helper processes as you see fit, and restrict exactly what directories or objects they have write, read or execute permission to. It would be nice if the browser makers hopped on board and added some native support though.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
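The integrity-level mechanism this post refers to (Windows Integrity Control, the Vista-and-later mandatory label on every process token) is visible from the token itself: `whoami /groups` lists a "Mandatory Label" row whose SID is `S-1-16-<rid>`, and the RID encodes the level. The following is an added example, not code from the thread or from any browser vendor: a Python parser that reads that row, maps the RID to a level name, and reports whether the process is running at Low integrity (the level Chrome's renderer and IE Protected Mode use). The `whoami` output embedded below is constructed for the example; the function and level names are this example's own.

```python
import re
import subprocess
import sys
from typing import Dict, Optional

# Integrity levels carried in the mandatory-label SID S-1-16-<rid>.
INTEGRITY_LEVELS: Dict[int, str] = {
    0: "Untrusted",
    4096: "Low",       # sandboxed renderer / IE Protected Mode
    8192: "Medium",    # a normal, non-elevated user process
    12288: "High",     # elevated (UAC-approved) process
    16384: "System",
}

LABEL_SID_RE = re.compile(r"\bS-1-16-(\d+)\b")

# Constructed sample of `whoami /groups` output from a process running at Low
# integrity; only the "Mandatory Label" row matters to the parser.
SAMPLE_WHOAMI_GROUPS = """\
GROUP INFORMATION
-----------------

Group Name                          Type             SID          Attributes
=================================== ================ ============ ==================================================
Everyone                            Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                       Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Low Mandatory Level Label            S-1-16-4096
"""


def integrity_level(whoami_output: str) -> Optional[str]:
    """Return the integrity level named by the mandatory-label row, or None
    if the output carries no label (pre-Vista Windows, or not Windows)."""
    for line in whoami_output.splitlines():
        if "Mandatory Label" not in line:
            continue
        m = LABEL_SID_RE.search(line)
        if m:
            rid = int(m.group(1))
            return INTEGRITY_LEVELS.get(rid, f"Unknown({rid})")
    return None


def is_sandboxed(whoami_output: str) -> bool:
    """True when the process runs at Low integrity or below. Code running in
    such a process cannot write to Medium-integrity objects (the user's
    profile, registry hive, other windows), which is what limits an exploited
    renderer or plug-in host to its own sandbox."""
    return integrity_level(whoami_output) in ("Low", "Untrusted")


def current_integrity_level() -> Optional[str]:
    """Run `whoami /groups` for the calling process (Windows only)."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["whoami", "/groups"], capture_output=True,
                         text=True, check=True).stdout
    return integrity_level(out)


if __name__ == "__main__":
    print("sample output level:", integrity_level(SAMPLE_WHOAMI_GROUPS))
    print("sample is sandboxed:", is_sandboxed(SAMPLE_WHOAMI_GROUPS))
    print("this process:", current_integrity_level() or "no mandatory label")
```

`current_integrity_level()` only tells you about the process that calls it, which is enough to confirm what a script launched from a Low-integrity context can and cannot touch. To check a browser's own renderer processes, apply the same RID lookup to their tokens, for example via the Integrity Level column in Process Explorer: a browser whose renderers sit at Medium is not getting the containment this thread is talking about, whatever its version number says.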
    1. Re:Mandatory Access Controls or Sandboxing by tuppe666 · · Score: 1

      SO, at present the most secure browsers on Windows are Chrome and IE8+

      I'd love to see you back this claim up. Windows Integrity Controls are used only by a small share of Windows users; Internet Explorer's integration with Windows will mean that Internet Explorer 8 and its insecurities will continue until users update or move away from XP. Perhaps if Windows was not so closely tied to the machine, easy to install and offered cheaper than the price of a second hand car separately, they would be more secure.

    2. Re:Mandatory Access Controls or Sandboxing by metrix007 · · Score: 0

      Not sure what point you're making. I was assuming Vista and up for my statement. To clarify, Chrome and IE8+ are the most secure browsers on versions of Windows Vista and after due to making use of WIC and/or sandboxing.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    3. Re:Mandatory Access Controls or Sandboxing by gad_zuki! · · Score: 2

      The problem with these sandboxed browsers is that their plugins are not sandboxed, generally.

      I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

      I think IE8 is doing well on these tests because if you're using IE you might be a corporate user whose computer is regularly updated by the system admin.

      Both these browsers running an insecure version of Java means instant exploit. The best advice is run any browser you want, but get rid of Java and use an alternate PDF reader.

      Browsers themselves are now pretty secure, it's the damn plugins causing all the issues. At least Google understands this and has a sandboxed secure pdf reader in Chrome. If only they would disable the java plugin by default or make it throw a UAC prompt every time it needs to run. Java sitting there on the browser ready to run any applet is absolute madness.

    4. Re:Mandatory Access Controls or Sandboxing by VGPowerlord · · Score: 1

      I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

      Chrome also integrates Adobe Flash... but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    5. Re:Mandatory Access Controls or Sandboxing by mlts · · Score: 1

      The more browsers use the operating system security abilities, be it WIC, jail(), AppArmor, SELinux, or any other mechanism that reduces the privs a Web browser runs under, the better.

      The battle for control of most PCs is going to be fought at the browser and browser add-on level. This is one front that really needs defense in depth, from browser add-ons being in a separate context from other objects, to a browser tab or window not being able to access other windows, to a browser not being able to get normal user (or even worse, root/sysadmin/QSECOFR context.)

      Kudos to Chrome for working on advances with keeping things separated/sandboxed. A Flash or other scripted app that can record keystrokes only can record those typed in its window of the Web browser, and can't record anything if the user is using another window or another program.

    6. Re:Mandatory Access Controls or Sandboxing by mlts · · Score: 1

      Correction: Kudos to Google for using OS controls for additional security.

      Yes, using OS specific security constructs makes a Web browser less portable across platforms, but it might be that some OS security mechanism may be the only thing standing in the way of browser compromise turning into complete machine pwnage.

      On a larger scale, it might be time for OS makers to have some standardized security mechanisms, where a program can take advantage of them regardless if it runs on Windows, OS X, AIX, or OpenVMS.

    7. Re:Mandatory Access Controls or Sandboxing by venom8599 · · Score: 1

      Right now Chrome on Windows and Linux is using 10.2.154.12. (10.2.154.13 on Mac) The standalone Windows and Mac plugins are both 10.2.152.26, and the normal Linux plugin is 10.2.152.27.

    8. Re:Mandatory Access Controls or Sandboxing by Amouth · · Score: 1

      but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

      except that Google's version is sandboxed where the standalone plugin isn't.. so while the flash part might be exploitable - to what ends is far different.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    9. Re:Mandatory Access Controls or Sandboxing by Anonymous Coward · · Score: 0

      You have it backwards. For two reasons. One, Chrome's Flash updates are always pushed out long before Adobe's own. Two, Chrome's Flash version is proprietary and sandboxed specifically for Chrome.

    10. Re:Mandatory Access Controls or Sandboxing by cbhacking · · Score: 1

      Strictly speaking, IE7 also includes Protected Mode (MIC sandbox). That's only relevant on Vista though - Win7 comes with IE8 and XP is incapable of MIC.

      --
      There's no place I could be, since I've found Serenity...
    11. Re:Mandatory Access Controls or Sandboxing by cbhacking · · Score: 1

      Unless a plugin automatically adds an exception for itself (which some *cough*Flash*cough* do) it will either prompt you for permission to run outside the sandbox, or will run within it. I remove permissions for Flash to do this and it still usually works just fine.

      --
      There's no place I could be, since I've found Serenity...
  19. Not sure of header by hesaigo999ca · · Score: 1

    With a heading like this, too much is left to the imagination, I thought 80% of browsers out there in use are vulnerable, and if that is all, I would say redundancy is useless. Stating the obvious, such as any application made by man, will be error prone....so any browser running out there, is obviously flawed, no news here, move along...

  20. Corporate -vs- home users? by MobyDisk · · Score: 2

    I wonder what the percentages are for corporate users compared with home users. I bet home users are better: My current employer requires our machines to have a *particular* version of Java installed. The internal corporate web site doesn't work on anything newer, or older. Unfortunately this seems to be the norm, not the exception.

    I'm constantly amazed at how these internal apps are some of the poorest maintained software. Training applications, time sheets, desktop sharing, CRMs ... consistently the poorest quality tools I encounter.

    1. Re:Corporate -vs- home users? by Asic+Eng · · Score: 1

      Same in our company. The problem is that frequently the users have no say at all. If the SW needed to be sold, then customers would simply refuse to buy such low quality - for internal tools the users are forced to use the crap.

    2. Re:Corporate -vs- home users? by Salvo · · Score: 1

      Users shouldn't have a say. The IT dept. should have the say.
      Unfortunately, bean counters and upper management have more of a say than those who actually know all the issues. System sales reps use buzzwords to impress the management, or provide kickbacks for bean counters, lumping the IT dept. with an overpriced piece of crap that any competent sysadmin could roll themselves in a weekend (as long as they didn't get interruptions from Clueless Users) using a Linux system, Apache and MySQL.
      It's all well and good purchasing a commercial system so you have someone to blame when it doesn't work, but unless you renew the service contract annually, you can't blame them when something goes wrong.

    3. Re:Corporate -vs- home users? by ConceptJunkie · · Score: 1

      Enterprise software in general is terrible. That's been my experience for over 20 years.

      The people who buy it usually don't use it and the people who have to use it have no say. Once a PHB is sold by slick marketing and drops X thousand dollars per seat, it's too late to back out when you realize that you bought something that makes IBM software from the 1980s look modern and friendly.

      The above paragraph may not be the actual case, but it sure explains what I've always seen.

      Besides, from what I've been seeing lately, Java apps are often bundled with their own JREs. It makes the installers obscenely large, but I suppose it solves the compatibility problem.

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:Corporate -vs- home users? by ikirudennis · · Score: 1

      I know what you're saying, but in order to run the test, the user must be able to install a plug-in. If the corporate user is unable to update java, they probably won't be able to install the plug-in.

  21. BrowserCheck not supported on my system by koinu · · Score: 0

    Qualys BrowserCheck is not supported with your current browser, operating system or both. See supported versions below.

    And now? Am I safe?

  22. Firefox terrible in this regard by Anonymous Coward · · Score: 1

    Simple patch updates have serious regression issues, such that extensions no longer work. I've been stuck on a particular version for months now, because one of my extensions won't work with the new version, and this has NEVER been addressed, either by Mozilla or the extension developer.

    For fuck sake, if you want me to update, don't fuck my shit up..

    1. Re:Firefox terrible in this regard by tuppe666 · · Score: 1

      Which extensions don't work? I have been shocked that I have been able to run a beta copy of Firefox for months with my plug-ins working; considering these are not under Mozilla control I find it remarkable. In fact the extensions page tells you if the plugin works with your version of Firefox. I suspect if you're running 3.6.* everything works :).

    2. Re:Firefox terrible in this regard by venom8599 · · Score: 1

      Are you sure the extension is incompatible? It could just be the extension's version string and not an actual problem. Try using the Nightly Tester Tools extension and forcing compatibility.

    3. Re:Firefox terrible in this regard by d_jedi · · Score: 1

      (I am OP, didn't post under my username before.. and this is a reply to both tuppe and venom)
      I am running Firefox 3.0.19. The extension that doesn't work is Tab Clicking Options 0.6.9

      --
      I am the maverick of Slashdot
    4. Re:Firefox terrible in this regard by tuppe666 · · Score: 1

      If you can't see the problem of running a two year old browser, with an unpopular plugin which has functionality replicated better by other extensions, then basically update your browser and use Tab Utilities :)

  23. Install Plugin to Check Your Browser by Anonymous Coward · · Score: 0

    That's what the header of their web page says. Oh sure. I'll do that right away.

  24. Not even remotely surprised by jimicus · · Score: 3, Insightful

    I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

    OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

    The mess we have right now is the reason why there is always something on a PC that needs updating.

    1. Re:Not even remotely surprised by Anonymous Coward · · Score: 0

      You don't need a centralized repository. You just need applications that can update themselves. This has been on the rise on OS X for a while, since before the App Store. OS X apps could use Sparkle to handle automatic updates. Windows doesn't need a central repository, it just needs something like Sparkle.

    2. Re:Not even remotely surprised by mdielmann · · Score: 1

      A lot of the Windows apps I use are auto-updating (preferably on app start), and it's one of the features I look for. Also, Windows 7 Update carries drivers from third parties as optional components, which is (potentially) handy. After all, if you're going to check for updates to your OS, it helps if you check for updates to the components that directly interface with your OS.

      --
      Sure I'm paranoid, but am I paranoid enough?
    3. Re:Not even remotely surprised by Anonymous Coward · · Score: 0

      I use OS X at home and am constantly in wonderment at the design of the software update system...

      Why is it that the "Software Update" program that's built into the OS doesn't also check the versions of the software installed via App Store?

      Why is it that all the programs I have (VLC, Firefox, etc...) all have their own update system?

      Why do I need to pop into a shell to update my command line tools via apt-get ?

      It's like the worst of all worlds. The rest of the OS is pretty nice.

    4. Re:Not even remotely surprised by mlts · · Score: 1

      I'll take the repos where the Web browser can scan both default and user specified repositories for updates over having every single program, plugin, and code chunkie having a separate update mechanism.

      With so many update mechanisms, there are so many links that can become weak links in a security chain that program security becomes unwieldy. If a blackhat manages to compromise some browser addon's update mechanism, and the addon can get user (or even admin) context, it means the blackhat just obtained themselves a multi-million PC botnet with users unable to do anything about it.

      The only thing that should update applications should be the OS, other than application data (levels in games, zones for an MMO, etc.). Why have every single program reinvent the wheel, as opposed to having a hardened OS mechanism do the dirty work?

      This is the nice thing about repos, Apple's App Store, and Windows 8's store. If I want to tell a user to download an app, they just type it in on the store search, and download it. No website compromise, no Trojanized executables. It also increases the "hmm, I shouldn't really do this" barrier with websites asking a user to install dubious applications manually, as opposed to through a repo/store.

      So, repos keep the chance of getting Trojans down, which is one of the bigger vectors of compromise. Leave the application updates to the OS.

    5. Re:Not even remotely surprised by leachlife4 · · Score: 1

      Self-updating applications do not work well, in practice. Either they are not in use constantly and will thus miss patches for a while, and then delay their use when you do want to use them so they can update, or they take the Windows approach and have a service running constantly, which, when there are many applications installed, leads to performance loss.

      I like the repository approach that *nix uses, as it is reliable and light on resources, though the RSS/signature concept does sound as if it could be viable. The whole application installation/config/registry structure in Windows may have to be changed a bit to make this work without breaking everything when an update is performed.

      On another note, npackd is a Windows-based package management system, though it has some compatibility problems with the Windows add/remove functionality already built in (it cannot uninstall/update applications installed regularly from npackd, and vice versa).

    6. Re:Not even remotely surprised by Anonymous Coward · · Score: 0

      The problem with Apple's App Store is that it only manages updates for stuff you downloaded through it. Basically I fear that excludes all of the most critical stuff like Adobe, Java and Office. It's definitely in the same direction, but nowhere near the ease of updates you get in Linux (installing is just as easy).

    7. Re:Not even remotely surprised by Anonymous Coward · · Score: 0

      An up-to-date Ubuntu 10.10 system with Sun's Java installed from the official repositories shows up as vulnerable as well.

      An automatic update system is a good start, but the problem is not solved if the packages in it are not up to date (and that's the really hard part).

    8. Re:Not even remotely surprised by Rich0 · · Score: 1

      Uh, what he was proposing was something like Sparkle. App registers with the OS with an RSS feed. App owner publishes to RSS feed, app gets updated, maybe with user confirmation first.

      The problem with apps that update themselves, is that they can only do that when they're running, and as local admin. I don't like apps that run all the time - I don't need to have QuickTime running the 99.999% of the time that I'm using my computer and NOT watching a quicktime video. I certainly don't need to have it running to check for updates the 99.999% of the time that there is no update available.

      If the OS had a central update mechanism, then once a day/hour/whatever it could check all the feeds. You would have one lightweight service running all the time, at most. Or, maybe it runs as a scheduled task with zero overhead when not running. The user could go to one place and see what his update statuses are.

      MS doesn't even do this well for their own apps. I gave up on Office ages ago because figuring out if I was properly patched was a royal pain. With OpenOffice I just check for updates in the menus. Then again, OpenOffice doesn't need to make it hard to get updates in order to vet users and punish those who haven't paid for it.

      There is no reason you need a Linux-like package manager to do all of this. You can still do this in a decentralized way. However, you still need a central API to manage things.

      Something more Android-like that sandboxes apps would be even better - even without an app store. You would have guaranteed clean uninstalls that way, and would never have app conflicts.
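      The registration-plus-feed scheme jimicus sketched above ("this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed") and the central once-a-day check Rich0 describes, written out as an added example; this is illustrative code, not Sparkle's, Qualys's or any OS's, and the `Registration` type, the feed layout, the attribute names and the `updates.example` URLs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// Registration is what an app hands the OS once at install time (a hypothetical API shape).
type Registration struct {
	Name      string            // application name
	FeedURL   string            // where release entries are published
	PubKey    ed25519.PublicKey // key the entries must be signed with
	Installed string            // version currently on the machine
}

type Feed struct {
	XMLName xml.Name `xml:"rss"`
	Items   []Item   `xml:"channel>item"`
}

type Item struct {
	Version   string `xml:"version,attr"`
	URL       string `xml:"url,attr"`
	Signature string `xml:"sig,attr"` // base64 ed25519 signature
}

// signedBytes binds a signature to app name, version and URL, so an entry cannot be replayed for another app or download.
func signedBytes(app, version, url string) []byte {
	return []byte(app + "\n" + version + "\n" + url)
}

// SignItem is the publisher side: one signed feed entry per release.
func SignItem(priv ed25519.PrivateKey, app, version, url string) Item {
	sig := ed25519.Sign(priv, signedBytes(app, version, url))
	return Item{Version: version, URL: url, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// compareVersions is negative, zero or positive as a is older, equal or newer than b; a missing component counts as 0, so "10.2" equals "10.2.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// CheckFeed is the OS side: verify every entry with the registered key and return the newest verified version ahead of the installed one (nil if none); one bad signature aborts the whole check, since it is a tampering signal, not noise.
func CheckFeed(reg Registration, feedXML []byte) (*Item, error) {
	var feed Feed
	if err := xml.Unmarshal(feedXML, &feed); err != nil {
		return nil, fmt.Errorf("%s: malformed feed: %w", reg.Name, err)
	}
	var best *Item
	for i := range feed.Items {
		it := &feed.Items[i]
		sig, err := base64.StdEncoding.DecodeString(it.Signature)
		if err != nil || !ed25519.Verify(reg.PubKey, signedBytes(reg.Name, it.Version, it.URL), sig) {
			return nil, fmt.Errorf("%s: entry %q failed signature check", reg.Name, it.Version)
		}
		if compareVersions(it.Version, reg.Installed) > 0 && (best == nil || compareVersions(it.Version, best.Version) > 0) {
			best = it
		}
	}
	return best, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	reg := Registration{Name: "ExamplePlugin", FeedURL: "https://updates.example/feed.xml", PubKey: pub, Installed: "10.2.152"}
	doc, _ := xml.Marshal(Feed{Items: []Item{SignItem(priv, reg.Name, "10.2.153", "https://updates.example/p-10.2.153.pkg")}}) // constructed feed standing in for a fetch of reg.FeedURL
	fmt.Println(CheckFeed(reg, doc))
}
```

A real service would fetch `reg.FeedURL` on its schedule and run `CheckFeed` for every registration; the publisher's private key never leaves the vendor, and the OS holds only the public key handed over at registration.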

    9. Re:Not even remotely surprised by BitZtream · · Score: 1

      So you want Sparkle/WinSparkle to be an OS library.

      Sparkle might have happened previous to the OS X App Store since the guy who writes it is an Apple employee, but that's probably shot now.

      I wouldn't expect anyone to make much effort in this direction though, it offers no profits and requires extra work.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    10. Re:Not even remotely surprised by BitZtream · · Score: 1

      MS doesn't even do this well for their own apps.

      2005 called, they want their feature back.

      Windows Update only updates Windows issues.

      Microsoft Update handles pretty much all MS apps at this point, once you visit it and install the required bits Windows Update turns into Microsoft Update and the problem is solved ... for MS updates.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    11. Re:Not even remotely surprised by jimicus · · Score: 1

      Something like that, yes. I hadn't heard of Sparkle, but it looks like it's roughly the right idea.

      The reason it needs to be in the OS is because if it isn't, there's precious little chance of third-party software supporting it. Not only would it reduce these risks, but it could hook into Active Directory for enterprises.

      Though existing companies providing network management software would probably have something to say about that.

    12. Re:Not even remotely surprised by Anonymous Coward · · Score: 0

      I agree with that. We need something better than every app providing its own updater, some of them terribly bad. In the meantime, I've found the following quite useful:

      http://secunia.com/vulnerability_scanning/personal/

  25. Java needs to update better... by toxickitty · · Score: 1

    Java is a horrible piece of crap when updating. I've been running it on Vista and now Windows 7 for ages and the auto update NEVER WORKS. I have to manually update every time. It's really squarely Java's fault. Also if anyone happens to know how to fix it I always get "Failed to download required installation files.". I've had no luck in trying to find the cause of it.

    1. Re:Java needs to update better... by R.Mo_Robert · · Score: 2

      Try completely removing your existing installation of Java. Try the standard Add/Remove Programs (sorry, "Programs and Features") uninstaller. When that probably fails, do the rest yourself: delete everything in C:\Program Files\Java, then remove the HKLM\Software\JavaSoft key from the registry. Now, download the full offline installer (or whatever you want, I guess--I normally use this one because I hate downloading installers that really only download something else) and try again. You may need to reboot beforehand if you've attempted a previous installation recently.

      Or, at least, this is what I've done manually on some 100+ computers where the SCCM installation of Java has epically failed and deleted most of the bin folder. Maybe it will work for you, too.

      --
      R.Mo
    2. Re:Java needs to update better... by mlts · · Score: 1

      Ideally, Java should come as a .MSI or .MSP file. I don't like how it tries to foist a third party program on you when updating. Nor do I like having to deal with third party installers which means another program that has to have admin level privs on a system.

      Plus, MSI/MSP files mean it is easily pushed out centrally.

    3. Re:Java needs to update better... by BitZtream · · Score: 1

      MSI/MSP files are notorious for the problems they cause due to the crappy shit the InstallShield produces and Microsoft uses.

      I've spent the last few years moving all the apps our company produces off of MSI files just so we can cut down on installation issues like silly shit that happens when an MSI depends on an MSI that depends on running an EXE during installation, or even worse when an MSI calls an EXE wrapper for another MSI instead of referencing the MSI file directly.

      Guess what, you can still deploy them with a script or Active Directory! MSI files are not required for centralized deployment, just a clue about what you are doing.

      In short, if you think MSI files are great, you must not have any experience dealing with them in a large installation.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  26. Plugins don't auto update by sandytaru · · Score: 1

    Java and Adobe's problem is the same - it asks permission to update instead of doing it silently. Heck, the last Reader update required a system reboot. Compare that to AdBlock or NoScript, which updates without you having to do anything and lets you know after the fact. I can force out Windows updates on the systems I manage, but I can't force users to update their Java, and the icon will sometimes sit there for weeks or months before they even bother to mention it.

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Plugins don't auto update by Locke2005 · · Score: 1

      They both need to ask permission because their updates so frequently fail. Nothing like doing the same automatic update over and over again to bring your computer to a crawl.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  27. Not bad, actually by Anonymous Coward · · Score: 0

    Well, that was a surprise: I've been checking Adobe almost weekly for updates to Acrobat Reader 9.4 for Linux. Adobe's web site always tells me it's the latest. But this tool directs me to Adobe's FTP (not HTTP) where I find--lo and behold--there is a 9.4.1 and it's been out since September. So what's wrong with Adobe's download? Lazy site maintenance? As for Java, I also check this weekly. Last Monday, the 14th, the latest was 1.6.0_22. Today I see that 1.6.0_23 was released on the 14th. I'm pleased. Besides, this patching beats working. :)

  28. WTF? by The+Grim+Reefer2 · · Score: 2

    I went to the Browser Check link and was told that I have to enable Java and refresh the page. So to check my browser's security I first have to lower my current security settings? Now I see how they got their numbers.

    1. Re:WTF? by Anonymous Coward · · Score: 0

      They also want you to install their custom plugin. LOL.

  29. 80% of users can't be trusted by ArhcAngel · · Score: 2

    to stay away from web sites that steal their data.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  30. Secunia PSI by Anonymous Coward · · Score: 1

    Use Secunia PSI to auto-update your software, including many commonly used plugins:

    http://secunia.com/vulnerability_scanning/personal/

  31. 100% of web browsers are vulnerable by blair1q · · Score: 1

    Anyone who imagines we've found all the exploits already is a moron.

  32. has trouble with nspluginwrapper by AdamWill · · Score: 2

    If you have Flash installed via nspluginwrapper, it shows two Flash entries, one saying "10.2.152 Up to Date", but the other saying "10.2 Potential Threat", with an explanation that it couldn't figure out the version precisely enough to be sure what it was. It counts this as a security threat. So that's a false positive right there.

    1. Re:has trouble with nspluginwrapper by Anonymous Coward · · Score: 0

      64bit flash for Linux has been out for a while...

    2. Re:has trouble with nspluginwrapper by Whipstersh · · Score: 1

      Not only that, but I doubt that various Linux distro patching is acknowledged in testing for "vulnerabilities" (used synonymously with "up to date" by the BrowserCheck) for modified browsers and plugins. While most would consider the current version of Iceweasel shipped with Debian stable to be "fully patched", this tool likely doesn't take non-upstream versions into account and would report false positives on those as well.

  33. Better statistic by JustAnotherIdiot · · Score: 1

    100% of machines used by idiots are at risk of attack when they try to claim their prize for being the 1000th visitor.

    --
    What do I know, I'm just an idiot, right?
  34. USA 2011 by westlake · · Score: 0

    "About eight out of every 10 Web browsers run by consumers are vulnerable to attack [CC] by exploits of already-patched bugs, a security expert said Thursday."

    The venue is worth a mention: RSA Conference 2011 - San Francisco

    This is not a second-tier event.

    Speakers include former President Bill Clinton, General Keith B. Alexander, Commander, U.S. Cyber Command, William Lynn III, Deputy Secretary of Defense...

    In Open Source from Qualys:

    BlindElephant Web Application Fingerprinter

  35. Does an error equal secure? by Hydian · · Score: 1

    If it gives you an error when you try to run it, does that mean that you are secure or vulnerable?

  36. What is this crap by Anonymous Coward · · Score: 0

    So in order to test my system, I need to re-enable javascript, cookies and plugins and download an unknown untrusted plugin?

    I'm afraid I must decline...

  37. The scan is not even close to accurate by Anonymous Coward · · Score: 0

    I tried the Qualys BrowserCheck. It misidentified the Mozilla browser version and the Java Runtime version and claimed they were old versions with vulnerabilities. In fact the browser is the latest version and JRE is a newer version without known vulnerabilities. It correctly identified the Flash version but failed to notify me that simply running Flash makes my entire www experience one huge vulnerability in itself ha ha ha.

    It's worth remembering that an OS with system-wide package management almost negates these kinds of issues anyway (though browser plug-ins may remain a problem depending on how you obtained them).

    Lame product unless you're that rare person who runs Windows and cares about security but also keeps forgetting to do anything about it.

  38. Consumers by McTickles · · Score: 1

    What exactly do they "consume" using a web browser?
    I doubt I can actually download food ...

  39. Don't use BrowserCheck. by R.Mo_Robert · · Score: 1

    Mozilla has a free plugin check that you can use to see not only if you're up to date on the most common plugins but also if any of yours that are out of date suffer from a known exploit you should fix immediately. It's free, and there's no extra plugin (yeah, BrowserCheck...what the) to install: http://www.mozilla.com/en-US/plugincheck/.

    --
    R.Mo
  40. Me too by QuincyDurant · · Score: 1

    I didn't have to install a plug-in to run the check as some have said below. Over and out on three Mac browsers in two or three minutes.

  41. Only the naive would use this site by Anonymous Coward · · Score: 0

    Only naive browser users would install a plug-in from a random web site to test the security of their plug-ins. It's a self-selecting statistical sampling and we know the value of those. I'm surprised their results aren't 95%, but it says nothing about the vulnerability of the population of browser users.

  42. You need a throwaway browsing account and no Java by Anonymous Coward · · Score: 0

    And I'm a Java dev, both at work and for fun.

    Java doesn't have its place in a browser. Applets are the lamest joke ever, only seconded by the abysmal failure that JWS is.

    And I do like Java a lot, I really do. Simply I *never* use a Java enabled browser and I'm not missing much.

    I realized browsers would always have security holes something like, say, five years ago (I know, I'm lame, I should have understood that with Netscape back in the 20th century).

    So what do I do? I surf using throwaway accounts. It's trivial to set up on Linux, where you can install a browser in one user account, without needing to be root. So I've got my main user account and several "browsing" accounts. The slashdot/theregister/news/whatever account is called "/home/tmp/" and I erase it at each reboot.

    Then I've got my "personal data" browser which I use for GMail + Google Docs + managing my domains etc.

    Then I've got my Java developer account: on Linux you can install Java without needing to be root (on Windows you *must* be admin to install Java). So user "a" can have Java (JRE/JDK) and user "tmp" only has a browser and does *not* "see" the Java from user "a".

    And because Linux / X11 allows displaying applications from another user, I simply display the windows of user "/home/tmp/" on one of my virtual desktops.

    For shitty Windows-only-bug-ridden-bullshit that I need to try once in a while, I've got a KVM with Windows XP that I "kill -9" and reimage once I'm done with it.

    The only safe browser is one that you can throw away.

    Try it: there are amazingly few websites where you need your real identity (AC on /., fake identity on StackOverflow, etc.). For all the stuff where I don't need my real identity, I surf from the "tmp-throwaway-reimageable" account.

  43. Use JavaRa by surveyork · · Score: 1

    godel_56 beat me to it: Use JavaRa to get rid of old installations of Java. However, Sun/Oracle wised up a bit and current versions of Java have this issue fixed, if memory serves me right. No more crap left over when updating _fresh installs of current JRE_.

    --
    2019 is going to be the year of Linux on the desktop.
  44. Java is a pain by thsths · · Score: 1

    And luckily I can do without it in most cases. I only know one website that uses it, and unfortunately a few of our intranet applications :-(

    I just don't understand why one of the biggest software companies is not able to program an update mechanism that works. Microsoft can do it, Google can do it, Mozilla can do it, Debian/Ubuntu etc. have mastered it. But neither Sun nor Oracle get anywhere with their solution.

  45. flawed by Anonymous Coward · · Score: 0

    The biggest problem with this scan is that it assumes updates are always to patch over security vulnerabilities, and thus that an old plugin is vulnerable to exploitation.

  46. Well then by Cant+use+a+slash+wtf · · Score: 1

    "Browser Check Complete. Congratulations! You passed Qualys BrowserCheck. We recommend you scan your browser regularly to stay up to date with the latest versions and plugins." Well, that certainly was uneventful.

  47. Yes, we know: You have done better stuff, suso by Anonymous Coward · · Score: 0

    In fact, your works in software are so superior to this very useful tool, that nobody even knows what it is you've done (which is pretty much zero), right? Until you've done something yourself, your jealous little bullshit is best kept to yourself, because it's what you appear to be: A jealous done-nothing with himself in this life blowhard.

  48. Unsupported? by IanBal · · Score: 1

    My browser is "Unsupported". So I guess according to this tool, the exploits must be unsupported in my browser too!