Slashdot Mirror

← Back to Stories (view on slashdot.org)

80% of Browsers Found To Be At Risk of Attack

Posted by ryuzaki0 on from the zomg-we're-all-gonna-die dept.

CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."

33 of 196 comments (clear)

  1. Slashvertisement by suso · · Score: 4, Insightful

    Not getting enough hits? Slashvertisement can work for your company too. Call today!

    1. Re:Slashvertisement by tgeller · · Score: 5, Informative

      That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

      --
      Tom Geller
    2. Re:Slashvertisement by Anonymous Coward · · Score: 2, Insightful

      This is a slashvertisement, but at least it was for something useful this time. I just patched 3 browsers based on the results.

  2. Plug-ins Bad. Here's ours by Lunoria · · Score: 2

    So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure. People need to update their software for security. That's not news.

    1. Re:Plug-ins Bad. Here's ours by bunratty · · Score: 5, Informative

      You can use Mozilla's Plugin Check. No installation required.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Plug-ins Bad. Here's ours by bunratty · · Score: 2

      Ah, The perfect is the enemy of the good. Could there possibly exist some things that are useful despite the fact that they are not perfect?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    3. Re:Plug-ins Bad. Here's ours by ColdWetDog · · Score: 2

      Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

      This is a problem for both the official Mozilla plug in check and the current slashvertisement site. The official Mozilla site flags a much larger number of plugins including the hapless mess that is Java but misses several Google plugiins. Unfortunately it appears that plugin writers don't necessarily follow the guidelines for announcing themselves and further that Silverlight comes back as outdated in both checks even though I've pulled the download directly from Microsoft's site, installed it and rebooted the machine.

      If nothing else, this points to a huge problem for modern browsers. If there is no mechanism for automatically and accurately keeping tabs of the various components than no one, but no one is going to have a fully patched machine.

      --
      Faster! Faster! Faster would be better!
  3. I would have thought this closer to 100% by mswhippingboy · · Score: 3, Insightful

    Since new exploits are identified each day.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    1. Re:I would have thought this closer to 100% by SudoGhost · · Score: 4, Insightful

      I would have thought it closer to 100% since about 100% of browsers are used by people, which are the biggest security flaws in any system.

    2. Re:I would have thought this closer to 100% by Kenja · · Score: 3, Funny

      Lynx is still pretty safe!

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:I would have thought this closer to 100% by Skarecrow77 · · Score: 4, Informative

      My wife has a shirt that says "Social engineering" on the front, and on the back it says "Because there is no patch for human stupidity".

      My wife is awesome.

    4. Re:I would have thought this closer to 100% by osgeek · · Score: 2

      Look, man, if you have an opinion just express it. Don't keep these things all bottled up inside where they can fester.

      Tell us what you really think about the guy and you'll feel better.

      All this sugar coating to avoid hurting his feelings isn't doing either of you any favors.

      --
      Why are you letting these clowns ruin our country?
    5. Re:I would have thought this closer to 100% by Anonymous Coward · · Score: 2, Funny

      Nah, 80% is correct. the remaining 20% of browsers are Opera, which is not known to be used by people.

    6. Re:I would have thought this closer to 100% by VGPowerlord · · Score: 3, Funny

      I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

      Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

      I wasn't aware that the Commodore 64 had updates.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:I would have thought this closer to 100% by e9th · · Score: 2

      Is your version susceptible to this?

  4. Isn't that? by Wolvenhaven · · Score: 4, Funny

    The exact percentage of IE marketshare?

    --
    Orwell was an optimist.
  5. Uhmm NO by Monty845 · · Score: 4, Informative

    So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.

  6. Self-selecting for failure by RobertB-DC · · Score: 3, Interesting

    So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

    I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery immensely).

    Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

    This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  7. Updating Java by Anonymous Coward · · Score: 5, Insightful

    Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

  8. Old versions kept with Java by SmilingBoy · · Score: 2

    One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!

    1. Re:Old versions kept with Java by Vekseid · · Score: 2

      This nonsense stopped around 6.16 or so, but yes until then it was freaking annoying. Java updates will remove old versions now.

      --
      Adult Role Playing Forum
  9. Java, obvious by Bobfrankly1 · · Score: 3, Insightful

    The most likely plug-in to require a patch: same as last year, Oracle's Java."

    Of course, this has nothing to do with the fact that new versions of Java tend to break existing java based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

    1. Re:Java, obvious by mswhippingboy · · Score: 4, Interesting

      While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

      I guess I've just been lucky.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    2. Re:Java, obvious by mswhippingboy · · Score: 2

      First, I said "I've been working with Java in large enterprise settings for over 15 years". I didn't say I have applications that were written 15 years ago that are still running the same binaries.

      Second, there was a lot more than applets being written 15 years ago. I do still have Java back-end applications that were originally built back then but have undergone enhancements over the years. Just because the "Server JVM" wasn't introduced until somewhere around 1.4, doesn't mean java didn't run on servers long before that. The Server JVM was introduced mainly because there was so much being written for back-end systems it was advantageous for them to share a single JVM rather than each application running their own. Other than playing around a bit with them, I've never spent much time working with applets since this technology never really received widespread use.

      You may very well be correct that applets written for JDK 1.0 no longer work, but that's a problem with the applet technology. However, class files created back then can (as far as I know, although I haven't tried it) still be executed in the latest JVM. But even if they can't, a simple re-compile should take care of it. Again, applets are not a fair representation of Java since it's strength is in the server side, not the client side.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  10. Mozilla has one too by gQuigs · · Score: 2

    http://www.mozilla.com/plugincheck/

  11. Corporate -vs- home users? by MobyDisk · · Score: 2

    I wonder what the percentages are for corporate users compared with home users. I bet home users are better: My current employer requires out machines to have a *particular* version of Java installed. The internal corporate web site doesn't work on anything newer, or older. Unfortunately this seems to be the norm, not the exception.

    I'm constantly amazed at how these internal apps are some of the poorest maintained software. Training applications, time sheets, desktop sharing, CRMs ... consistently the poorest quality tools I encounter.

  12. Not even remotely surprised by jimicus · · Score: 3, Insightful

    I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

    OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

    The mess we have right now is the reason why there is always something on a PC that needs updating.

  13. Re:Java?!?!? by mswhippingboy · · Score: 3, Informative

    Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

    This is actually true. However, when user just mindlessly click through the security dialog on unsigned applets that warn that resources outside the sandbox may be accessed it defeats the whole sandbox protection mechanism.

    I guess it gets back to the old adage "Make it foolproof and only a fool will use it.".

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  14. WTF? by The+Grim+Reefer2 · · Score: 2

    I went to the Browser Check link and was told that I have to enable Java and refresh the page. So to check my browsers security I first have to lower my current security settings? Now I see how they got their numbers.

  15. 80% of users can't be trusted by ArhcAngel · · Score: 2

    to stay away from web sites that steal their data.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  16. Re:Mandatory Access Controls or Sandboxing by gad_zuki! · · Score: 2

    The problem with these sandboxed browsers is that their plugins are not sandboxed, generally.

    I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

    I think IE8 is doing well on these tests because if you're using IE you might be a corporate user who's computer is regularly updated by the system admin.

    Both these browsers running an insecure version of Java means instant exploit. The best advice is run any browser you want, but get rid of Java and use an alternate PDF reader.

    Browsers themselves are now pretty secure, its the damn plugins causing all the issues. At least Google understands this and has a sandboxed secure pdf reader in Chrome. If only they would disable the java plugin by default or make it throw a UAC prompt everytime it needs to run. Java sitting there on the browser ready to run any applet is absolute madness.

  17. has trouble with nspluginwrapper by AdamWill · · Score: 2

    If you have Flash installed via nspluginwrapper, it shows two Flash entries, one saying "10.2.152 Up to Date", but the other saying "10.2 Potential Threat", with an explanation that it couldn't figure out the version precisely enough to be sure what it was. It counts this as a security threat. So that's a false positive right there.

  18. Re:Java needs to update better... by R.Mo_Robert · · Score: 2

    Try completely removing your existing installation of Java. Try the standard Add/Remove Programs (sorry, "Programs and Features") uninstaller. When that probably fails, do the rest yourself: delete everything in C:\Program Files\Java, then remove the HKLM\Software\JavaSoft key from the registry. Now, download the full offline installer (or whatever you want, I guess--I normally use this one because I hate downloading installers that really only download something else) and try again. You may need to reboot beforehand if you've attempted a previous installation recently.

    Or, at least, this is what I've done manually on some 100+ computers where the SCCM installation of Java has epically failed and deleted most of the bin folder. Maybe it will work for you, too.

    --
    R.Mo