Last month Adobe released version 10 of their free Flash Player plugin for web browsers. If you've installed version 10, then you're done. You are not missing any patches and can stop reading now.
If you're not sure which version of Flash is installed, Adobe has a tester page. Windows users that have installed another browser, need to run this test in both Internet Explorer and the other web browser(s).
Anyone still running version 9 of the Flash Player needs to be running the latest edition, 9,0,151,0, which was released just a few days ago. It fixed a slew of bugs.
If you have an older edition of version 9, then you have a choice.
To install version 10 see my October 18th posting Seven steps to update the Adobe Flash Player on Windows. But, version 10 seems like a big change, and for defensive computing, it's often best to avoid the bleeding edge.
The problem with updating to version 9,0,151,0 is finding it. Adobe recommends using version 10 and that's the only available version at the Flash Player Download page. But, version 9,0,151,0 is available from Adobe at Flash Player 9 for Unsupported Operating Systems. There are links for Windows, Macs and Linux.
Although not always necessary, I suggest doing a full un-install of the Flash player before installing a new version. For more on this see How to uninstall the Adobe Flash Player plug-in and ActiveX control. For documentation on the fixes to the latest edition of version 9 see Flash Player update available to address security vulnerabilities.
See a summary of all my Defensive Computing postings.
There is a common defensive computing thread in two recent stories.
In the first story, Newsweek reports that both presidential candidates had their campaign computers hacked from afar. As they put it:
The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." ... Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information... "
The second story involves a former Intel employee who allegedly stole trade secrets. As CNET's Stephanie Condon writes, the employee resigned, yet continued on the Intel payroll for a few weeks (perhaps working off vacation time). During this transition period, he started working for Intel rival AMD, yet he remained in possession of his Intel laptop and still had access to Intel's computer network. The FBI later found him in possession of "top secret" Intel files worth more than $1 billion in research and development costs.
The lesson is clear. If you have really valuable or sensitive files, don't make them remotely accessible. Cut the wire. Some files should never be available off-site.
If this means buying a new computer just to hold really sensitive files, it's money well spent.
A couple years ago, I heard someone from the hacker group 2600 give out this same advice on their radio show, Off The Hook. It made sense back then and makes even more sense now.
Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement.
If you put sensitive files on a laptop computer, then consider storing it in a safe when not in use. If you have a small safe, get a small laptop or a Netbook.
Laptops need more than just cutting the Ethernet wire. To begin with, turn off the Wi-Fi radio (there is probably a switch or a function key for this). If the laptop has Bluetooth, physically turn that off too.
Then, turn off the networking features in the operating system.
On Windows, turn off file sharing for every network adapter and turn off every network protocol. Then, disable all the network adapters.
Finally, disable the underlying Windows services that handle networking. On Windows XP this would be: Wireless Zero Configuration, Server, Computer Browser, Workstation and SSDP Discovery. Then since, the machine will be off-line forever, there are quite a few other Windows XP services that won't be needed and can be disabled: Automatic Updates, Distributed Link Tracking Client, Distributed Transaction Coordinator, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, Network Location Awareness (NLA), Network Provisioning Service, Remote Desktop Help Session Manager, Remote Registry and WebClient. The laptop I'm writing this on also has an Infrared Monitor service. I don't know what it's for, but I keep it disabled.
All told, this isn't much work and doesn't involve much expense. Yet, it's great insurance and can leave your sensitive files better defended than those at Intel and each presidential campaign.
See a summary of all my Defensive Computing postings.
I've stated before on this blog that I think Netbooks will be very popular. The 25 best selling laptop computers at Amazon.com bears out this prediction. But, perhaps the most shocking thing about the list is how few computers have Windows Vista installed.
The top 10 consist of seven Netbooks running Windows XP, one Netbook running Linux and two MacBooks. No Vista.
As of 11 a.m. PT Thursday, here's the list of operating systems on the most popular laptop computers sold at Amazon.com.
1. Windows XP Home Edition
2. Windows XP Home Edition
3. Mac OS X 10.5 Leopard
4. Windows XP Home Edition
5. Windows XP Home Edition
6. Windows XP Home Edition
7. Mac OS X 10.5 Leopard
8. Windows XP Home Edition
9. Windows XP Home Edition
10. SUSE Linux Enterprise Desktop 10
11. Windows Vista Home Premium
12. Mac OS X 10.5 Leopard
13. Windows Vista Home Basic
14. Linux
15. Windows XP Home Edition
16. Mac OS X 10.5 Leopard
17. Windows XP Home Edition
18. Linux
19. Windows XP Home Edition
20. Mac OS X 10.5 Leopard
21. Windows XP Home Edition
22. Linux
23. Mac OS X 10.5 Leopard
24. Windows XP Home Edition
25. Windows XP Home Edition
Operating System Totals
Windows XP: 13
Mac OS X: 6
Linux: 4
Windows Vista: 2
Form Factor Totals
Netbook: 18
Full size Laptop: 7 (includes 6 Macs)
See a summary of all my Defensive Computing postings.
I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.
As you can see in the picture below, it came with an attached ZIP file.
A malicious email that was not from the UPS package delivery company
ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.
The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.
As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.
And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.
See a summary of all my Defensive Computing postings.
Chances are, there is a copy of Java on any computer you walk up to. According to Sun Microsystems, the company behind Java, it has been installed on more than 800 million computers. There are versions of Java for many operating systems, including Windows, OS X, Linux, and Solaris, just to name a few. You can see if Java is installed on a computer by visiting Javatester.org.
If there is a copy of Java on a computer you own or maintain, it may be old. JavaTester.org not only reports the installed version but gives you some idea of how old that version is, by listing the most recent versions and when they were released.
Multiple versions of Java can, and often do, coexist on a single computer. This is because installing newer versions of Java has never removed older versions. Windows users will see any old versions in the usual Add/Remove Programs list in the Control Panel.
Do you need Java at all? Maybe, maybe not.
Many people use Java without realizing it. I recently wrote about the Secunia Online Software Inspector, a great online service for reporting old, dangerously buggy software that's installed on Windows computers. It requires Java. If you have a Box.net account and use their drag-and-drop multiple file uploader, you're using Java.
Installing
What follows are step-by-step instructions for installing the latest versions of Java on a Windows computer.
Sun, the company behind Java, just released a new version known as Java 6 Update 10 (among other names). As I noted previously, there's no compelling reason to install this latest version, in fact, a case can be made that the prior version, Java 6 Update 7, is the better way to go. The steps involved in installing either version are the same.
The Java plug-in fails to automatically install in Firefox
In theory, the first time you try to use a Web page that requires Java it should be automatically installed. In reality, this rarely works. I just tested it under Windows XP with Firefox versions 2 and 3 and with Internet Explorer versions 6 and 7. Not once did Java auto-install (see above).
No matter, the manual installation is fairly simple. And unlike Flash, Windows users only have to install Java once.
Technically, what you download is the Java Runtime Environment (JRE). The latest JRE version is always available at www.java.com/en/download/manual.jsp. Go for the "offline" version. The prior Java version (Java 6 Update 7) is available at java.sun.com/products/archive/j2se/6u7/index.html. Click on the "Download JRE" link at the bottom of the page.
For both versions, when you run the downloaded EXE file, the installation starts with the usual license agreement.
Starting the installation of Java
Then you may be given the chance to download additional software. When I installed Java 6 Update 7, there was no additional software. But when I installed the latest version, it defaulted to also installing the Yahoo Toolbar for Firefox. No one needs the Yahoo Toolbar, so I suggest not installing it. Defensive computing means installing only the software you really need. The less software installed, the less of a bug magnet your computer is.
Additional software, unrelated to Java, may be an option.
As the software is being installed, you'll see a standard progress bar.
Java is being installed.
When it's all done, this too is clearly shown.
Java has been installed.
Old Versions
What to do with older versions of Java that may be on your computer is debatable.
My preference is to delete old software, so that malicious software can't exploit any known bugs. Others may argue to let sleeping dogs lie because there may be some software that specifically requires an old version of Java. I'll take that chance. In the worst case, you can always download an old version of Java at java.sun.com/products/archive/.
On Windows, Java uninstalls in the normal, standard manner.
This latest version of Java (6 Update 10) is going to complicate things in the future. Newer versions of Java 6 may install themselves over this version or they may not. Java can now be installed in two ways: patch-in-place and static.
If your copy of Java 6 Update 10 is "patch-in-place" then a newer version of Java 6 will remove Update 10 when it's installed. However, if your copy of Java 6 Update 10 is "static," then newer versions of Java 6 will not replace Update 10.
Either way, newer versions of Java 6 will not remove versions of Java 6 prior to Update 10. Also, when Sun gets up to Java version 7 Update 1, that will not remove any copies of Java 6 that may exist.
I don't make these decisions, I only report them.
See a summary of all my Defensive Computing postings.
Sun Microsystems released a new version of Java for Windows, Linux and Solaris a few days ago. Should you rush out to install it? Probably not.
First a bit of level-setting. Version numbers are an ongoing annoyance with Java, and this latest go-round is no different. The new release is identified with six names:
- 1.6.0_10 (from the Java runtime)
- Update 10 of Java Standard Edition 6
- Java (TM) 6 Update 10 (in the Add or Remove Programs thingy in the Control Panel)
- Java SE 6u10
- 6.0.100.33 (by the Secunia scanner)
- 1.6.0_10-b33 (a property of the java.exe file)
New software typically has both new features and bug fixes, but this release of Java only has new features. Sun's release notes say "this feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 7. Users who have Java SE 6 Update 7 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."
From what I've read, this appears to be a pretty big release. There are many new features including some affecting the core of the product. New features inevitably mean new bugs, thus the safer approach is wait. Anyone currently running the previous version of Java (1.6.0_7) is therefore best off doing nothing. To see which version, if any, you have installed simply visit Javatester.org.
If, however, you have an older version of Java installed, then you should update it to 1.6.0_7 (a.k.a. Java 6 Update 7). You can download the older version of Java at java.sun.com/products/archive/j2se/6u7/index.html. Click on the "Download JRE" link.*
If and when the time comes that you need one of the new Java features, that's the time to upgrade. Chances are, that by that time, the new features may have had a bug or two fixed.
One exception, is anyone using Google's Chrome browser, which requires the latest version (1.6.0_10) of Java.
Mac users don't have a decision, there is no new release of Java for OS X. For whatever reason, Sun--the company that developed Java--does not supply it for Macs. But Apple does, and Apple is always behind the curve in terms of new releases.
To take a step back, do you need Java at all? If for nothing else, Java is required for the Secunia Online Software Inspector, which I wrote about two days ago.
*Here is an alternate link directly to the EXE file for Windows users. This should download file jre-6u7-windows-i586-p.exe, which is about 15MB. Surprisingly, CNET's own Download.com is a bit behind on Java releases.
See a summary of all my Defensive Computing postings.
Secunia's Online Software Inspector (OSI) is a great free service, one that all Windows users should avail themselves of regularly. OSI is an online scan of a Windows computer (Macs and Linux are not supported) that looks for software with known security flaws. Any computer that gets a clean bill of health from OSI is better defended than one that doesn't.
As I write this, only 7,019 scans have been run in the last 24 hours. More Windows users need to be made aware of the scanner, and I hope this posting does so. That said, OSI isn't perfect.
Defining The Problem
A screenshot illustrating a portion of the OSI report is shown below. The easy-to-understand green check vs. red X indicates that Flash versions 9 and 10 are considered safe, whereas Flash version 7 is not. This illustrates a design choice made by Secunia that I disagree with.
Software with known bugs is given a green check if the vendor has not yet released a patch for the bug(s).
Secunia describes its assorted scanners as focusing "...solely on detection and assessment of missing security patches and end-of-life programs." An unpatched bug is not missing a security patch, so it's green-lighted.
This may be what large organizations need to know, but I think home users should be warned of known buggy software, patch or no patch. For example, if the Adobe Reader has a known bug, we can decide to use the Foxit PDF Reader in the meantime.
Flash version 9 is currently in this state; version 10 fixes a number of bugs. I recently blogged about installing Flash version 10 and warned that version 9 should be replaced. This resulted in an e-mail exchange with Thomas Kristensen, Secunia's CTO.
In his own words:
The OSI and the PSI reports missing security updates for supported software. Flash 9 is still supported and no security related update has been released yet, thus we don't report any missing update for Flash 9. Flash 10 is not a security update for Flash 9, since Flash 9 still is supported.
The interesting perspective here is whether Adobe is using the security issue in Flash 9 to promote Flash 10.
The real problem here is not the OSI and PSI results, the real problem is that Adobe hasn't released an update for Flash 9 (or announced "end of life" for Flash 9).
PSI refers to the Secunia Personal Software Inspector, a free Windows application from Secunia. PSI runs on Windows XP, Vista, 2003, and 2000. The big advantage of PSI is that it scans for 7,000 applications whereas the online scan only evaluates 70. At CNET's Download.com, the editor's review gave PSI five stars (out of five).
Running a scan
The online scan is a Java applet and thus requires that Java be installed. Specifically, it requires Java version 1.6.x. You can test the state of Java on your computer at my javatester.org Web site. If Java is not installed, you can download the latest version at www.java.com/en/download/manual.jsp. I prefer to use the "offline" installation which is just over 15 megabytes.
When the Secunia Java applet loads into your computer, you are asked whether to trust it. This is normal, and you need to trust it to run the scan. The question is issued by the Java runtime environment because Java, by default, does not allow applets to see the local file system. Because it's a Java applet, you can run the scan from any Web browser.
The OSI page has a red "Start Scanner" button at the bottom of the page that doesn't start the scanner. Instead it loads the Java applet and offers a choice as to the type of scan.
A default scan looks for software in the default location for each product. A "thorough system inspection" (enabled by a check box) looks everywhere. Anyone using portable software, needs to run a thorough scan. A default scan is faster and may be a good starting point the first time you use the service. However, I recommend the thorough scan. Inquiring minds want to know.
Scan results
The first thing you'll notice (see below) when the scan completes is the report on missing bug fixes to Windows itself.
Secunia did not reinvent Windows Update; instead, it calls the Windows Update software and reports the results. You see this in the system requirements which include the "Latest version of Microsoft Windows Update."
What it doesn't explicitly mention is that the underlying Windows service (called "Automatic Updates" in XP and 2000, and "Windows Update" in Vista) needs to be running. Every time I run the scan on one of my computers I get the error shown below.
This is because I keep the underlying service disabled, only enabling it once a month to install patches.
I mention this because it brings up another questionable design decision by Secunia. If it can't communicate with the Windows Update software, it nonetheless gives Windows a green check. I think a question mark would better reflect the situation.
E-mailed notifications
When the scan completes, you're prompted to subscribe to Secunia's OSI reminder service, which notifies you by e-mail of significant changes to OSI.
I've been on the list for a while and get maybe one or two notifications a week. The latest one (shown below in a slightly edited format) would have come in very handy Thursday as a warning about the latest critical bug in Windows.
Hi,
Secunia has updated the Secunia Online Software Inspector (OSI) with new rules for detecting insecure software.
Run the Secunia OSI to make sure that your system is up-to-date:
What is New:
1) Inspection rules have been updated to detect a special out-of-band security patch from Microsoft.
You have received this email because you have subscribed to the Secunia
OSI Reminder Service.
Each e-mail includes a link to remove yourself from the list.
Despite my nit-picking, Secunia is offering a great service to Windows users.
See a summary of all my Defensive Computing postings.
Update October 20, 2008 Noon EDT. According to Secunia they now detect version 10 of the Flash Player and they have corrected their FAQ. However, the most important issue, treating version 9 of the Flash Player as good rather than bad has not changed.
Update October 20, 2008 9 PM EDT. An email from Secunia said they don't consider version 9,0,124,0 of the Flash Player to be bad because it is the latest edition of version 9 and because Adobe still supports version 9.
I've mentioned previously that I'm a big fan of Secunia's Online Software Inspector for rooting out old buggy software on a Windows computer. Although it's not perfect, Windows users are much better off with it than without it. But there are two recent issues.
Sample report from the Secunia Online Software Inspector.
One long-standing issue is that OSI is a Java applet and Secunia could do a better job of making new users aware of the Java requirement--not only what Java is, but also the required version and the currently installed version.
First problem
What's new about Java is that the necessary version has been updated.
As I write this, Secunia's FAQ says Java version 1.5.0_12 or later is needed, while its system requirements page says that Java 1.6.x or later is needed. I discovered the hard way that the system requirements page is correct.
As part of installing the latest version of the Adobe Flash Player, I tried to run a Secunia scan on a system with Java version 1.5.0_15, only to have it fail in a new way. After trying to load Java 50 times, it gave up and issued the error below.
Running Secunia OSI with an old version of Java.
I can only assume this has something to do with the Online Software Inspector update on October 16.
So, what version of Java, if any, is installed on your computer? See my www.javatester.org Web site.
Second problem
The other problem with Secunia's OSI is that it is behind the times on the Adobe Flash Player.*
For one thing, it still thinks version 9 of the Adobe Flash Player is OK. According to Adobe, it's not. Then too, it does not yet detect version 10 of the Flash Player at all.
I'm sure Secunia will get up to speed on the Flash Player soon. Its Online Software Inspector is still a very valuable service, and the new version seems to run much faster than the old one (even though it can't count to two--see screenshot below).
The Secunia Online Software Inspector reports an inconsistent number of errors.
*This was tested again Sunday October 19, 2008 at 3 p.m. EDT.
Initially tested Saturday October 18, 2008 at 7 p.m. EDT.
See a summary of all my Defensive Computing postings.
All web browsers have bugs, but when simply viewing a web page can infect your computer with malicious software, the speed with which bugs are found and fixed is critical. It may be the most important yardstick by which to measure any web browser.
For Windows users, the choice between Firefox and Internet Explorer isn't a contest at all. Microsoft is slow in fixing IE bugs, being locked into a once a month cycle. Not Firefox.
Mozilla released version 3.02 of Firefox on Tuesday. It had a bug. Happens all the time. What doesn't happen all the time is that the bug was fixed quickly and version 3.03 of Firefox was released on Friday.
Anyone interested in Defensive Computing doesn't want their bug fixes idling at the gate waiting for the one day a month when they are set free.
See a summary of all my Defensive Computing postings.
Everyone knows that Mac is safer than Windows because almost all malicious software targets Windows. But every rule has exceptions, and in this case, the exception has been Java.
Java is unusual in that any company can write a Java runtime environment for any operating system. Microsoft, at one point, provided one for Windows, but those days are long gone. ThinkPad laptops still come with a Java runtime developed by IBM. Netscape used to ship its own Java runtime as part of the Navigator Web browser. Today, most Windows users get their Java runtime from Sun Microsystems, the company that originally developed the language.
For whatever reason, Sun does not provide a Java runtime for Macs, instead this is left to Apple.* And, Apple has a history of being slow to fix bugs in Java, trailing Sun by many months.
All this is background to the fact that this week Apple released a large number of bug fixes for Java on Mac OS X 10.5 (Leopard) and OS X 10.4 (Tiger).
Mac users can go to my Javatester.org Web site to see the version of Java being used by their web browser. Anyone using multiple web browsers needs to check the Java version in each browser separately.
Apple supports three versions/editions/families of Java:
• The oldest family is 1.4.2 and the latest version there is now 1.4.2_18. (The prior buggy version was 1.4.2_16.)
• Next is the 1.5.0 family where the latest go-round is 1.5.0_16. (The prior buggy version was 1.5.0_13.)
• The latest and greatest version of Java for Macs is 1.6.0 and the latest version here is 1.6.0_07. (The prior buggy version was 1.6.0_05.)
*Sun points users to developer.apple.com/java/, a page that hasn't been updated to reflect the latest releases.
See a summary of all my Defensive Computing postings.
