A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.
On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.
The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.
Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).
Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?
Old Versions of Software
Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.
A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.
Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.
Firefox does an excellent job of updating itself, Internet Explorer does not. The survey found many IE users running old versions of the browser, moreso than other browsers. For example, Firefox defaults to opening up a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.
Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is udpated as part of Windows Update and Microsoft Update and thus lives in a bigger more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, it's Defender anti-malware software and who knows what else.
One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.
Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.
Which do you prefer?
Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:
"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"
Update. July 7, 2008: Yet another IE related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?
Update. July 7, 2008: A commenter made a good point, Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.
See a summary of all my Defensive Computing postings.
Installing a new version of software should be trivial thing--especially for popular software such as the Adobe Systems' Flash player, which is used by millions of people every day. But no.
For one, the Flash player does not play well with the other kids in the sandbox. That is, trying to remove the currently installed version via the Windows XP Control Panel Add/Remove applet is a waste of time. The first three machines I tried this on resulted in three different outcomes, and the software was not removed on any of the machines. Instead, Adobe has an uninstaller for the Flash player.
And why do I bring up removing old versions in the first place?
Because the Flash installer has never removed older versions of the program. The first time I ran the Secunia Software Inspector I almost fell off my chair at the huge list of old versions of the Flash player that were hanging around. Those old versions were flagged by Secunia because they had security vulnerabilities (a nice word for bug, which is itself, a nice word for a mistake by a programmer).
As I blogged about yesterday, this is now an important issue because the latest version of the Flash player fixes nine bugs, some of them critical (Adobe's term, not mine). Simply viewing a Web page can infect your machine, so removing the old buggy versions of Flash is important.
Unfortunately the bugs in Flash extend beyond the player itself, as I learned the hard way while trying to update a handful of machines to the latest version.
Two versions of the Flash player
IE ActiveX version of the Flash player (top) and the Firefox plug-in version
Even in the best of times, the Flash player is particularly annoying to upgrade because it has to be done twice, once for Internet Explorer and then again for Firefox. The player comes packaged as an ActiveX control ("control" is nerd talk for "program") for IE and as a "plug-in" for Firefox.
You can see this is the screenshot above from the Secunia Software Inspector, which shows both versions of the latest Flash player. The .ocx file at the top is the ActiveX version; the .dll file at the bottom is the plug-in version. As you can see, both files normally reside in
C:\WINDOWS\SYSTEM32\Macromed\Flash\
The problems described below were only with the Firefox plug-in version.
Fighting to upgrade
One computer in particular desperately resisted being updated to the latest version of the Flash player. I eventually got it working, however. So if anything similar happens to you, you may find a helpful tip below. The problematic machine was running the latest version of Firefox (2.0.0.11) and Windows XP with all bug fixes applied.
I mentioned yesterday that Adobe has what I refer to as a "tester" page for Flash, a Web page that displays the currently installed version of the Flash player.
When I approached the machine this morning, the Flash tester page showed that Firefox was running the old version 9.0.47* but Internet Explorer 6 was running the latest version 9.0.115. I dutifully ran the Adobe Flash uninstaller (the version from December 3, 2007) and then went back to the tester page to see what it had done. The ActiveX version for Internet Explorer was successfully removed, but the Firefox plug-in version remained.
I cleared the Firefox cache, rebooted and tested again. Still, the Adobe tester page reported that Firefox was using the old version.
I got a second opinion from the Secunia Software Inspector: it said there was no plug-in version of Flash. Who to believe, Adobe or Secunia?
My first guess was to believe Secunia since all they do is look for files in folders, a simple process that shouldn't break. Sure enough, when I checked, there was no NPSWF32.dll file in C:\WINDOWS\system32\Macromed\Flash.
But I figured the acid test was to visit a Web site that uses Flash, so I browsed around Yahoo.com a bit. Lo and behold, Firefox was able to display the Flash-based ads. Both the Adobe uninstaller and Secunia had failed to locate the copy of the Flash player that Firefox was using. Nice work, guys.
But, if the NPSWF32.dll file was not in it's official folder, Firefox was nonetheless picking it up from somewhere. To find out where, I ran a Secunia "thorough system inspection," something I suggested at the end of my previous posting.
Sure enough, it found three instances of the Firefox plug-in version of the Flash player.
A portable version of Firefox on the M disk was using Flash version 9.0.47, another portable version of Firefox on the Z disk was using Flash version 9.0.45 (the Adobe Flash tester page confirmed this). But the interesting file was on the C disk:
C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
This was probably the file Firefox was using.
from the downloaded EXE file
At this point I figured I'd just install the new Flash player and be on my way to the next machine. So I went to the Flash player download center and downloaded an EXE to install the plug-in version of Flash for Firefox. The install ran successfully as shown above (I can't show all the messages because the window is not re-sizeable).
Not trusting anything, I verified that the official folder C:\WINDOWS\system32\Macromed\Flash did, in fact, contain a file called NPSWF32.dll and that its properties showed it to be version 9.0.115.
I cleared the Firefox cache and restarted the browser. You could have knocked me over with a feather when the Adobe tester still showed that Firefox was using the old version 9.0.47 instead the just-installed latest version, 9.0.115.
Determined not to be defeated by Adobe's incompetence at the simple task of installing and uninstalling its own software, I renamed the NPSWF32.dll in C:\Program Files\Mozilla Firefox\plugins\ to NPSWF32.DONTUSE.ME.dll, cleared the Firefox cache again and restarted the browser.
It was still using version 9.0.47!
This I truly did not expect. After all, I had uninstalled the Flash player, installed it successfully and renamed the file it might have been picking up by mistake. Despite all this, it kept using the old version. But from where? Can you guess?
Fortunately there was no need to guess. The excellent Process Explorer can display the DLLs loaded by any running process.
A picture is worth a thousand words, so take a look at the screenshot of Process Explorer above. Despite renaming the NPSWF32.dll file and despite that it does not reside in the official folder, Firefox is still using it. Now I'm annoyed with Mozilla, too.
The next step was obviously to delete the NPSWF32.DONTUSE.ME.dll file, and, finally, this activated the new 9.0.115 version of the Flash player.
A parade of bugs
Let me wrap up by summarizing the virtual parade of bugs I ran into:
Adobe bug: Its uninstaller program did not uninstall the Flash player being used by Firefox. It missed the player used by both the normally installed copy of Firefox and by two portable versions of Firefox.
Secunia bug: Firefox was using an old buggy version of the Flash player, but its regular inspector didn't find any instance of Flash to report on, let alone object to.
Adobe and/or Mozilla bug: After successfully installing the new version of the Flash player, Firefox didn't use it.
Firefox bug: Using a DLL despite having the wrong name.
Firefox bug: There should be one and only one location that Firefox uses for plug-ins. The use of two folders for plug-ins fooled both Secunia and Adobe.
Not to mention the nine bugs in the Flash player that kicked off this endeavor. And not being able to use the Control Panel Add/Remove Programs applet in Windows XP to remove the Flash player. It works for everyone else, why not for Flash? All this is made even worse by the fact that Flash and Firefox are mature, popular products.
They don't make programmers like they used to.
Update: January 30, 2008. For more on this topic see A heads-up on the Adobe Flash player from January 26, 2008.
Update: January 6, 2008. There is yet another location that Firefox will pick up the Flash player from that the Adobe un-installer ignores. See Black eyes for Adobe.
Update: January 10, 2008. Based on this blog posting, Secunia is changing how their online inspector works. The below is from an email message from them to me:
By default the Secunia Online Software Inspector will only search default install directories, to our knowledge the default plug-in
directory for Flash in Firefox has previously been: %ProgramFiles%\Mozilla Firefox\plugins
However, with a recent update they (Adobe or Firefox) changed the Firefox Flash plugin directory to be: %SystemRoot%\SYSTEM32\Macromed\Flash
This is why a default inspector (non-thorough) wouldn't pick up any Flash files from the Firefox plug-in directory.
However, based on your findings we have chosen to re-insert the default Firefox plug-in directory again, so it should now pick-up Flash plug-ins located in both directories.
Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.
* The full version numbers are 9.0.47.0 and 9.0.115.0 but I'm leaving out the last zero so your eyes don't glaze over and because it's not relevant to the point at hand. Adobe also uses commas in the version number instead of periods. I'm using periods here because that's the standard for version numbers.
See a summary of all my Defensive Computing postings.
- prev
- 1
- next
