Defensive Computing

October 24, 2008 6:53 PM PDT

Secunia's Online Software Inspector

by Michael Horowitz

Secunia's Online Software Inspector (OSI) is a great free service, one that all Windows users should avail themselves of regularly. OSI is an online scan of a Windows computer (Macs and Linux are not supported) that looks for software with known security flaws. Any computer that gets a clean bill of health from OSI is better defended than one that doesn't.

As I write this, only 7,019 scans have been run in the last 24 hours. More Windows users need to be made aware of the scanner, and I hope this posting does so. That said, OSI isn't perfect.

Defining The Problem

A screenshot illustrating a portion of the OSI report is shown below. The easy-to-understand green check vs. red X indicates that Flash versions 9 and 10 are considered safe, whereas Flash version 7 is not. This illustrates a design choice made by Secunia that I disagree with.


Software with known bugs is given a green check if the vendor has not yet released a patch for the bug(s).

Secunia describes its assorted scanners as focusing "...solely on detection and assessment of missing security patches and end-of-life programs." An unpatched bug is not missing a security patch, so it's green-lighted.

This may be what large organizations need to know, but I think home users should be warned of known buggy software, patch or no patch. For example, if the Adobe Reader has a known bug, we can decide to use the Foxit PDF Reader in the meantime.

Flash version 9 is currently in this state; version 10 fixes a number of bugs. I recently blogged about installing Flash version 10 and warned that version 9 should be replaced. This resulted in an e-mail exchange with Thomas Kristensen, Secunia's CTO.

In his own words:

The OSI and the PSI report missing security updates for supported software. Flash 9 is still supported and no security related update has been released yet, thus we don't report any missing update for Flash 9. Flash 10 is not a security update for Flash 9, since Flash 9 still is supported.

The interesting perspective here is whether Adobe is using the security issue in Flash 9 to promote Flash 10.

The real problem here is not the OSI and PSI results, the real problem is that Adobe hasn't released an update for Flash 9 (or announced "end of life" for Flash 9).

PSI refers to the Secunia Personal Software Inspector, a free Windows application from Secunia. PSI runs on Windows XP, Vista, 2003, and 2000. The big advantage of PSI is that it scans for 7,000 applications whereas the online scan only evaluates 70. At CNET's Download.com, the editor's review gave PSI five stars (out of five).

Running a scan

The online scan is a Java applet and thus requires that Java be installed. Specifically, it requires Java version 1.6.x. You can test the state of Java on your computer at my javatester.org Web site. If Java is not installed, you can download the latest version at www.java.com/en/download/manual.jsp. I prefer to use the "offline" installation which is just over 15 megabytes.

When the Secunia Java applet loads into your computer, you are asked whether to trust it. This is normal, and you need to trust it to run the scan. The question is issued by the Java runtime environment because Java, by default, does not allow applets to see the local file system. Because it's a Java applet, you can run the scan from any Web browser.

The OSI page has a red "Start Scanner" button at the bottom of the page that doesn't start the scanner. Instead it loads the Java applet and offers a choice as to the type of scan.

A default scan looks for software in the default location for each product. A "thorough system inspection" (enabled by a check box) looks everywhere. Anyone using portable software needs to run a thorough scan. A default scan is faster and may be a good starting point the first time you use the service. However, I recommend the thorough scan. Inquiring minds want to know.

Scan results

The first thing you'll notice (see below) when the scan completes is the report on missing bug fixes to Windows itself.


Secunia did not reinvent Windows Update; instead, it calls the Windows Update software and reports the results. You see this in the system requirements which include the "Latest version of Microsoft Windows Update."

What it doesn't explicitly mention is that the underlying Windows service (called "Automatic Updates" in XP and 2000, and "Windows Update" in Vista) needs to be running. Every time I run the scan on one of my computers I get the error shown below.


This is because I keep the underlying service disabled, only enabling it once a month to install patches.

I mention this because it brings up another questionable design decision by Secunia. If it can't communicate with the Windows Update software, it nonetheless gives Windows a green check. I think a question mark would better reflect the situation.

E-mailed notifications

When the scan completes, you're prompted to subscribe to Secunia's OSI reminder service, which notifies you by e-mail of significant changes to OSI.


I've been on the list for a while and get maybe one or two notifications a week. The latest one (shown below in a slightly edited format) would have come in very handy Thursday as a warning about the latest critical bug in Windows.

Hi,
Secunia has updated the Secunia Online Software Inspector (OSI) with new rules for detecting insecure software. Run the Secunia OSI to make sure that your system is up-to-date:
What is New:
1) Inspection rules have been updated to detect a special out-of-band security patch from Microsoft.
You have received this email because you have subscribed to the Secunia OSI Reminder Service.

Each e-mail includes a link to remove yourself from the list.

Despite my nit-picking, Secunia is offering a great service to Windows users.

See a summary of all my Defensive Computing postings.

October 18, 2008 5:16 PM PDT

Two problems with Secunia Online Software Inspector

by Michael Horowitz

Update October 20, 2008 Noon EDT. According to Secunia, they now detect version 10 of the Flash Player and they have corrected their FAQ. However, the most important issue, treating version 9 of the Flash Player as good rather than bad, has not changed.
Update October 20, 2008 9 PM EDT. An email from Secunia said they don't consider version 9,0,124,0 of the Flash Player to be bad because it is the latest edition of version 9 and because Adobe still supports version 9.

I've mentioned previously that I'm a big fan of Secunia's Online Software Inspector for rooting out old buggy software on a Windows computer. Although it's not perfect, Windows users are much better off with it than without it. But there are two recent issues.

Sample report from the Secunia Online Software Inspector.

One long-standing issue is that OSI is a Java applet and Secunia could do a better job of making new users aware of the Java requirement--not only what Java is, but also the required version and the currently installed version.

First problem

What's new about Java is that the necessary version has been updated.

As I write this, Secunia's FAQ says Java version 1.5.0_12 or later is needed, while its system requirements page says that Java 1.6.x or later is needed. I discovered the hard way that the system requirements page is correct.

As part of installing the latest version of the Adobe Flash Player, I tried to run a Secunia scan on a system with Java version 1.5.0_15, only to have it fail in a new way. After trying to load Java 50 times, it gave up and issued the error below.

Running Secunia OSI with an old version of Java.

I can only assume this has something to do with the Online Software Inspector update on October 16.

So, what version of Java, if any, is installed on your computer? See my www.javatester.org Web site.

Second problem

The other problem with Secunia's OSI is that it is behind the times on the Adobe Flash Player.*

For one thing, it still thinks version 9 of the Adobe Flash Player is OK. According to Adobe, it's not. Then too, it does not yet detect version 10 of the Flash Player at all.

I'm sure Secunia will get up to speed on the Flash Player soon. Its Online Software Inspector is still a very valuable service, and the new version seems to run much faster than the old one (even though it can't count to two--see screenshot below).

The Secunia Online Software Inspector reports an inconsistent number of errors.

*This was tested again Sunday October 19, 2008 at 3 p.m. EDT.
Initially tested Saturday October 18, 2008 at 7 p.m. EDT.
See a summary of all my Defensive Computing postings.

February 8, 2008 10:52 AM PST

Sun's Java sloppiness

by Michael Horowitz

In researching assorted postings on this blog I've dealt with security firm Secunia and thus ended up on their mailing list. They sent a notice yesterday warning that QuickTime has a security problem and everyone should upgrade to the newest version. A new bug in QuickTime certainly comes as no shock.

But the email was about more than just QuickTime. Secunia said this latest fix was the "...fourth major security update during the last two days required to protect private PCs against criminal attacks ... Users of Skype, Adobe Reader, and Java also run a risk of falling victim to online criminals ..."

The message is both a warning and a plug for Secunia. They offer a free online Software Inspector service for Windows that I'm a big fan of. It examines a computer and reports on software that is missing important bug fixes. It's not perfect, but any computer that passes the test is safer than one that doesn't. Highly recommended.

According to Secunia, anyone running Java version 1.6.0_03 from Sun should upgrade to version 1.6.0_04. They issued a pair of advisories about bugs in Java, one on Feb 6th and one on Feb 1st.

You can visit my website, www.javatester.org, to see which version of Java you are running. I describe many ways to determine the version number, but the straight-from-the-horse's-mouth method runs a Java program (technically an applet) that reports the version number and the vendor directly from Java. This simple, reliable method works on any computer with Java installed, be it Windows, Mac, Linux or anything else. Sample output is shown below.

Javatester.org reporting on Java version 1.6.0_03

Be aware that if you use multiple web browsers you need to check the Java version from each browser. It is possible for two different browsers to be using different versions of Java on the same computer. Also, Sun is not the only company offering a Java runtime environment. This posting is only about Sun's versions of Java. Versions from other vendors will have their own issues. ThinkPad owners may find their Java came from IBM/Lenovo.

Note: The biggest drawback to Secunia's Software Inspector is that it requires Java. This requirement is listed as "Sun Java JRE 1.5.0_12 or later". JRE is nerd talk for the Java Runtime Environment, which is the part of Java that lives on your computer and lets you run Java programs. It is the logical equivalent of the Adobe Flash player. Like the Flash Player, the Java Runtime Environment is free.

If you run the Secunia Software Inspector on a Windows machine with Java version 1.6.0_03 you get this message: "This installation of Sun Java JRE 1.6.x / 6.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 6.0.30.5, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 6.0.40.0." A screenshot of this is below.

Screen shot of Secunia Software Inspector for v1.6.0_03

Who's On First? What's On Second?

I know what you're thinking. How did we get from version 1.6.0_03 displayed by my JavaTester.org site to version 6.0.30.5 that Secunia reports? How is anyone supposed to realize that 6.0.30.5 translates to 1.6.0_03? How can it be both version 1 and version 6?

A while back I complained to Secunia that their version numbering scheme for Java was confusing. They basically said, don't shoot the messenger. Secunia looks at files and they get the version number from the Java executable itself. In this case, on a Windows XP machine, the executable is file java.exe in C:\Program Files\Java\jre1.6.0_03\bin. The version number is shown below. Sure enough, that's what Secunia reports. Don't ask me why software released in 2007 is copyright 2004.

Properties of file java.exe on Windows XP for v1.6.0_03

For years Sun has referred to a single version of Java with multiple names. It's as if they just don't care.

In the Windows XP Control Panel, the Add/Remove Programs feature refers to this same version of Java with a third format "Java (TM) 6 Update 3". The Java Control Panel in the Windows Control Panel has yet another format for the version number as shown below:

Java Control Panel for version 1.6.0_03

Pushing Old Software

Regardless of the many names, Java version 1.6.0_03 is old; the latest version from Sun is 1.6.0_04. Here is your reward for reading this far:

Sun still offers version 1.6.0_03 for download and recommends it no less!


Get old Java software at java.com

Go to sun.com and click on "Java for your computer" off the Java menu at the top. You end up at java.com/download/ where the latest version (see screenshot above) is said to be Version 6 Update 3. It's as if one division at Sun didn't tell another division that there's a new release of the software. If you're keeping score at home, this is naming format number three.


Another offering of old software at java.com

Clicking on the "Do I have Java?" link took me to a page with a big green "Verify Installation" button. On an XP machine running IE6 with version 1.5.0_12 installed, the verification correctly identified the version of Java and warned that it was old. But rather than offer to install the latest version, it offered to install Version 6 Update 3. A screen shot is above. Note the use of naming format number one and number three only inches apart on the same web page.


Sun recommends the old version 1.6.0_03

On an XP machine with version 1.6.0_03 installed, I went to the java.com home page and let the website test the installed version of Java. As shown above, it again recommended Version 6 Update 3.

There seems to be a failure to communicate at Sun, both within the company itself and to the outside world. We're left to guess whether to go with Sun's recommendation or that from Secunia. I asked Sun to comment on this a couple days ago and got no response.

What To Do?

I'd install the latest version, be it referred to as "1.6.0_04" or "Version 6 Update 4" or "6.0.40.0".

Back on January 23rd Brian Krebs wrote in his Security Fix column that version 1.6.0_04 fixed 370 bugs. As proof he linked to java.sun.com/javase/6/webnotes/ReleaseNotes.html where you can count the bug fixes for yourself.

To get the latest Java version, you can follow the link provided by the Secunia Software Inspector or you can go to java.sun.com/javase/downloads/index.jsp and look for "Java Runtime Environment (JRE) 6 Update 4" (yes, that's naming format number five).


Note: If you are running Java version 1.5.x, Secunia says version 1.5.0_12 is not secure but that version 1.5.0_14 is.
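As an added illustration (not code from this post, from Secunia or from Sun), the normalizer below maps the naming formats listed above, "1.6.0_03", "6.0.30.5", "Java (TM) 6 Update 3" and "JRE 6 Update 4", onto one (major, update) pair and checks it against the secure versions this post names; it also handles the Adobe Flash version strings discussed elsewhere on the page, including Adobe's comma form. The rule that the file version's third component is ten times the update number is an assumption inferred from the two pairs the post gives (6.0.30.5 = 1.6.0_03, 6.0.40.0 = 1.6.0_04).

```python
import re

# Minimum secure Java update per major version, as stated in this post:
# 1.5.0_14 for Java 5 and 1.6.0_04 (a.k.a. 6.0.40.0, "6 Update 4") for Java 6.
JAVA_MIN_SECURE_UPDATE = {5: 14, 6: 4}

# Flash minimum from the January 2008 post on this page (9.0.115.0).
FLASH_MIN_SECURE = (9, 0, 115, 0)


def parse_java(text):
    """Return (major, update) for any Java naming format shown on the page.

    Accepts the Sun form "1.6.0_03", the Windows file version "6.0.30.5"
    and any "<major> Update <n>" phrase such as "Java (TM) 6 Update 3".
    """
    s = text.strip()
    m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", s)            # 1.6.0_03 -> (6, 3)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"(\d+)\.0\.(\d+)\.(\d+)", s)         # 6.0.30.5 -> (6, 3)
    if m:
        # Assumption: the third component is update * 10 (30 -> 3, 40 -> 4),
        # inferred from the two pairs the post gives.
        return int(m.group(1)), int(m.group(2)) // 10
    m = re.search(r"(\d+)\s+Update\s+(\d+)", s)            # "6 Update 3" -> (6, 3)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError("unrecognised Java version string: %r" % text)


def same_java_release(a, b):
    """True when two differently formatted strings name the same release."""
    return parse_java(a) == parse_java(b)


def java_is_secure(text):
    """Conservative check: a major version with no known minimum is insecure."""
    major, update = parse_java(text)
    needed = JAVA_MIN_SECURE_UPDATE.get(major)
    return needed is not None and update >= needed


def parse_flash(text):
    """Normalise "9.0.115.0", "9,0,124,0" or the shortened "9.0.47" to 4 ints."""
    parts = [int(p) for p in re.split(r"[.,]", text.strip())]
    if not 1 <= len(parts) <= 4:
        raise ValueError("unrecognised Flash version string: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def flash_is_secure(text, minimum=FLASH_MIN_SECURE):
    """Numeric comparison, so "9,0,124,0" and "9.0.47" compare correctly."""
    return parse_flash(text) >= minimum


def audit(inventory):
    """Classify (product, version_string) pairs as reported by different tools."""
    checks = {"java": java_is_secure, "flash": flash_is_secure}
    return [(product, version, checks[product](version)) for product, version in inventory]


if __name__ == "__main__":
    # Constructed inventory built from the strings quoted on this page.
    sample = [("java", "1.6.0_03"), ("java", "6.0.40.0"), ("java", "Java (TM) 6 Update 3"),
              ("flash", "9,0,124,0"), ("flash", "9.0.47")]
    for product, version, ok in audit(sample):
        print("%-5s %-22s %s" % (product, version, "OK" if ok else "INSECURE"))
```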

See a summary of all my Defensive Computing postings.

January 26, 2008 7:49 PM PST

A heads-up on the Adobe Flash player

by Michael Horowitz

The free Flash player from Adobe is one of the most popular pieces of software on the planet. It's a web browser add-on that runs in Windows, Mac OS X and assorted versions of Linux and Unix. A large percentage of web pages include Flash-based content. It's all but guaranteed to be installed on the computer you are reading this on.

There are a few things you need to know about it.

The current version of the Flash player is 9.0.115.0. Older versions suffer from critical security problems, so if you are not using version 9.0.115.0 you need to upgrade. You can see which version of the Flash player your web browser is using at Adobe's Flash tester page (my terminology). You need to run this test in every web browser installed on your computer because they might be using different versions of the Flash player.

Screenshot from www.adobe.com/products/flashplayer/

Uninstall First

Before installing a new version of Flash you should uninstall the old version(s). I say this both because removing software with known security bugs is a good thing in general and because Adobe recommends it in one of their TechNotes which says "Before you install Flash Player for any Windows browser, uninstall all previous versions" (see Troubleshoot Adobe Flash Player installation for Windows).

Over the years, the Flash installer has not un-installed old versions. Thus, there may be a slew of old, buggy copies of the Flash player on your computer.

Although the Flash player appears in the list of installed software in the Windows Control Panel "Add or Remove Programs" list, removing it from there doesn't always work. And, it may not tell you that it didn't work.

Update. January 30, 2008: According to Adobe, removing the Flash player via the Windows Control Panel should be the first approach. This will work for recent versions of the Flash player, but not for older versions. If your browser(s) continue to use an old version of Flash after removing it via the Control Panel, then try the un-installer.

Update. February 4, 2008: On a Windows XP machine running IE7, I was not able to remove the Adobe Flash Player 9 ActiveX using the Add/Remove Programs applet in the Control Panel. Clicking the button did nothing. The computer was using Flash version 9,0,45,0, which is fairly recent. The downloadable Flash uninstaller, dated December 3, 2007, did remove the Flash player.

The official way to remove the Flash player is with an un-installer program that you can download from Adobe. Another one of their TechNotes says "Due to recent enhancements to the Adobe Flash Player installers, you can now remove the player only by using the Adobe Flash Player uninstaller."

How would someone know this? It seems a techie has to tell you. One just did.

No one told Ian "Gizmo" Richards, the man behind the Support Alert newsletter. The just-released January 24th edition warned about the Flash security problems and the need to upgrade to version 9.0.115.0, but it didn't mention Adobe's Flash Player un-installer program. This is not a criticism of Mr. Richards; to my mind, Adobe hasn't done enough to publicize either the non-standard uninstall process or the need to upgrade to version 9.0.115.0 in the first place.

For example, a search on CNET's own news.com for "flash player" turns up my previous blogs, but nothing in the news section about the need to upgrade the Flash player. Lockergnome also doesn't seem to have mentioned this. Neither did Good Morning Silicon Valley or InfoWorld. ComputerWorld mentioned the need to upgrade, but said nothing about un-installing old versions. Brian Krebs at WashingtonPost.com mentioned both the needed upgrade and the un-installer, but only mentioned the un-installer in passing.

On top of this, the Adobe Flash player un-installer is incomplete. I documented two instances where the Adobe uninstaller left behind an old buggy copy of the Flash player (see Problems updating the Flash player in Firefox? Here's Help). I first reported this to Adobe roughly a month ago. Since then, they have not released a new version of their un-installer. The latest version, with these two problems, is dated December 3, 2007.

Adobe is hurting their reputation by failing to reliably un-install their own software. Since they are not helping you, you need to help yourself.

Secunia Software Inspector

One way to get an inventory of old copies of the Flash player that may still be floating around your computer is the online Secunia Software Inspector.*

This free service from Secunia runs as a Java applet and scans your computer looking for software (not just Flash) with known security vulnerabilities. By default, it only checks software installed in the standard or official location. In response to a communication from me, Secunia recently changed their search pattern for the Flash player and they are now more likely to find all live copies. Still, to get a full accounting, I suggest running a "thorough system inspection" - it's a checkbox under the blue Start button. This looks for software in "non-default locations". To me, if you're going to run a scan for insecure software at all, you might as well do the most thorough scan possible.

The downside to the Secunia Software Inspector is the need for Java, another web browser add-on. Not only does your computer need to have Java installed (many don't), Secunia also requires a recent version (1.5.0_12 or later). At my javatester.org website you can check whether Java is installed on your computer and which version you have. Java is like Flash in that different browsers on the same computer can be using different versions. Thus you need to test the Java version in all of your web browsers.

If dealing with Java is too much for you, Secunia has a similar program, their Personal Software Inspector, that you can download and install. It runs on Windows XP, Vista, 2000 and 2003.

The Flash player is just a file. In Windows, it may be a DLL file or it may be an OCX file. The file names have changed many times. Old versions that Secunia finds can be removed simply by deleting the file that Secunia identifies.

After removing the old versions, verify that each of your web browsers is no longer using Flash at Adobe's flash tester page. Internet Explorer should offer to install the ActiveX version of Flash when it finds it missing. Firefox will offer links to the plug-in version of Flash. In both cases the installation process is pretty standard.

If this doesn't work (which has happened to me a few times) you can download Flash at www.adobe.com/go/getflashplayer. This page auto-detects your web browser and offers the correct version of Flash for that browser.

Cheat Sheet

The cheat sheet below, for Windows users, summarizes the necessary steps:

  • Go to my javatester.org web site and check if Java is installed.
  • If it is, and it's from Sun Microsystems and is version 1.5.0_12 or later, then run the online Secunia Software Inspector. Opt for a "thorough system inspection" (it's a checkbox under the blue Start button).
  • If Java is not installed, or is not from Sun or is too old, then there are two options. Either upgrade to the latest version of Java (here too, un-install any old versions first) or download and install the Secunia Personal Software Inspector. If you opt to download Secunia's software, then after installing it, check the Settings section. You may want to change some of the default options. For example, it wants to run all the time in the background.
  • If the only versions that Secunia detects are 9.0.115.0, then all is well. You're done.
  • If there are versions older than 9.0.115.0 they should be removed (covered in the next few steps).
  • Download, install and run Adobe's Flash un-installer program from here.
  • After running it, repeat the Secunia search to verify that all versions of Flash were in fact removed. If any versions were not removed, delete the files that Secunia identifies.
  • From every web browser on your computer visit Adobe's Flash tester page. At this point, no web browser on your computer should report that it is using Flash. Instead they should offer to install the missing Flash player.
  • Install the latest version of the Flash player in every web browser on your computer. If the automatic installation at the Flash tester page fails, then manually install it from www.adobe.com/go/getflashplayer.

The Secunia Software Inspectors are Windows-only. Mac users can download and run a Mac version of Adobe's Flash player un-installer. Linux users get no assistance from either Secunia or Adobe.

It's a shame that Adobe makes this so difficult.


*Regardless of Flash, being familiar with and regularly using the Secunia inspector is a great step towards Defensive Computing.

See a summary of all my Defensive Computing postings.

December 22, 2007 8:17 PM PST

Problems updating the Flash player in Firefox? Here's help

by Michael Horowitz

Installing a new version of software should be a trivial thing--especially for popular software such as Adobe Systems' Flash player, which is used by millions of people every day. But no.

For one, the Flash player does not play well with the other kids in the sandbox. That is, trying to remove the currently installed version via the Windows XP Control Panel Add/Remove applet is a waste of time. The first three machines I tried this on resulted in three different outcomes, and the software was not removed on any of the machines. Instead, Adobe has an uninstaller for the Flash player.

And why do I bring up removing old versions in the first place?

Because the Flash installer has never removed older versions of the program. The first time I ran the Secunia Software Inspector I almost fell off my chair at the huge list of old versions of the Flash player that were hanging around. Those old versions were flagged by Secunia because they had security vulnerabilities (a nice word for bug, which is itself, a nice word for a mistake by a programmer).

As I blogged about yesterday, this is now an important issue because the latest version of the Flash player fixes nine bugs, some of them critical (Adobe's term, not mine). Simply viewing a Web page can infect your machine, so removing the old buggy versions of Flash is important.

Unfortunately the bugs in Flash extend beyond the player itself, as I learned the hard way while trying to update a handful of machines to the latest version.

Two versions of the Flash player

Screenshot from the Secunia Software Inspector showing both the
IE ActiveX version of the Flash player (top) and the Firefox plug-in version

Even in the best of times, the Flash player is particularly annoying to upgrade because it has to be done twice, once for Internet Explorer and then again for Firefox. The player comes packaged as an ActiveX control ("control" is nerd talk for "program") for IE and as a "plug-in" for Firefox.

You can see this in the screenshot above from the Secunia Software Inspector, which shows both versions of the latest Flash player. The .ocx file at the top is the ActiveX version; the .dll file at the bottom is the plug-in version. As you can see, both files normally reside in
    C:\WINDOWS\SYSTEM32\Macromed\Flash\

The problems described below were only with the Firefox plug-in version.

Fighting to upgrade

One computer in particular desperately resisted being updated to the latest version of the Flash player. I eventually got it working, however. So if anything similar happens to you, you may find a helpful tip below. The problematic machine was running the latest version of Firefox (2.0.0.11) and Windows XP with all bug fixes applied.

I mentioned yesterday that Adobe has what I refer to as a "tester" page for Flash, a Web page that displays the currently installed version of the Flash player.

When I approached the machine this morning, the Flash tester page showed that Firefox was running the old version 9.0.47* but Internet Explorer 6 was running the latest version 9.0.115. I dutifully ran the Adobe Flash uninstaller (the version from December 3, 2007) and then went back to the tester page to see what it had done. The ActiveX version for Internet Explorer was successfully removed, but the Firefox plug-in version remained.

I cleared the Firefox cache, rebooted and tested again. Still, the Adobe tester page reported that Firefox was using the old version.

I got a second opinion from the Secunia Software Inspector: it said there was no plug-in version of Flash. Who to believe, Adobe or Secunia?

My first guess was to believe Secunia since all they do is look for files in folders, a simple process that shouldn't break. Sure enough, when I checked, there was no NPSWF32.dll file in C:\WINDOWS\system32\Macromed\Flash.

But I figured the acid test was to visit a Web site that uses Flash, so I browsed around Yahoo.com a bit. Lo and behold, Firefox was able to display the Flash-based ads. Both the Adobe uninstaller and Secunia had failed to locate the copy of the Flash player that Firefox was using. Nice work, guys.

But, if the NPSWF32.dll file was not in its official folder, Firefox was nonetheless picking it up from somewhere. To find out where, I ran a Secunia "thorough system inspection," something I suggested at the end of my previous posting.

Sure enough, it found three instances of the Firefox plug-in version of the Flash player.

A portable version of Firefox on the M disk was using Flash version 9.0.47, another portable version of Firefox on the Z disk was using Flash version 9.0.45 (the Adobe Flash tester page confirmed this). But the interesting file was on the C disk:
    C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
This was probably the file Firefox was using.

Installing the Firefox plug-in version of the Flash player
from the downloaded EXE file

At this point I figured I'd just install the new Flash player and be on my way to the next machine. So I went to the Flash player download center and downloaded an EXE to install the plug-in version of Flash for Firefox. The install ran successfully as shown above (I can't show all the messages because the window is not re-sizeable).

Not trusting anything, I verified that the official folder C:\WINDOWS\system32\Macromed\Flash did, in fact, contain a file called NPSWF32.dll and that its properties showed it to be version 9.0.115.

I cleared the Firefox cache and restarted the browser. You could have knocked me over with a feather when the Adobe tester still showed that Firefox was using the old version 9.0.47 instead of the just-installed latest version, 9.0.115.

Determined not to be defeated by Adobe's incompetence at the simple task of installing and uninstalling its own software, I renamed the NPSWF32.dll in C:\Program Files\Mozilla Firefox\plugins\ to NPSWF32.DONTUSE.ME.dll, cleared the Firefox cache again and restarted the browser.

It was still using version 9.0.47!

This I truly did not expect. After all, I had uninstalled the Flash player, installed it successfully and renamed the file it might have been picking up by mistake. Despite all this, it kept using the old version. But from where? Can you guess?

Fortunately there was no need to guess. The excellent Process Explorer can display the DLLs loaded by any running process.

The Flash player DLL used by Firefox

A picture is worth a thousand words, so take a look at the screenshot of Process Explorer above. Despite renaming the NPSWF32.dll file and despite that it does not reside in the official folder, Firefox is still using it. Now I'm annoyed with Mozilla, too.

The next step was obviously to delete the NPSWF32.DONTUSE.ME.dll file, and, finally, this activated the new 9.0.115 version of the Flash player.

A parade of bugs

Let me wrap up by summarizing the virtual parade of bugs I ran into:

Adobe bug: Its uninstaller program did not uninstall the Flash player being used by Firefox. It missed the player used by both the normally installed copy of Firefox and by two portable versions of Firefox.

Secunia bug: Firefox was using an old buggy version of the Flash player, but its regular inspector didn't find any instance of Flash to report on, let alone object to.

Adobe and/or Mozilla bug: After successfully installing the new version of the Flash player, Firefox didn't use it.

Firefox bug: Loading a plug-in DLL despite its having the wrong name.

Firefox bug: There should be one and only one location that Firefox uses for plug-ins. The use of two folders for plug-ins fooled both Secunia and Adobe.

Not to mention the nine bugs in the Flash player that kicked off this endeavor. And not being able to use the Control Panel Add/Remove Programs applet in Windows XP to remove the Flash player. It works for everyone else; why not for Flash? All this is made even worse by the fact that Flash and Firefox are mature, popular products.

They don't make programmers like they used to.

Update: January 30, 2008. For more on this topic see A heads-up on the Adobe Flash player from January 26, 2008.

Update: January 6, 2008. There is yet another location that Firefox will pick up the Flash player from that the Adobe un-installer ignores. See Black eyes for Adobe.

Update: January 10, 2008. Based on this blog posting, Secunia is changing how their online inspector works. The below is from an email message from them to me:

By default the Secunia Online Software Inspector will only search default install directories; to our knowledge the default plug-in directory for Flash in Firefox has previously been: %ProgramFiles%\Mozilla Firefox\plugins
However, with a recent update they (Adobe or Firefox) changed the Firefox Flash plug-in directory to be: %SystemRoot%\SYSTEM32\Macromed\Flash
This is why a default inspector (non-thorough) wouldn't pick up any Flash files from the Firefox plug-in directory.
However, based on your findings we have chosen to re-insert the default Firefox plug-in directory again, so it should now pick up Flash plug-ins located in both directories.

Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.

* The full version numbers are 9.0.47.0 and 9.0.115.0 but I'm leaving out the last zero so your eyes don't glaze over and because it's not relevant to the point at hand. Adobe also uses commas in the version number instead of periods. I'm using periods here because that's the standard for version numbers.

See a summary of all my Defensive Computing postings.

November 6, 2007 9:30 PM PST

Restricting insecure applications

by Michael Horowitz
  • 3 comments

Back in August I wrote about a free security program for Windows XP called DropMyRights. It comes from a trusted source, requires no maintenance, and incurs no overhead.

DropMyRights works by front-ending an application. To use it with Internet Explorer, for example, you make a shortcut to DropMyRights and modify the shortcut to include the full path to the IE executable. When DropMyRights runs, it, in turn, invokes Internet Explorer. But, as the name implies, it first lowers the "rights" for IE. Thus, even if you are logged onto Windows XP as an Administrator, IE will run with the restricted rights of a limited user. Windows prevents restricted applications from doing a whole host of dangerous things, the most important of which are modifying the system itself and installing software.

For the ultimate in safety, you would, of course, log on to Windows as a restricted user in the first place. But, that brings along its own set of problems and has proven unworkable for many people. With DropMyRights, we try to hit a happy medium. Although logged onto Windows as an Administrator, we can run the most dangerous programs in restricted mode. But which applications should be run in restricted mode?

As a given, I suggested Web browsers (each one, if you have more than one installed), e-mail programs, and Microsoft Office. It turns out that two organizations publish lists of the most insecure applications. Let's go see.

Bit9

Over at ZDNet, Ryan Naraine recently mentioned a list, compiled by Bit9, of the most vulnerable (think buggy) Windows-based applications. Topping the list was Yahoo Messenger. Microsoft's own IM program, with the clumsy name Windows Live (MSN) Messenger, was fourth. If you use instant messaging, run your IM program with restricted rights.

I previously suggested QuickTime as an application that should be run in restricted mode. According to Bit9, it was the second most vulnerable application. As if to confirm this, Apple just released a new version of QuickTime with fixes to at least seven security-related bugs.

iTunes should be included in the list of restricted mode applications. Not only was it sixth on the Bit9 list, but it also invokes QuickTime.

Secunia

Secunia has its own list of the most insecure applications, based on data accumulated by its very useful Online Software Inspector. It even provides JavaScript so that you can display a dynamic version of the list on your own Web page. Rather than risk breaking a CNET publishing system I don't understand, I've posted a couple of Secunia lists on my personal site.

As of this writing, Secunia ranks the Adobe Acrobat Reader version 8 as the most insecure application on a percentage basis, looking at the last month. Adobe recently released a fix for a critical security problem; if you are not running version 8.1.1 of Acrobat you are at risk. Add the Acrobat Reader to the list of applications that should be run in restricted mode.

The Secunia list includes many instances of Flash, but Flash runs in the context of a Web browser, so if the browser is in restricted mode, so too is Flash. The same applies to Java, which as of this writing was second on the list.

Secunia also has a list of the most insecure applications based on the number of installations, rather than percentages. This list, however, doesn't turn up any new applications that need to run in restricted mode.

At this point, you have to wonder if the pain threshold of keeping Windows defended isn't higher than that of switching to another operating system. I haven't done much switching, so I don't have an opinion as yet, but it's always in the back of my mind.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
