Monday, February 22, 2010

Surfing (a little more) Securely

Brian Krebs has an interesting post up about a new research effort that is trying to stop drive-by downloads; i.e., malware so called because it gets jammed onto your computer merely by virtue of your having visited an infected website. This is becoming a fairly serious problem, especially for Windows users.

Brian highlights an important new wrinkle: now that browsers are pretty well secured, especially in light of the automatic updating process featured by the likes of Firefox and Chrome, the bad guys are focusing much more on security holes in browser plugins. Three of the most commonly exploited are Adobe Flash, Adobe Reader, and Sun's Java. The fourth most commonly exploited application is Internet Explorer itself.

Building on Brian's post, I thought I'd gather up a few links that may be of use. Here is a terse outline:

  1. Adobe Flash: check version | download latest
  2. Adobe Reader: download latest
  3. Sun's Java: check version | download latest
  4. Internet Explorer: Keep up with Microsoft patches
  5. And more ...

Expanding on the above:

  1. Adobe Flash: The latest version, as of this posting, is Visit this page to check what version you have installed. If you have anything lower, click the Player Download Center link (right on that same page, also) to get the latest version.

    Two things to be aware of:
    1. You must update Flash separately two times: once using Internet Explorer, and once using Firefox (or Chrome, Safari, Opera, etc.). All of the latter are covered by the same update process, but for reasons beyond my understanding, IE is not.

    2. Adobe will attempt to get you to add something along with the Flash update, such as a browser toolbar or a "McAfee Security Scan Plus." Uncheck the appropriate box before installing the new version of Flash, if you don't want the shovelware.

  2. Adobe Reader: The latest version is 9.3. Use the menu choice Help → About to check what version you have. Visit this page to get the latest version of Adobe Reader.

    Note: If your usage patterns are like mine, you might uninstall Adobe Reader completely and install the free alternative, Foxit Reader, instead. As far as I can tell, it does a perfectly satisfactory job rendering PDF files. It also is faster to launch (as a standalone program), and as a plugin, it has gotten considerably better since I first started recommending it. There may be a security benefit here as well -- it is less of a target for exploits, since it is less heavily used.

  3. Sun's Java: The first thing to do here is to remind you that Java is not the same thing as JavaScript. You pretty much can't live on the Web these days without the latter; you might well be able to without the former. (More on that starting here.)

    That aside, version 6 update 18 is the latest Java, as of this writing. Visit this page to check your version; visit here to download the latest, if necessary.

  4. Internet Explorer: As mentioned above, IE is itself a common application for the creators of drive-by downloads to exploit. The first thing to say is this: if you're still using IE version 6, don't. Second, if you're on to version 7 or 8 (and you insist on using IE over other browsers), make sure you're keeping up with the patches Microsoft pushes out. Visit to check by hand, and unless you have a very good reason not to, make sure that you have Windows Updates set to automatic. Though Microsoft generally releases fixes for security holes only monthly (on Patch Tuesday), they have released a few out-of-band fixes lately, when the problems are deemed severe enough.

    And, to repeat, unless you're compelled to use IE (on a work computer, perhaps), give Firefox, or Chrome, or one of the others a try.

  5. Mozilla plugin check: If you use Firefox, some of your plugins will be checked automatically. For a more comprehensive test, visit Mozilla's plugin check page.

  6. More Adobe: Visit here to find the latest versions and more information if you use other Adobe plugins.

If you would like me to elaborate further upon any of the above, please don't hesitate to ask.
