Hi Folks,
Here is something I never thought of and it is pretty hot according to
this article. I have always preached - keep your Windows up to date,
but I never thought about the browser plugins.
Media players more dangerous than Windows
By Scott Dunn
Windows users face the greatest security risks today not from
flaws in Windows itself but from unpatched media
players.
That's because many Windows Secrets readers, according
to an online test we sponsored, are running versions of Flash, Java, and
QuickTime that are unpatched against the latest security
threats.
Readers' systems are rife with outdated add-ons
In two of our
recent issues, subscribers to the paid version of the Windows Secrets
Newsletter were asked to scan their computers using the Software
Inspector, a service of Secunia.com. The scan reveals versions of Windows
and builds of applications that have security flaws for which a vendor
patch is available.
Contributing editor Ryan Russell, whose columns
appeared in the July 26 and Aug. 9 issues of the newsletter, described how we
affiliated with Secunia.com, a respected security firm that conducts the
tests. We've found that Secunia's service provides such important
information that we want all of our free subscribers to take the test as
well. A link to the test is provided near the end of this
article.
The tests of our paid subscribers showed which
applications are the most likely to be installed but unpatched on users'
PCs. In the following list, number 1 represents the unpatched application
that was found on the greatest number of readers' machines, with higher
numbers representing fewer machines:
1. Adobe Flash Player 9.x
2. Sun Java JRE 1.6.x/6.x
3. Macromedia Flash Player 6.x
4. Macromedia Flash Player 8.x
5. Macromedia Flash Player 7.x
6. Apple QuickTime 7.x
7. Macromedia Flash Player 5.x
8. Mozilla Firefox 2.0.x
9. Macromedia Flash Player 4.x
10. Adobe Reader 7.x
All of these applications are media players, browser
plug-ins that play media files, or a browser itself (i.e., Firefox). All
of these programs can be attacked across the Internet - for example, if
you play an infected Flash video you find on a Web site or that you
received via e-mail. Consequently, using an older version of these programs
poses a real security risk.
Indeed, it isn't hard to find reports
of security holes for any of these applications. Numerous public
advisories describe serious flaws in Adobe Flash Player, Sun Java, Apple
QuickTime, Mozilla Firefox, and Adobe Reader - all of which should be
updated at least monthly by users. I found warnings about these five
programs from, respectively, US-CERT, Australia CERT, Apple, Mozilla, and Adobe.
Windows Secrets readers appear to
be conscientious about keeping Windows itself patched. No version of
Windows appeared in any of the top 10 lists that Secunia provided to us.
Perhaps because of this, hackers have turned to applications that allow
Trojan horses to silently infect PCs. Now we all need to learn to keep our
add-ins updated, too.
Keep your Web tools up to date
Fortunately, all
of the applications mentioned above support automatic updating. In
addition, they allow you to choose to update them manually, if you prefer
to run monthly updates on your own. Here are the steps to take to update
each program:
To update Adobe Flash Player:
The
update settings for Adobe Flash Player are stored on your computer but are
accessed via the Web.
Step 1. Launch a Web browser and
navigate to the Global Notification panel of the Settings Manager using
this Macromedia link.
Step 2. Use the
checkbox to turn automatic updating on (checked) or off (unchecked).
Configure the drop-down list to determine how frequently the program will
check for updates.
If you prefer to update the Flash Player
manually, you'll need to visit Adobe's download page periodically.
To update Sun Java:
Step 1. In the Windows Control Panel, launch
the Java applet. You can also right-click the Java icon in the Taskbar
tray and choose Open Control Panel.
Step 2. Click the Update
tab. Use the controls there to customize the update notification. Click
OK.
If you prefer to update Java manually, uncheck the box for
automatic updating. Then return to this dialog box periodically and click
Update Now at the bottom of the Update tab.
To update Apple QuickTime:
Step 1. In the Windows Control Panel, launch
the QuickTime applet. You can also right-click the QuickTime icon in the
Taskbar tray and choose QuickTime Preferences or Check for QuickTime
Updates.
Step 2. If necessary, click the Update tab. Use the
checkbox to determine whether the software checks for updates
automatically. Click OK.
If you prefer to update QuickTime
manually, uncheck the box for automatic updating. Then return to this
dialog box periodically and click the Update button. If an update is
found, click OK to proceed.
To update Mozilla Firefox:
Step 1. In Firefox, choose Tools,
Options.
Step 2. Click the Update tab. Use the Firefox
checkbox to set your preference for automatic updating. When checked, it
enables additional options for customizing how updates occur. Click
OK.
If you prefer to update Firefox manually, uncheck the Firefox
box in this dialog box. Then periodically choose Help, Check for
Updates.
To update Adobe Reader:
Step 1. In
Adobe Reader, choose Help, Check for Updates.
Step 2. If the
dialog title reads simply "Adobe Updater," click
Preferences.
Step 3. Use the controls in the Adobe Updater
Preferences dialog box to customize update notification. Click OK.
Use the Software Inspector on your own PC
Now it's time to
check your own system using the free Software Inspector at Secunia.com.
This online utility requires Java to run, so you should use the Java
update procedure described above to make sure you have the latest version
of Java before proceeding.
If you use the special link shown here,
Secunia.com will provide the Windows Secrets Newsletter with aggregate
information about which applications are the most nonupdated among our
free readers. We'll publish the results in a future issue. However,
Secunia.com does not ask for and will not provide us with any personal
information whatsoever.
Use this link to test your PC with Software
Inspector
What it does: This scan will find
software (including the operating system) with known security flaws for
which patches exist. The on-screen report lists your updated apps (with a
green checkmark) and nonupdated apps (with a red X). If you have multiple
copies of a single application installed, the report will list each
version. Click the "+" icon to the left of each item for more information,
including the specific path to each file.
What it doesn't
do: Software Inspector does not flag applications for which no update
exists. Consequently, you may still have applications with security holes
that aren't mentioned in the report. In addition, the program can't detect
any workarounds you may have put in place to avoid security problems with
existing applications.
What should you do if the scan finds
multiple versions of software? That depends. Sometimes older versions
represent a security risk to your system. But in some cases (such as
Java), you may need an older version to keep other application software
running properly.
Before doing anything, make a backup of your
system, or at least create a restore point using System Restore. (To do
this in XP and later, choose Start, All Programs, Accessories, System
Tools, System Restore, and follow the instructions there.) That gives you
a chance to get back to your former state if removing old software causes
problems.
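An added example, not part of the original article and not how Software Inspector itself works: a read-only PowerShell inventory of the add-ons named in the top-10 list, useful for spotting the side-by-side copies discussed above. It assumes the programs registered themselves under the standard Windows Uninstall registry keys, and the name patterns are assumptions taken from the article's list; it reports what is installed, not whether a given version is patched.

```powershell
# Added example: list installed copies of the add-ons named in the article.
# Read-only: it queries the registry and changes nothing on the system.

# Name patterns are assumptions based on the article's top-10 list.
# 'Java' is a broad match; review the hits before acting on them.
$patterns = 'Flash Player', 'Java', 'QuickTime', 'Firefox', 'Adobe Reader'

# Standard per-machine (64-bit and 32-bit views) and per-user Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AddOnInventory {
    param([string[]]$NamePatterns = $patterns)

    # Build one case-insensitive regex from the literal product names.
    $regex = ($NamePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Keys that do not exist (e.g. WOW6432Node on 32-bit Windows) are skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $regex } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Sort-Object DisplayName, DisplayVersion -Unique
}

$inventory = @(Get-AddOnInventory)

# Summarise per product family so multiple installed versions stand out.
$report = foreach ($p in $patterns) {
    $hits = @($inventory | Where-Object { $_.DisplayName -match [regex]::Escape($p) })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Product  = $p
            Copies   = $hits.Count
            Versions = ($hits.DisplayVersion | Sort-Object -Unique) -join ', '
        }
    }
}

$report    | Format-Table -AutoSize   # one row per product family
$inventory | Format-List              # full detail, including install path
```

Plug-in files copied into place without an installer will not appear here, so an empty result does not prove that no old copy exists on disk.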
Secunia's Software Inspector is especially valuable for
those of us who prefer to use manual updating, rather than letting
programs check and download patches automatically. The scan not only tells
you what updates to look for, but it checks all your software in a single
step without having to use each application's update feature one at a
time.
Your most difficult task will be remembering to use Software
Inspector periodically. To automate that chore, click the reminder
service link on the Software Inspector page. This will send you an
e-mail notification every time a new update or version is
available.
It's disturbing that, even when Windows is fully
patched, our application software can represent an even greater
vulnerability. To reduce your risk, consider running Software Inspector
once a month, just after you've installed the Windows patches that
Microsoft typically releases on Patch Tuesday (the 2nd Tuesday of the
month).
Scott Dunn is
associate editor of the Windows Secrets Newsletter. He is also a
contributing editor of PC World Magazine, where he has written a monthly
column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with
Jesse Berst and Charles Bermant.
More Next Friday, Chuckstr