Media players more dangerous than Windows
By Scott Dunn
Windows users face the greatest security risks today not from flaws in Windows itself but from unpatched media players.
That's because many Windows Secrets readers, according to an online test we sponsored, are running versions of Flash, Java, and QuickTime that are unpatched against the latest security threats.
Readers' systems are rife with outdated add-ons
In two of our recent issues, subscribers to the paid version of the Windows Secrets Newsletter were asked to scan their computers using the Software Inspector, a service of Secunia.com. The scan reveals versions of Windows and builds of applications that have security flaws for which a vendor patch is available.
Contributing editor Ryan Russell, whose columns appeared in the July 26 and Aug. 9 issues of the newsletter, described how we affiliated with Secunia.com, a respected security firm that conducts the tests. We've found that Secunia's service provides such important information that we want all of our free subscribers to take the test as well. A link to the test is provided near the end of this article.
The tests of our paid subscribers showed which applications are the most likely to be installed but unpatched on users' PCs. In the following list, number 1 represents the unpatched application that was found on the greatest number of readers' machines, with higher numbers representing fewer machines:
1. Adobe Flash Player 9.x
2. Sun Java JRE 1.6.x/6.x
3. Macromedia Flash Player 6.x
4. Macromedia Flash Player 8.x
5. Macromedia Flash Player 7.x
6. Apple QuickTime 7.x
7. Macromedia Flash Player 5.x
8. Mozilla Firefox 2.0.x
9. Macromedia Flash Player 4.x
10. Adobe Reader 7.x
All of these applications are media players, browser plug-ins that play media files, or a browser itself (i.e., Firefox). All of these programs can be attacked across the Internet — for example, if you play an infected Flash video you find on a Web site or that you received via e-mail. Consequently, using an older version of any of these programs poses a real security risk.
Indeed, it isn't hard to find reports of security holes for any of these applications. Numerous public advisories describe serious flaws in Adobe Flash Player, Sun Java, Apple QuickTime, Mozilla Firefox, and Adobe Reader — all of which should be updated at least monthly by users. I found warnings about these five programs from, respectively, US-CERT, Australia CERT, Apple, Mozilla, and Adobe.
Windows Secrets readers appear to be conscientious about keeping Windows itself patched. No version of Windows appeared in any of the top 10 lists that Secunia provided to us. Perhaps because of this, hackers have turned to applications that allow Trojan horses to silently infect PCs. Now we all need to learn to keep our add-ins updated, too.
Keep your Web tools up to date
Fortunately, all of the applications mentioned above support automatic updating. In addition, they allow you to choose to update them manually, if you prefer to run monthly updates on your own. Here are the steps to take to update each program:
To update Adobe Flash Player:
The update settings for Adobe Flash Player are stored on your computer but are accessed via the Web.
Step 1. Launch a Web browser and navigate to the Global Notification panel of the Settings Manager using this Macromedia link.
Step 2. Use the checkbox to turn automatic updating on (checked) or off (unchecked). Configure the drop-down list to determine how frequently the program will check for updates.
If you prefer to update the Flash Player manually, you'll need to visit Adobe's download page periodically.
To update Sun Java:
Step 1. In the Windows Control Panel, launch the Java applet. You can also right-click the Java icon in the Taskbar tray and choose Open Control Panel.
Step 2. Click the Update tab. Use the controls there to customize the update notification. Click OK.
If you prefer to update Java manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click Update Now at the bottom of the Update tab.
To update Apple QuickTime:
Step 1. In the Windows Control Panel, launch the QuickTime applet. You can also right-click the QuickTime icon in the Taskbar tray and choose QuickTime Preferences or Check for QuickTime Updates.
Step 2. If necessary, click the Update tab. Use the checkbox to determine whether the software checks for updates automatically. Click OK.
If you prefer to update QuickTime manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click the Update button. If an update is found, click OK to proceed.
To update Mozilla Firefox:
Step 1. In Firefox, choose Tools, Options.
Step 2. Click the Update tab. Use the Firefox checkbox to set your preference for automatic updating. When checked, it enables additional options for customizing how updates occur. Click OK.
If you prefer to update Firefox manually, uncheck the Firefox box in this dialog box. Then periodically choose Help, Check for Updates.
To update Adobe Reader:
Step 1. In Adobe Reader, choose Help, Check for Updates.
Step 2. If the dialog title reads simply "Adobe Updater," click Preferences.
Step 3. Use the controls in the Adobe Updater Preferences dialog box to customize update notification. Click OK.
Use the Software Inspector on your own PC
Now it's time to check your own system using the free Software Inspector at Secunia.com. This online utility requires Java to run, so you should use the Java update procedure described above to make sure you have the latest version of Java before proceeding.
If you use the special link shown here, Secunia.com will provide the Windows Secrets Newsletter with aggregate information about which applications are most often left unpatched among our free readers. We'll publish the results in a future issue. However, Secunia.com does not ask for and will not provide us with any personal information whatsoever.
Use this link to test your PC with Software Inspector
What it does: This scan will find software (including the operating system) with known security flaws for which patches exist. The on-screen report lists your up-to-date apps (with a green checkmark) and out-of-date apps (with a red X). If you have multiple copies of a single application installed, the report will list each version. Click the "+" icon to the left of each item for more information, including the specific path to each file.
What it doesn't do: Software Inspector does not flag applications for which no update exists. Consequently, you may still have applications with security holes that aren't mentioned in the report. In addition, the program can't detect any workarounds you may have put in place to avoid security problems with existing applications.
What should you do if the scan finds multiple versions of software? That depends. Sometimes older versions represent a security risk to your system. But in some cases (such as Java), you may need an older version to keep other application software running properly.
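As an added illustration of the scan logic described above (example code, not Secunia's): a small Python model of an inspector that compares each installed build against a table of patched versions, reports every installed copy separately, leaves applications with no available patch unflagged, and aggregates per-PC results into a ranking like the top-10 list earlier in this article. The PATCHED_IN versions, the sample inventory, and the file paths are constructed placeholders, not real advisory data.

```python
from collections import Counter

def parse_version(text):
    """'9.0.47.0' or '9,0,47,0' -> (9, 0, 47, 0); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.replace(",", ".").split("."))

def is_at_least(installed, required):
    """Numeric, zero-padded compare: '9.0.115' beats '9.0.47' and '7.3' equals '7.3.0'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

# Constructed advisory table with placeholder versions (not real advisories):
# app -> first build carrying the vendor patch, or None when no patch exists yet.
PATCHED_IN = {
    "Adobe Flash Player": "9.0.115.0",
    "Sun Java JRE": "1.6.0.3",
    "Apple QuickTime": "7.3",
    "Example Utility": None,
}

def inspect(inventory):
    """inventory: list of (app, version, path) for one PC. Returns one
    (app, version, path, status) per installed copy, so a stale second copy is reported."""
    report = []
    for app, version, path in inventory:
        fixed_in = PATCHED_IN.get(app)
        if fixed_in is None:
            status = "not flagged"   # unknown app, or no patch to recommend yet
        elif is_at_least(version, fixed_in):
            status = "patched"       # green check mark in the on-screen report
        else:
            status = "insecure"      # red X
        report.append((app, version, path, status))
    return report

def rank_insecure(reports):
    """Rank apps by how many PCs have an insecure copy (each app counts once per PC)."""
    counter = Counter()
    for report in reports:
        counter.update({app for app, _, _, status in report if status == "insecure"})
    return counter.most_common()

# Constructed inventory for one PC; paths are placeholders.
SAMPLE_PC = [
    ("Adobe Flash Player", "9,0,47,0", r"C:\placeholder\flash\copy1"),
    ("Adobe Flash Player", "9.0.115.0", r"C:\placeholder\flash\copy2"),
    ("Sun Java JRE", "1.6.0.2", r"C:\placeholder\java\bin\java.exe"),
    ("Apple QuickTime", "7.3.0", r"C:\placeholder\quicktime\player.exe"),
    ("Example Utility", "1.0", r"C:\placeholder\example\util.exe"),
]
```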
Before doing anything, make a backup of your system, or at least create a restore point using System Restore. (To do this in XP and later, choose Start, All Programs, Accessories, System Tools, System Restore, and follow the instructions there.) That gives you a chance to get back to your former state if removing old software causes problems.
Secunia's Software Inspector is especially valuable for those of us who prefer to use manual updating, rather than letting programs check and download patches automatically. The scan not only tells you what updates to look for, but it checks all your software in a single step without having to use each application's update feature one at a time.
Your most difficult task will be remembering to use Software Inspector periodically. To automate that chore, click the reminder service link on the Software Inspector page. This will send you an e-mail notification every time a new update or version is available.
It's disturbing that, even when Windows is fully patched, our application software can represent an even greater vulnerability. To reduce your risk, consider running Software Inspector once a month, just after you've installed the Windows patches that Microsoft typically releases on Patch Tuesday (the second Tuesday of the month).
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.