Forum Thread: Secure Browsing nits

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as resolved.
hirectuvaw Secure Browsing nits
Member 8th Jan, 2011 16:46
Ranking: 1
Posts: 9
User Since: 13th Sep, 2010
System Score: N/A
Location: US
I think I have the latest (2.0) psi, running on win 7 x64.

My "Secure Browsing" says that all my browsers might load the VLC plug-in which is insecure. I've uninstalled and reinstalled VLC without the plug-in, and checked the add-on settings in the browsers. None of them is set to use a VLC plug-in for any content-type, as far as I can see. (This is the mitigation cited in the Secunia Advisory.) Yet PSI continues to say that they are susceptible. I don't see a way to get it to re-scan for browser security without re-scanning the entire machine, but this has been going on long enough that it should have re-scanned automatically a few times.

I also notice that the advisory is for the Mozilla/Firefox plugin, but PSI lists the VLC plugin as a risk factor for IE also. Does IE really use the Firefox plugin?

And, as others have reported, PSI doesn't seem to realize that "Chrome 9.0.597.19 beta" is a browser, so it isn't listed.

Post "RE: Secure Browsing nits" has been selected as an answer.
Maurice Joyce RE: Secure Browsing nits
Handling Contributor 8th Jan, 2011 18:18
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Is VLC showing as secure in the Patched section?

PSI will not show Google in BETA nor any other BETA programmes. More details here:

http://secunia.com/products/consumer/PSI/faq/#q7

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+1
-0
hirectuvaw RE: Secure Browsing nits
Member 8th Jan, 2011 20:30
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
Yes, VLC is the latest version. It turns out that the latest available version of the browser plugin is what is not secure, and (as I mentioned) the mitigation for the browser bug is to disable the VLC browser plugin. So having the latest VLC version installed (which I do) is not a factor in this question.

I suppose there is some value in excluding beta versions ... except that Google tends to keep things in beta long after most folks have switched to using it all the time, and there are security advisories on beta versions.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Secure Browsing nits
Handling Contributor 8th Jan, 2011 20:47
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
VLC being secure in the Patched section is indeed relevant. That gives the average user the all clear to use it.

The secure browsing tab is for advanced users who, having read the advice from Secunia, should be able to decide what action to take.

In your case you appear to have nullified the plug-in(s), which is OK.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
hirectuvaw RE: Secure Browsing nits
Member 8th Jan, 2011 21:57
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
Thanks for confirming that I had taken the correct action.

My point remains that PSI still claims that Firefox, as well as IE, are unsafe for browsing because they load the plug-in, when in fact they do not.

Even Advanced users should be able to depend on accurate information from a program like this.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Secure Browsing nits
Handling Contributor 8th Jan, 2011 22:03
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I do not use VLC so cannot comment on that aspect or whether it really means an ActiveX or is a total error in reporting.

Good idea to leave this thread open for Secunia Support to comment on Monday.

I think their reply will be of interest to others. Many appear to use this programme.

Have a nice weekend. Sorry I cannot help further.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+0
-0
This user no longer exists RE: Secure Browsing nits
Member 10th Jan, 2011 13:37
Hi,

That the PSI shows a plugin tied to a certain browser on the secure browsing page does not necessarily mean that the plugin for that browser is installed.

However, there are several other issues with browser plugins, which are the reason the PSI currently shows results the way it does.

When a program such as VLC is installed, browser-plugin or just the desktop version, it frequently associates itself with several filetypes.
So it is possible that the browser could run the program anyway, if you, for example, opened a filetype that is associated with the program.

Hope this clarifies matters.
Was this reply relevant?
+0
-0
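The support reply above distinguishes two things: whether the plug-in the advisory names is actually registered with the browser, and whether VLC is merely the registered handler for some file types (so a browser could still hand a downloaded file to it). The following PowerShell audit, added here as an example and not code from the thread or from Secunia, checks both on a Windows machine, plus the ActiveX registration an IE-side report might refer to. It assumes the standard registration points: Mozilla NPAPI plug-ins under `SOFTWARE\MozillaPlugins`, the VLC NPAPI DLL named `npvlc.dll`, the VLC ActiveX control named `axvlc.dll`, and file associations under `HKEY_CLASSES_ROOT`; the `Get-VlcBrowserExposure` function name is my own.

```powershell
# Added example (not from the thread or from Secunia): list the ways a browser on
# this machine could reach VLC, separating "plug-in registered" (the advisory's
# precondition) from "VLC is the default handler for a file type" (the situation
# the support reply describes). Run in an elevated PowerShell.
# Assumptions: DLL names npvlc.dll / axvlc.dll and the registry locations below.

function Get-VlcBrowserExposure {
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. NPAPI registration: Firefox discovers plug-ins through
    #    HKLM/HKCU\SOFTWARE\MozillaPlugins\<id>\Path. An entry pointing at
    #    npvlc.dll means the Mozilla plug-in is installed, whatever the
    #    add-ons manager currently shows as enabled or disabled.
    $mozillaKeys = @(
        'HKLM:\SOFTWARE\MozillaPlugins',
        'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins',
        'HKCU:\SOFTWARE\MozillaPlugins'
    )
    foreach ($key in $mozillaKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $path = (Get-ItemProperty $sub.PSPath).Path
            if ($path -and $path -match 'npvlc\.dll') {
                $hits.Add([pscustomobject]@{
                    Mechanism = 'NPAPI (Firefox)'; Where = $sub.PSChildName
                    Target = $path; FileExists = (Test-Path $path)
                })
            }
        }
    }

    # 2. ActiveX registration: this is what IE would load, not the Mozilla
    #    plug-in. Search every CLSID's InprocServer32 for axvlc.dll (slow, but
    #    it is the authoritative place to look).
    foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $srv = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path $srv)) { continue }
        $dll = (Get-ItemProperty $srv).'(default)'
        if ($dll -and $dll -match 'axvlc\.dll') {
            $hits.Add([pscustomobject]@{
                Mechanism = 'ActiveX (IE)'; Where = $clsid.PSChildName
                Target = $dll; FileExists = (Test-Path $dll)
            })
        }
    }

    # 3. File associations: for each HKCR\.ext the default value is a ProgId,
    #    and HKCR\<ProgId>\shell\open\command says what runs on open. A VLC
    #    command here is the "browser could run the program anyway" case.
    foreach ($ext in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSChildName -like '.*' }) {
        $progId = (Get-ItemProperty $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (-not (Test-Path $cmdKey)) { continue }
        $cmd = (Get-ItemProperty $cmdKey).'(default)'
        if ($cmd -and $cmd -match 'vlc') {
            $hits.Add([pscustomobject]@{
                Mechanism = 'File association'; Where = $ext.PSChildName
                Target = $cmd; FileExists = $null
            })
        }
    }
    return $hits
}

$exposure = Get-VlcBrowserExposure
if ($exposure.Count -eq 0) {
    'No VLC NPAPI plug-in, ActiveX control or VLC file association is registered.'
} else {
    $exposure | Sort-Object Mechanism, Where | Format-Table -AutoSize
}
```

Reading the output: rows tagged `NPAPI (Firefox)` are the only ones that match the advisory's stated precondition; `File association` rows with no NPAPI or ActiveX rows correspond to the situation the support reply describes, where the browser itself loads nothing but could launch VLC as an external handler. One caveat: on Windows 7 and later, a per-user choice under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice` overrides the `HKEY_CLASSES_ROOT` default, so a VLC association listed here may not be the effective one for the logged-in user.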
hirectuvaw RE: Secure Browsing nits
Member 10th Jan, 2011 17:36
Score: 1
Posts: 9
User Since: 13th Sep 2010
System Score: N/A
Location: US
That explains what Secunia is doing, but I'm not convinced.

To quote from the "Secunia Advisory SA41810", cited on the "Secure Browsing" page: "Successful exploitation requires that the 'VLC Multimedia Plug-in' for Mozilla is installed (not installed by default)." The mitigation cited is to remove or not install the plug-in.

So what you are saying is "there is a security advisory about a plug-in (DLL) for VLC, so we will declare all browsers on the machine insecure for browsing, even if the DLL is not installed, and even if the DLL (if it were installed) is not designed for the other browsers, on the off chance that when a particular file-type is loaded from the internet, VLC might get called and might use the DLL that is not installed, even if the other VLC files are not subject to this security advisory."

I understand "belt and suspenders" security, but isn't that a bit extreme?

By the way, I have my browsers set to save most multimedia files, rather than use an embedded player - including PDFs. That way I control where they get saved and which player or reader I use, or even whether I open them at all. I realize some of those players reset my preferences (sigh), so it would be really helpful if PSI would notify me that the browser is configured to use a plugin that is insecure. But to notify me that there is a chance the browser might use a plugin that is not installed -- that just induces unnecessary paranoia (IMHO). When I see the notification, to feel secure, I need to check the mitigation listed in the advisory (don't install the plug-in, or disable it), make sure the plug-in is not installed (it's not) and make sure the browser is still configured not to use the embedded plug-in (it's not). What's frustrating is that even when I have completed the mitigation activities cited in the advisory, PSI still says all my browsers are insecure because of this advisory.
Was this reply relevant?
+0
-0

This thread has been marked as locked.