
Security Fix Pop Quiz, Reality-Show Style

It's been a while since we published our last Security Fix Pop Quiz, a periodic exercise to see whether you've updated your computer with the proper security updates.

Usually when we do these quizzes I focus on the latest updates for third-party software programs, patches designed to guard against attackers who try to install malicious software using known security holes in these widely-used applications.

This time around, however, I want to give readers more perspective about why applying these updates is so critical, by looking through the lens of the criminal masterminds behind "Grum," one of this year's largest spam botnets, or groupings of hacked Microsoft Windows PCs typically used to relay junk e-mail.

But what exactly is it that makes this malware family so successful? Put simply, it observes the old adage, "If at first you don't succeed, try, try again."

Indeed, Grum is incredibly tenacious: the Web sites its authors enlist to foist the bot program throw a veritable kitchen sink of no fewer than 10 browser and plug-in exploits at each visitor. If one fails, the visitor's browser is served the next, and so on until one succeeds or the list runs out.

Many of these exploits attack browser plug-in flaws that were patched months, if not years, ago. But it's important not to get too hung up on that point: the botmasters who control this network could add more recent exploits at any time, and adding one costs them little, since trying each exploit takes only a second or two, according to Alex Lanstein, a senior security researcher at Milpitas, Calif.-based security firm FireEye.

Also, while many of these exploits count on the visitor browsing with Internet Explorer, some may also work against users who stumble upon booby-trapped sites with Firefox or other browsers.
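
The cascade described above, seen from the defender's side: an added example (not code from the article or from FireEye) that scans a constructed proxy log for one client fetching several different plug-in exploit carriers (PDF, Flash, QuickTime, RealPlayer) from a single host within a few seconds, then checks whether a binary download followed, which is what a successful exploit looks like on the wire. The log format, the host names and the content-type table are assumptions made for the example.

```python
"""Detect the "try every exploit in turn" cascade in web proxy logs.

Added example: not code from the original article or from FireEye. The log
format, host names and sample lines below are constructed for illustration.
Heuristic: one client pulls several distinct exploit-carrier file types
(PDF, Flash, QuickTime, RealPlayer) from one host within a few seconds,
which is the "kitchen sink" behaviour the article describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Content types that carry plug-in exploits, mapped to the plug-in they target.
EXPLOIT_CARRIERS = {
    "application/pdf": "pdf",                  # Adobe Reader/Acrobat
    "application/x-shockwave-flash": "flash",  # Adobe Flash Player
    "video/quicktime": "quicktime",            # Apple QuickTime
    "audio/x-pn-realaudio": "realplayer",      # RealNetworks RealPlayer
}
# A raw binary fetched from the same host right after the cascade usually
# means one exploit worked and the bot installer is being pulled down.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample log: "timestamp client url status content-type"
SAMPLE_LOG = """\
2009-01-27T10:15:01 10.0.0.5 http://news.example/index.html 200 text/html
2009-01-27T10:15:02 10.0.0.5 http://ads.example/banner.js 200 application/javascript
2009-01-27T10:15:03 10.0.0.5 http://exploit.example/load.php?s=1 200 text/html
2009-01-27T10:15:04 10.0.0.5 http://exploit.example/doc.pdf 200 application/pdf
2009-01-27T10:15:04 10.0.0.5 http://exploit.example/play.swf 200 application/x-shockwave-flash
2009-01-27T10:15:05 10.0.0.5 http://exploit.example/clip.mov 200 video/quicktime
2009-01-27T10:15:06 10.0.0.5 http://exploit.example/bot.exe 200 application/octet-stream
2009-01-27T10:15:07 10.0.0.9 http://news.example/index.html 200 text/html
2009-01-27T10:16:30 10.0.0.9 http://cdn.example/trailer.mov 200 video/quicktime
2009-01-27T10:17:00 10.0.0.9 http://cdn.example/report.pdf 200 application/pdf
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, ctype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype,
        })
    return events


def find_exploit_cascades(events, window_seconds=10, min_kinds=3):
    """Return one alert per (client, host) pair that served at least
    `min_kinds` distinct exploit carriers within `window_seconds`."""
    hits = defaultdict(list)      # (client, host) -> [(time, carrier kind)]
    payloads = defaultdict(list)  # (client, host) -> [time of binary fetch]
    for ev in events:
        if ev["status"] != 200:
            continue
        key = (ev["client"], ev["host"])
        kind = EXPLOIT_CARRIERS.get(ev["ctype"])
        if kind is not None:
            hits[key].append((ev["time"], kind))
        elif ev["ctype"] in PAYLOAD_TYPES:
            payloads[key].append(ev["time"])

    alerts = []
    for key, seq in hits.items():
        seq.sort()
        best = None
        start = 0
        for end in range(len(seq)):  # sliding time window over the sorted hits
            while (seq[end][0] - seq[start][0]).total_seconds() > window_seconds:
                start += 1
            kinds = {k for _, k in seq[start:end + 1]}
            if len(kinds) >= min_kinds and (best is None or len(kinds) > len(best["kinds"])):
                best = {"client": key[0], "host": key[1], "kinds": kinds,
                        "first": seq[start][0], "last": seq[end][0]}
        if best is not None:
            # A binary from the same host shortly after the cascade: likely a hit.
            best["payload_followed"] = any(
                best["first"] <= t <= best["last"] + timedelta(seconds=window_seconds)
                for t in payloads.get(key, [])
            )
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_exploit_cascades(parse_log(SAMPLE_LOG)):
        print(a["client"], "<-", a["host"], sorted(a["kinds"]), "payload:", a["payload_followed"])
```

The second client in the sample pulls a QuickTime file and a PDF from the same CDN, but half a minute apart and only two kinds, so it stays below the threshold; tune `window_seconds` and `min_kinds` against your own baseline of legitimate media sites before alerting on this.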

Here is a look at some of the browser vulnerabilities Grum tries to exploit (in no particular order). Does your machine have the latest updates for these applications?

-RealNetworks RealPlayer ActiveX Flaw

-Yahoo! Messenger ActiveX Vulnerability

-Yahoo! Webcam image upload ActiveX Control

-WinZip 10 ActiveX flaw

-Adobe Flash Player security flaw in v.

-Adobe Reader/Acrobat PDF Vulnerability

-Apple QuickTime integer overflow vulnerability

-Microsoft Access Snapshot Viewer ActiveX Vulnerability

-Microsoft VML Overflow Exploit

-Zenturi ProgramChecker ActiveX control

It's no use trying to warn people about specific exploit sites, which change from day to day. All the bad guys need to do is embed a snippet of malicious code in a widely-viewed Web site or a cleverly placed banner ad. From that point on, the hacked page silently pulls the exploits from one of countless exploit sites, so the victim never has to visit a suspicious address.

It's also not terribly easy to tell when your system is infected with a bot program. Most bot programs -- once they get their hooks inside a host -- bury themselves deep down into the operating system, and usually disable or subvert security software on the victim's PC. That is why keeping your system current with the latest patches, so the exploit fails before the bot ever gets a foothold, is so critical.

Security Fix tries very hard to keep readers abreast of the latest security updates for widely-used applications, and of course updates for Windows and Mac operating systems. Another excellent resource for this information can be found in the free vulnerability scanning services offered by the security firm Secunia.
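
A way to answer the question the list above asks for every installed copy of a plug-in: an added example, not Secunia's scanner and not code from the article. The inventory format is constructed and the baseline versions are placeholders (the real fixed versions from the vendor advisories belong in `BASELINE`). It reports products the baseline does not know about, because an unscanned plug-in is not a safe one, and it checks each installed copy separately, so an older side-by-side install, such as a leftover Java runtime, still shows up next to the current one.

```python
"""Check a software inventory against a minimum-patched-version baseline.

Added example: this is not Secunia's scanner and not code from the article.
The inventory lines are constructed, and every version in BASELINE is a
placeholder, not the real fixed version of that product; replace them with
the values from the vendor advisories before relying on the result.
"""
import re
from itertools import zip_longest

# Hypothetical baseline: product -> lowest version treated as patched (placeholders).
BASELINE = {
    "Adobe Flash Player": "10.0.12",
    "Adobe Reader": "9.0",
    "Apple QuickTime": "7.6",
    "Sun Java": "6.0.110",
}

# Constructed inventory, one "product|version" per installed copy, as an
# Add/Remove Programs export might look. Note the two side-by-side Java copies.
SAMPLE_INVENTORY = """\
Adobe Flash Player|10.0.12.36
Adobe Reader|8.1.2
Apple QuickTime|7.6
Sun Java|6.0.110
Sun Java|5.0.160
WinZip|12.0
"""


def parse_version(s):
    """Split '10.0.12.36', '6.0_110' or '7.6' into integer components."""
    parts = re.split(r"[.\-_ ]+", s.strip())
    out = []
    for p in parts:
        m = re.match(r"\d+", p)
        out.append(int(m.group()) if m else 0)
    return out


def version_lt(a, b):
    """True if version a is strictly older than b; missing trailing parts count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def check_inventory(text, baseline=BASELINE):
    """Report every installed copy below baseline, plus products the baseline
    does not cover (unknown is not the same as safe)."""
    vulnerable, unknown = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        product, version = (part.strip() for part in line.split("|", 1))
        required = baseline.get(product)
        if required is None:
            unknown.append(product)
        elif version_lt(version, required):
            vulnerable.append((product, version, required))
    return {"vulnerable": vulnerable, "unknown": unknown}


if __name__ == "__main__":
    result = check_inventory(SAMPLE_INVENTORY)
    for product, installed, required in result["vulnerable"]:
        print(f"VULNERABLE {product} {installed} (need >= {required})")
    for product in result["unknown"]:
        print(f"UNKNOWN    {product} (not in baseline)")
```

Comparing versions as integer tuples rather than strings matters here: as plain strings "10.0.12" sorts before "9.0", which would mark a current Flash install as outdated and an old one as fine.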

By Brian Krebs  |  January 28, 2009; 11:13 AM ET
Categories:  Latest Warnings , New Patches , Safety Tips , Web Fraud 2.0  


The challenge of securing web browsers and their plug-ins is akin to securing an entire computer and the applications that run within it. I recommend a two pronged approach to dealing with the risks.

For the lack of authorization control within a web browser, which enables JavaScript from one browser tab to steal data from the session of another browser tab.

A successful exploit of a web browser can escape its confines and implant malware into the rest of the PC. So, look into security software that prevents the web browser or any other application from being used to harm the PC, such as AppGuard.

Posted by: eiverson1 | January 28, 2009 3:31 PM

I've been concerned about digital security on my pc ever since I heard about malware being attached to sites that I travel. Trying to get up to speed here. Found some useful information on and I hear they may be starting up their own blog soon to cover some issues out there.

Posted by: ThomasWhitney | January 28, 2009 4:48 PM

I would like to update Quicktime but it will no longer let me do so as a stand-alone but insists that I also MUST install iTunes. I don't want iTunes on this Win XP-Home laptop. Is there some other program I can add to Firefox to view Quicktime files? My family sends .mov files which I want to still be able to view.

Posted by: Eremita1 | January 28, 2009 4:58 PM

I don't have any of those apps installed to begin with, so no need to update them.

Posted by: macoafi | January 28, 2009 6:26 PM


No Adobe Flash? Now that's a surprise!

Posted by: featheredge9 | January 29, 2009 2:45 AM

Flash even has problems on Linux -- it can backdoor misconfigured screening routers. Shows what happens when there are no consequences for shoddy work: manufacturers won't bother to produce clean products.

Might be interesting to see what would happen if the users who don't apply patches or the companies who don't fix products were liable for the results of breakins. Might see an uptick in the number of patches that work getting applied.

Posted by: lembark | January 29, 2009 7:15 AM

Interesting: the java applet at

doesn't load into Opera. Probably has some specific tie-ins to Exploder; guess standards compliance isn't part of their security scan.

Posted by: lembark | January 29, 2009 7:20 AM

I notice that half of these things are ActiveX vulnerabilities - I specifically use Firefox to avoid all of these.

I hear talk from ordinary users about how security lockdowns are annoying in that people have become used to all sorts of 'features' which introduce vulnerabilities. Take away those 'features' and the users complain and then work to circumvent the security.

Posted by: ericy | January 29, 2009 7:58 AM

I followed your link to the free Secunia scan. That was an odd experience. While it turned up 3 vulnerabilities that are probably valid (in QuickTime, Macromedia Flash and Adobe Flash Player), it also listed as missing (in duplicate) 6 IE7 patches that are already installed on my system, and it listed a couple of other apps in 2 places- once as okay, and once as "vulnerable".
Not very confidence-inspiring.

Posted by: MayFran | January 29, 2009 8:24 AM

Not sure how many users are aware that older versions of Sun Java were not removed when a newer version was installed. Sun states that they will incorporate old version removal with future installs of new versions. Time will tell. If you use the Secunia scanning service you may see these older versions of Java that are vulnerable. You can go to Add/Remove Programs and remove the old versions. Then you run the Secunia scanning service again to check for any possible remaining vulnerabilities.

Posted by: g0th52 | January 30, 2009 7:14 PM

@lembark: The online version of the Secunia software scan works in Firefox--though I sometimes have to click on the button that starts the scan a couple of times before the scan will start up.

We use Firefox as our primary browser, and Opera for sites that won't load on Firefox. We've only found one site we use regularly that won't load on either of those browsers.

Posted by: Heron | January 31, 2009 2:29 PM

By the way, BK, thanks for pointing out the "RELATED LINKS" box on the sidebar with guides to computer security basics. Till then, I didn't know it was there.

I wonder if you'd get fewer questions like "What can I do to keep my computer as safe as possible?" from newer "Security Fix" readers if that box were located in the main body of the blog's start page, rather than on the sidebar and in a location readers have to scroll down to see. I hope that'll be a part of the redesign you mentioned.

Posted by: Heron | January 31, 2009 2:37 PM

© 2010 The Washington Post Company