Plugins with security vulnerabilities are optimal targets for hackers to exploit to take over a user’s computer. Keeping plugins up-to-date with the latest patches is critical to protecting and preserving your data. But what if there is no security patch? What should you do? Easy. Dump it, now!
Here are three plugins that fall into the red alert category and require immediate attention.
Apple QuickTime for Windows
Apple has announced that it is deprecating QuickTime for Windows and will no longer be providing security updates. The Zero Day Initiative (ZDI) disclosure policy comes into effect when a vendor does not release a security patch for a reported vulnerability. Security researchers at Trend Micro have already identified two security vulnerabilities in QuickTime. These vulnerabilities could allow a hacker to take control of computers running Windows. As a result, advisories from Trend Micro and the United States Computer Emergency Readiness Team (US-CERT) recommend uninstalling QuickTime for Windows as soon as possible.
Adobe Flash
Earlier this month, Adobe announced in their security bulletin the availability of an emergency patch for Adobe Flash for Windows, Mac OS, Linux and ChromeOS. This particular security vulnerability leaves a user’s computer vulnerable to CERBER ransomware. CERBER affects Flash-based advertising. If a user clicks the ad, CERBER encrypts the user’s files and demands a ransom of $500 to $1000 for the key. Windows 10 systems have been actively exploited.
This is the second security flaw discovered in the span of several weeks for this plugin. Mac users are asked to download the latest patch from the Adobe Flash Player Download Center. Users on Windows, Linux and ChromeOS should automatically receive the patch. For an additional preventive measure, enable the Click to Play feature in Adobe Flash. This ensures that Adobe Flash does not render in the browser unless the user gives specific permission.
Microsoft Silverlight
In March, a hacker took advantage of a recently patched copy of Microsoft Silverlight software to hack into the New York Times and BBC among others. These sites were used to serve malicious ads. The ads would then redirect users to a web page hosting the malware. The malware would look for a backdoor to the user’s computer where it would release a cryptolocker-type ransomware encrypting the user’s hard drive, and then demanding a ransom in bitcoin. Here’s the post we ran when this story broke.
Microsoft released a patch to fix the vulnerability in Silverlight installed on a Mac or Windows OS. This security issue gives a hacker the ability to execute code remotely when a user visits a compromised website. The user is brought to the site by clicking a link in an email or instant message.
Microsoft Silverlight updates automatically unless you have disabled the auto-update feature. There is a security update for Microsoft Silverlight available for Windows, Macintosh and Microsoft Windows Servers.
Staying Protected
It is important to ensure that any plugins used on a computer are up-to-date with security patches. News of security holes in plugins moves quickly in the hacker community, so it’s essential to respond just as quickly to plug vulnerabilities in your network that could compromise data or privacy. Many plugins have automatic update mechanisms in place to patch software and we’ll be looking at those soon. If a plugin is not used or no longer receiving security patches from the vendor then it’s definitely time to remove it. This is one way to ensure you are protected from advanced malware.
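To act on the advice above, the following PowerShell sketch lists any installed copies of the three plugins named in this post by reading the standard Windows uninstall registry keys. It is an added example, not part of the original post; the name patterns and the `$Watch` table are assumptions chosen for illustration.

```powershell
# Added example: inventory the three plugins named in this post on a Windows host.
# The name patterns and action text in $Watch are assumptions for illustration.
$Watch = [ordered]@{
    'QuickTime'   = 'Uninstall: no longer receives security updates on Windows'
    'Adobe Flash' = 'Apply the latest patch and enable Click to Play'
    'Silverlight' = 'Confirm auto-update is on and the security update is installed'
}

# Standard per-machine and per-user uninstall locations (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WatchedPlugin {
    param(
        [string[]]$Path = $UninstallKeys,
        [System.Collections.IDictionary]$Patterns = $Watch
    )

    # Keep only entries that expose a display name; missing keys are ignored.
    $entries = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($entry in $entries) {
        foreach ($name in $Patterns.Keys) {
            if ($entry.DisplayName -like "*$name*") {
                [pscustomobject]@{
                    Plugin    = $name
                    Installed = $entry.DisplayName
                    Version   = $entry.DisplayVersion
                    Publisher = $entry.Publisher
                    Action    = $Patterns[$name]
                }
            }
        }
    }
}

# The same product can be registered in more than one key, so de-duplicate.
$found = @(Get-WatchedPlugin | Sort-Object Plugin, Installed, Version -Unique)
if ($found.Count -eq 0) {
    Write-Output 'None of the watched plugins are registered as installed.'
} else {
    $found | Format-Table -AutoSize -Wrap
}
```

A Flash component bundled inside a browser does not appear in these registry keys, so check each browser's plugin settings separately.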