Web browser plug-ins: security with a good user experience

Hi,

I found many cases where software publishers provide default settings that sacrifice user security (against viruses, spyware, tracking, etc.) for the following reasons:

  1. to increase the speed of their software at the expense of overall system speed
  2. to support features desired by their sponsors
  3. to avoid the support expense for incompatibility complaints by users who won’t read about the settings.

The following information may be helpful to you to improve your security and system performance.

A little background… My non-technical spouse had a great desire to surf and shop at most any site (except porn). I had security concerns about using commercial sites, but I decided to learn how to make our PC secure instead of restricting her usage or trying to come up with a complex set of user behavior rules. I tried various security products and computer policies. We found that only minimal site-specific settings were tolerable. We also found that supporting the popular browser plug-ins is necessary to have a good user experience with commercial sites. We have not had a single problem with a crash, virus or spyware since we first got a PC nine years ago. Today, we feel free to surf any non-porn site and shop at any third-party-verified commercial site. We use Internet Explorer for two sites and Firefox with the Adblock Plus extension for all the rest. We are comfortable and familiar with temporarily disabling Adblock when a new site doesn’t seem to work or when checking out from an online shopping cart, and we are comfortable and familiar with the following site-specific settings:

  1. Firefox is configured to normally allow non-third-party cookies until Firefox closes. Exceptions are frequent sites where we want to avoid logging in after restarting Firefox.
  2. We configure Adblock Plus to be disabled on a few frequent sites where important features will not otherwise work.
  3. I allow one banking site to store data in Flash (see below) to avoid a time-consuming challenge question when logging in.

I use the following web browser plug-ins: Adobe Reader, Adobe Flash Player, Adobe Shockwave Player, Apple’s QuickTime, RealPlayer and Sun’s Java. I don’t associate Windows Media Player with any media types since QuickTime and RealPlayer play its proprietary formats, and it is more likely to be hacked because Windows PCs come with it preloaded. These plug-ins are updated every few months to patch security flaws. After releasing an update, the publisher publicly documents the security flaws of the previous version. The odds then greatly increase that hackers will utilize these security flaws. So it is important to keep plug-ins up to date.

With the default settings, most plug-ins automatically check for updates, and many will automatically update also. I prefer to manually check for updates, about once a week, for the following reasons:

  1. An automatic update sometimes crashes the system due to incompatibility with other open applications.
  2. I prefer to back up the system before updates in case the update fails or creates compatibility problems.
  3. Some automatic updates fail when initiated while using a limited account.
  4. Some plug-ins return to default settings (with security flaws) after update, so I only update when I have time to fix the settings.
  5. Automatic checks and updates can greatly slow down the system at the most inconvenient time.
  6. The updater process continuously consumes RAM, which slows other processes.

I manually perform the Windows Update for most of the same reasons.

I created a folder of bookmarks in my web browser for manually checking for updates, with the current version at the end of each bookmark label. After backing up the system from the administrator account, I perform the Windows Update and then click on each bookmark and download all the new plug-ins. I reboot between each update installation to avoid compatibility problems between updaters. Here are the links I use for checking for updates:

http://www.apple.com/quicktime/download/
http://www.macromedia.com/software/flash/about/ (your current version is displayed)
http://www.java.com/en/download/manual.jsp (I prefer the offline update to reduce the risk of compatibility problems)
http://www.real.com/ (click “Free Download” button and see the version in the file that it asks to download)
Support options for free and discontinued Adobe products

Many applications and plug-ins have a security flaw by assuming SSL 2.0 encryption with secure sites. Here is an article from 2005: http://weblogs.mozillazine.org/gerv/archives/2005/05/quick_ssl_versi.html
The Firefox team convinced most of the few remaining sites using SSL 2.0 to upgrade to SSL 3.0 or TLS 1.0. Today, the Firefox browser does not support SSL 2.0. The user must disable SSL 2.0 on other applications and plug-ins.

The following is a discussion of security flaws with the default settings of each plug-in. Note that all firewall rules include blocking initiations not explicitly allowed.

JAVA v6 update 11

  1. Keeping temporary Java files on the computer allows web sites to access data from previous browser sessions, much like cookies. Some sites use this to track user surfing and purchasing history.
  2. By default, supports SSL 2.0 encryption (see above).
  3. Only version 6 update 10 and newer are removed by installing a new update. Malicious web sites can request an old update, if available, to access security flaws.
  4. Comodo Memory Firewall (http://www.memoryfirewall.comodo.com/) prevents several errors that are used for malicious web site attacks. A few legitimate programs with bugs will fail when running CMF. Because of such a bug, Java will sometimes (especially during OpenOffice.org or StarOffice installation) consume 100% of the CPU until the PC or the process is shut down. CMF can be configured to exclude Java from protection, but security would be improved if Sun fixed the bug in Java.
  5. Installing an update changes many settings back to default.
  6. Java needs to access the internet to execute applications on web pages. Here are my firewall rules:
    C:\Program Files\Java\jre6\bin\java.exe: Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is 80
    C:\Program Files\Java\jre6\bin\javaw.exe: Allow TCP Out From IP Any To IP 127.0.0.1 Where Source Port Is Any And Destination Port Is Any

FLASH v10

  1. By default, Flash allows all web sites to store data on the computer, much like cookies. Some sites use this to track user surfing and purchasing history.

INTERNET EXPLORER (IE)

  1. By default, supports SSL 2.0 encryption (see above). Many applications, including RealPlayer, use these settings.

REAL PLAYER v11

  1. Real Guide is essentially a web browser. Unlike Firefox, there is no way to block advertisements that compromise the user’s security.
  2. Avira Antivir Premium (and many others) detects as adware or spyware C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
  3. Every time the user opens up the preferences menu, RealPlayer associates all its supported media types with itself. After accessing RealPlayer preferences on an account, my work-around is to configure QuickTime to associate all supported MIME and file types, and then configure foobar2000 to associate all supported file types.
  4. RealPlayer needs to access the internet to play media files on web pages. Here are my firewall rules:
    C:\Program Files\Real\RealPlayer\realplay.exe: Allow TCP Or UDP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is Any

QUICKTIME v7.5.5

  1. QuickTime needs to access the internet to play media files on web pages. Here are my firewall rules:
    C:\Program Files\QuickTime\QuickTimePlayer.exe: Allow TCP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is 80

WINDOWS MEDIA PLAYER

  1. The Windows User Mode Driver Framework service, which appears as Wdfmgr.exe in the processes, is installed by Windows Media Player 10 and later. It is used to sync with hardware players such as MP3 and is not needed by most users. See Microsoft Support.

WINDOWS OPERATING SYSTEM

  1. By default, services are enabled to support access and control by other computers on the internet. For advice on which services to disable and how, go to http://www.blackviper.com/Articles/OS/OSguides.htm, click on the quick link for your operating system, and then click on the link for services configuration. The super tweaks are also useful.

Below are instructions for using manual updates, overcoming most security flaws stated above, and improving system performance:

SECURITY (On Administrator account only)
If applications require older versions of Java (JRE 5.0 or J2RE 1.4), download the latest security update from http://java.sun.com/products/archive/
Start\Control Panel\Add or Remove Programs, remove all but the last update for each version of Java
Start\Control Panel\Add or Remove Programs, remove unnecessary old versions of Java (if an application complains, it can be reloaded from the above link).
Start\Control Panel\Java\Update, uncheck “Check for Updates Automatically” (eliminate jusched.exe process after reboot, avoids unexpected updates with default settings).
Double-click COMODO Memory Firewall\Exclusions\Add\Browse…, select C:\Program Files\Java\jre6\bin\java.exe
Double-click COMODO Memory Firewall\Exclusions\Add\Browse…, select C:\WINDOWS\SYSTEM32\java.exe
Rename or delete C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
Use CCleaner (http://www.ccleaner.com/) to remove registry entries associated with WeatherBug (avoids errors in the Event Viewer)

SECURITY (On each account)
Start\Control Panel\Java\General\Settings…, uncheck “Keep temporary files on my computer” (prevent cookie-like behavior)
Start\Control Panel\Java\General\Settings…\Delete Files, check all boxes
Start\Control Panel\Java\Advanced\Security, uncheck “Use SSL 2.0 compatible ClientHello format”.
Start\Control Panel\Java\Advanced\Security, check “Use SSL 3.0”
Start\Control Panel\Java\Advanced\Security, check “Use TLS 1.0”
Start\Control Panel\Internet Options\Advanced\Security, uncheck “Use SSL 2.0”
Start\Control Panel\Internet Options\Advanced\Security, check “Use SSL 3.0”
Start\Control Panel\Internet Options\Advanced\Security, check “Use TLS 1.0”
RealPlayer\Tools\Preferences…\Connection\Internet / Privacy, uncheck all under Privacy Settings
RealPlayer\Tools\Preferences…\Automatic Services\AutoUpdate, uncheck “Automatically download and install important updates”
RealPlayer\Tools\Preferences…\General\On startup display, select “My Library” (avoids loading ads from Real Guide)
In your web browser, go to Adobe - Flash Player : Settings Manager and do the following:
Global Storage Settings Panel - disk space=none, check “Never Ask Again”, uncheck “Allow third-party…”, uncheck “Store common…”
Global Security Settings Panel - tick “Always deny”
Global Notifications Settings Panel - uncheck “Notify me…”
Website Storage Settings Panel - delete all unnecessary websites (exceptions may include bank websites).
Exit the web browser and delete the empty folders under
C:\Documents and Settings\account_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Warning - CCleaner will return the Flash settings to their defaults by deleting settings.sol in this folder. There is no need to use CCleaner for Flash with the settings above.

PERFORMANCE (On Administrator account only)
Start\Run\services.msc\Windows User Mode Driver Framework\Disable & Stop
Start\Control Panel\Security Center\Automatic Updates, select “Turn off Automatic Updates”
Start\Control Panel\Security Center\Windows Firewall\General, select “Off” (assuming a hardware or 3rd-party software firewall is in place)
Install and run JavaRa (http://raproducts.org/) to remove leftover Java files and registry entries.
Start\Control Panel\Java\Advanced\Miscellaneous, uncheck “Java Quick Starter” (eliminate jqs.exe process and Firefox extension after reboot)
Install Autoruns (Autoruns for Windows - Sysinternals | Microsoft Learn) to disable unnecessary programs that run at logon.
Autoruns\Logon, uncheck “SunJavaUpdateSched” (eliminate jusched.exe process after reboot if Java control panel setting above didn’t work)
Autoruns\Logon, uncheck “QuickTime Task”
Autoruns\Logon, uncheck “Adobe Reader Speed Launcher”

PERFORMANCE (On each account)
Start\Control Panel\System\Advanced\Performance Settings\Visual Effects\tick “Adjust for best performance”
Start\Control Panel\Java\Advanced\Java console, select “Do not start console”
Start\Control Panel\Java\Advanced\Miscellaneous, uncheck “Place Java icon in system tray” (eliminate javaw.exe process).
Start\Control Panel\QuickTime\Update, uncheck “Check for updates automatically”
Start\Control Panel\QuickTime\Advanced, uncheck “Install QuickTime icon in system tray”
RealPlayer\Tools\Preferences…\Automatic Services\Message Center\Configure Message Center, uncheck “Check for new messages”
Adobe Reader\Edit\Preferences\General\uncheck “Check for updates”
Adobe Reader\Edit\Preferences\Internet\uncheck “Display PDF in browser”
Adobe Reader\Edit\Preferences\Page Display\Zoom=Fit Page

Here is a Java update installation procedure to avoid a Java extension in Firefox and to avoid the need to disable/delete logon items using Autoruns:
Log into the admin account.
Autoruns\Logon, delete “SunJavaUpdateSched” if it exists.
Install Java offline update.
Do not yet reboot or run Firefox.
Start\Control Panel\Java, make all changes listed above for the admin account.
Start\Control Panel\Java\Advanced\Miscellaneous, check “Java Quick Starter”.
Now reboot.
Start\Control Panel\Java\Advanced\Miscellaneous, uncheck “Java Quick Starter”.
Reboot again.
Autoruns\Logon, confirm that there are no Java items (otherwise uncheck).
Start\Control Panel\Add or Remove Programs, confirm that the old update of Java is removed (otherwise remove).
Install and run JavaRa (http://raproducts.org/) to remove leftover Java files and registry entries.
Firefox\Tools\Add-ons\Extensions, confirm that there is no Java extension.
Firefox\Tools\Add-ons\Plugins, disable all old Java plugins.
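
An added example, not part of the original post: a small parser for the per-application firewall rules quoted above, which classifies how far each rule lets the program reach. The rule grammar is inferred only from the four lines in the post; the scope labels are names chosen for this example.

```python
import re

# The four rules as written in the post.
RULES = r"""
C:\Program Files\Java\jre6\bin\java.exe: Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is 80
C:\Program Files\Java\jre6\bin\javaw.exe: Allow TCP Out From IP Any To IP 127.0.0.1 Where Source Port Is Any And Destination Port Is Any
C:\Program Files\Real\RealPlayer\realplay.exe: Allow TCP Or UDP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is Any
C:\Program Files\QuickTime\QuickTimePlayer.exe: Allow TCP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is 80
"""

# Grammar inferred from the lines above (assumption: no other rule shapes occur).
RULE_RE = re.compile(
    r"^(?P<exe>.+?\.exe):\s+Allow\s+(?P<proto>TCP Or UDP|TCP|UDP)\s+Out\s+"
    r"From IP (?P<src>\S+)\s+To IP (?P<dst>\S+)\s+"
    r"Where Source Port Is (?P<sport>\S+)\s+And Destination Port Is (?P<dport>\S+)$",
    re.IGNORECASE,
)

def parse_rule(line):
    """Split one rule line into its fields; reject anything unrecognised."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return m.groupdict()

def scope(rule):
    """Label how widely the rule allows outbound connections."""
    dst, dport = rule["dst"].lower(), rule["dport"].lower()
    if dst.startswith("127."):
        return "loopback-only"
    if dst == "any" and dport == "any":
        return "any-host-any-port"
    if dst == "any":
        return "any-host-port-" + dport
    return "single-host"

def audit(text):
    """Map each executable name to the scope of its rule."""
    result = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        result[rule["exe"].rsplit("\\", 1)[-1].lower()] = scope(rule)
    return result

if __name__ == "__main__":
    for exe, label in audit(RULES).items():
        print(f"{exe:24} {label}")
```

Rules labelled `any-host-any-port` are the ones to revisit first when tightening a default-deny policy, since they place no limit on where the program can connect.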
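
An added example, not part of the original post: a per-account check of the Internet Options protocol checkboxes described under "SECURITY (On each account)". It decodes the `SecureProtocols` registry value that backs those checkboxes; the function names are this example's own, and the TLS 1.1 and TLS 1.2 flags go beyond the three protocols the post mentions.

```python
# Bit flags of the SecureProtocols DWORD behind
# Internet Options > Advanced > Security.
FLAGS = {
    0x08: "SSL 2.0",
    0x20: "SSL 3.0",
    0x80: "TLS 1.0",
    0x200: "TLS 1.1",
    0x800: "TLS 1.2",
}
KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

def enabled_protocols(mask):
    """Return the protocol names whose bits are set, weakest first."""
    return [name for bit, name in sorted(FLAGS.items()) if mask & bit]

def matches_post(mask):
    """True when SSL 2.0 is off and SSL 3.0 and TLS 1.0 are on, as the post sets them."""
    on = enabled_protocols(mask)
    return "SSL 2.0" not in on and "SSL 3.0" in on and "TLS 1.0" in on

def read_current_user_mask():
    """Read the value for the logged-on account; None off Windows or if unset."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY) as key:
            return winreg.QueryValueEx(key, "SecureProtocols")[0]
    except OSError:
        return None

if __name__ == "__main__":
    mask = read_current_user_mask()
    if mask is None:
        print("SecureProtocols not readable on this system")
    else:
        print(enabled_protocols(mask), "matches post:", matches_post(mask))
```

The post dates from when SSL 3.0 and TLS 1.0 were current; both have since been deprecated (RFC 7568 and RFC 8996), so on a present-day system the same check should look for TLS 1.2 or later.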