Friday, February 22, 2013

The move to plugin-free browsers

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on their desktop products.

Microsoft has now also gone plugin-free with Internet Explorer 10 Metro. This version of Internet Explorer does not support plugins (except for the embedded Flash plugin which is a allowed on a few whitelisted sites only). See "Get Ready for plugin-free browsing" for additional details.

Chrome and Firefox are also moving in the direction of plugin-free browsers too. The first step is Click to Play, which enables plugins only after an interaction from the user, not by default. With the release of Firefox 19, Mozilla has removed the need to leverage the Adobe Reader plugin by providing a JavaScript based PDF reader. Firefox is also going to enable Click to Play by default (except for Flash) in the next releases.

Blame the plugin vendors

HTML5 is helping browser vendors to get rid of some plugins, like Flash. For example, the standardization around video and sound means Flash is no longer the only option to play a video on modern browsers.

But the main drive toward plugin-free browsers is security.The latest Java vulnerabilities actively exploited and leveraged in successful attacks against Facebook and Apple, are just the latest flaws exposed in Java, Flash and Adobe Reader plugins.

Because these plugins live outside of the browser, they cannot be updated automatically by the browser vendors. Our State of the Web reports continually show that users are slow to update their plugins, even after well publicized vulnerabilities are found.

Not the end of vulnerable browsers

The end of the plugins does not mean the end of vulnerabilities in browser, just fewer of them. This month Microsoft patched about 11 security flaws. But unlike vulnerabilities in plugins which can be exploited in all browsers, browser vulns are specific to each vendor.

Friday, February 8, 2013

“Say cheese!” Let’s take a picture for you guys, packer families.

Gong Xi Fa Cai!恭喜发财
It’s the last weekend of the Chinese New Year, Year of Snake.  


The Chinese New Year is the most important Chinese holiday. Traditional activities such as taking family photo and making dumplings are must-to-do things to welcome the Chinese New Year. So it’s time for me to take a family photo for all packers.

The large-scale volume of packed advanced malware has created a need to discover inter-family correlations for all packers.The following picture is what I have found about packer families.

Isn't it beautiful! Each cluster in the figure stands for a packer. It is clear that packer families share correlations from each other. Let's go through one by one.

PKLite packer is lonely located on the far left middle side.

Here come Orien and Dwing, the latter is one of the most popular packers, which has 20+ sub-versions.


NSPack share correlations with MaskPE and ExePressor.

PECompact has a large family and it has some relatives, such as PEArmor and ExeCryptor.
The God Father of packers goes to UPX. It sits in the right middle of the big family.

All right, I need to go home and make dumplings NOW, and am too lazy to put all the snapshots here.
If you are interested to find more, just drop me a line.

Again, Happy Chinese New Year!