Scan reveals weaknesses in your web browser

6 Jun

In posting this column for the archive (in May 2012), I ran the scan again, and found two insecure programs, which were fixed with a simple update. Don’t wait – do it now.

June 6, 2011

By Geoff Meeker 

We all do it from time to time. We’ve got several files and web pages open on the computer, and we’re right in the middle of something, when a window pops up, telling us that an update is available for your video player.

The temptation is to click “Not at this time” or “Remind me later.” I know, because I’ve done it.

And according to some new research, that’s a major mistake.

Internet security management company Qualys has revealed that many web browsers operate with out-of-date video plug-ins that leave them vulnerable to Internet skullduggery.

The key finding: roughly 80 percent of browser-related security flaws relate to plug-ins –  software add-ons that enhance browser capabilities – and only 20 percent to the browser itself.

Qualys made this finding after scanning 420,000 computer web browsers, using its Browsercheck tool (more on this in a moment). They found that the biggest problems can be traced to a handful of well-known plug-ins for video, including Adobe Flash, Apple Quicktime, Shockwave and Windows Media Player, along with utilities like PDF Reader and Java.

The most vulnerable utility was Java, which runs on 80 percent of Internet browsers. Of those scanned by Qualys, 40 percent were running an out of date version that was open to malicious activity. Adobe Reader, also on 80 percent of browsers, was vulnerable 30 percent of the time.

Flash video was the most common plug-in, on 95 percent of browsers, but only 20 percent of them were open to exploits. Shockwave and Quicktime appear on just 40 percent, and were vulnerable 20 to 25 percent of the time.

Wolfgang Kandek, Chief Technology Officer at Qualys, said the sheer number of plug-ins complicate the job of keeping them up-to-date.

“The problem is that they all have their own individual updating mechanisms,” Kandeck told “It makes the problem much bigger than it needs to be.”

So, what do you?

First and foremost, when your computer advises that updates are available, don’t click the “Get off my back” key. Save your work, then execute the download.

However, that’s not enough. Some plug-ins don’t seek out updates on their own – it is up to the user to perform this task.  There is an effective, extremely convenient way to do this, while exposing and fixing possible vulnerabilities in your browser.

Go to

You are going to allow an external computer to install a plug-in that peeks under the hood, to check your browser for updates. But don’t be nervous: the “s” in https stands for “secure”, and this is a credible, trusted site.

Browsercheck has a clean, simple screen. You will be asked to click the “Scan Now” button, to start the security check. In no time, you are presented with a list, beginning with your web browser, followed by the plug-ins running there. Most should be “Up to date.” In my case, there was one “Update available.”

You might also receive warnings that you are running an “Insecure version” of a browser or plug-in. There is also an “Obsolete” finding, which means the installed version is no longer supported by the vendor, in which case you click “fix” to link to the latest version. There are other outcomes as well, for every possible scenario, but I’ve covered the key ones.

So go ahead, do it now. Open the page and run the scan. You will feel much better for it.

Geoff Meeker is a communications consultant with a soft spot for technology. He also writes a blog about the local media scene, which is hosted at


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: