BrowserScan from vulnerability management vendor Rapid7 is a low-impact scanning service that IT managers can use to check what browsers users are running on their computers. Large companies have dedicated IT personnel and comprehensive patch management systems that track what software users are running on their computers and ensure they are up-to-date. The small business administrator generally doesn’t have the time or resources to keep track of which version of Mozilla Firefox or Adobe Flash plug-in each employee has on the computer.
Cyber-attackers are increasingly relying on Web threats and malware that target outdated Web browsers and plug-in software, knowing that a majority of users are not staying on top of all the new versions. Rapid7's free BrowserScan tool gives administrators a quick picture of the state of Web browsers and installed plug-ins within the organization.
BrowserScan is very similar to the similarly-named BrowserCheck Business Edition offered by Qualys and Mozilla’s smaller PluginCheck. BrowserScan is more robust than PluginCheck, since all Mozilla’s tool does is to check the plug-ins installed on Firefox, but slightly less robust than BrowserCheck as it cannot scan for Windows operating system updates. BrowserScan’s narrow focus—scanning for the major Web browsers and the plug-ins—makes sense when you consider that a significant number of cyber-attacks nowadays target the Web browser. With BrowserScan, administrators can at least prevent immediate risks, and then expand their efforts to a more robust patch management system later on.
BrowserScan simplifies the entire scanning process from the user's perspective. There is no agent to install, no full-fledged software to run, and no button to tell employees to click on. Administrators embed a unique tracking code into websites under the organization's control that users are likely to visit, such as a SharePoint, blog, or CMS platform, Outlook OWA, or even the internal HR portal. Every time a user lands on that site, the code executes and quickly gathers information about the operating system, the IP address, the Web browser being used, and some of the plug-ins installed in that browser. BrowserScan saves the information to a centralized Web-based dashboard so that the administrator can get an overview of the organization's browser security status.
I viewed new machines in the dashboard as they were scanned and added. The dashboard tracked the machines every time the user loaded the page, and tracked the status over time, making it possible to see whether users were catching on and updating their software.
If I don’t want to use BrowserScan anymore, it’s as simple as removing the tracking code from my sites and clicking on “Purge data” from the dashboard.
BrowserScan, As a User
BrowserScan has four modes of operation, and the user experience depends directly on which mode the administrator selects. The default, Transparent mode, is completely silent, as BrowserScan collects the data and the user has no indication the site is scanning the computer. Badge mode lets the administrator display a small graphic after the scan to indicate the browser status. If there are no risks, the icon says, “Your system is up to date,” while out-of-date software results in “Your system is out of date!”
Overlay mode is more aggressive, as it displays a full-page pop-up if the browser is at risk. The pop-up message warns, “Your system is unpatched! You are using outdated software that puts your data at risk,” and has a button marked “Help Me” that takes users to a page informing them what software needs to be updated.
The final mode, Redirect, intervenes and blocks users with insecure software from accessing internal resources. Unlike Overlay mode where the user is just warned, Redirect prevents the user from accessing internal sites until they update the browser. The user is generally redirected to a different page with information on what to update.
After I clicked on the “help me” link from the badge, pop-up window, or the redirected site, I saw a page similar to what BrowserCheck had, with a list of plug-ins (BrowserScan checks 10 popular plug-ins) to the left, an icon indicating which was out-of-date, and a button to download the update.
BrowserScan, as an Administrator
As an IT administrator, I am interested in which out-of-date plug-ins on my users' computers can expose them to drive-by downloads so that I can get them updated before a problem happens. In the dashboard, I can see a day-by-day graph of how many computers were scanned and how many were out-of-date. This provides me with a view of my company's overall risk posture.
Clicking on each plug-in name—Oracle Java, Adobe Flash, Adobe Reader, Adobe Shockwave, Apple Quicktime, RealPlayer, Microsoft Silverlight, VLC Media Player, Windows Media Player, and Phoscode Deval VR (to view interactive 3D content)—brings up the graph showing me how many computers scanned had the plug-in and how many were outdated. Each plug-in page also has a pie chart showing what version my users are running.
With the day-to-day graph, I could see how all the visitors to my site had up-to-date Java plug-ins; and the day after Oracle released its mammoth Java update, I could see how many of my users had not installed the security fixes. This is a good way to get an up-to-date risk assessment.
I could also see what operating systems and browsers my users are running. It easily detected Linux, Windows, and Mac OS X. It detected Android tablets running Jelly Bean and Gingerbread as Linux (Other). iOS devices, oddly enough, came up as “Unknown.” Interestingly enough, the stock Android browser was detected as Safari, possibly because of the WebKit engine under the hood.
The service did not split out versions within the OS, so I couldn't identify how many machines had Windows 7, for example. It detected the browsers, but again, did not break out which versions, so there was no way to tell how many folks were using IE 10 or IE 9. It seemed like a missed opportunity here.
Basic Information Scanning
Keeping in mind that BrowserScan is intended to be a first line of defense and not a comprehensive patch management system, I still felt like there were some areas that could have used some attention. Not being able to tell who was running which versions of the Web browser was surprising, considering that this information is readily available from the User-Agent header set by the browser. The service records results by the computer's public IP address. In our Labs scenario, all of us have the same public IP, which means I can't identify which of the 18 computers we have was scanned. Transparent mode is not going to be that useful for administrators unless the bulk of their employees work remotely or have different public addresses. The other three modes at least inform users about the problem and allow them to get and install the updates.
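To make the mechanism concrete, here is an added example of the kind of page-embedded inventory snippet the review describes. It is not Rapid7's BrowserScan code and not taken from this review; it is written here to illustrate the technique. In a real page it would read navigator.userAgent and navigator.plugins and POST the result to a dashboard, but every function below takes those values as arguments so the logic runs offline in Node. It also goes a little beyond what the review reports: it pulls the OS and browser versions (Windows 7 vs 8, IE 9 vs 10) out of the User-Agent string, the detail the reviewer found missing, and shows why naive token matching reports the stock Android browser as Safari. The MIN_VERSIONS table, the sample User-Agent strings and plug-in list, and the "/help" URL are all constructed placeholders for the demo.

```javascript
// Added illustration, not Rapid7's BrowserScan code: a page-embedded
// inventory snippet of the kind the review describes. Functions take the
// User-Agent string and plug-in list as arguments so they can run in Node.

// Constructed minimum "patched" versions (placeholders for the demo; a real
// baseline would be kept current from each vendor's security advisories).
const MIN_VERSIONS = {
  "Java": "1.7.0.13",
  "Shockwave Flash": "11.5.502.149",
  "Adobe Acrobat": "11.0.1",
};

// Numeric comparison of dotted version strings: "1.7.0.9" < "1.7.0.13",
// which a plain string comparison would get wrong.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify OS and browser from the User-Agent string, including the version
// breakdown the review found missing. Token order matters: an Android UA also
// carries "Linux" and "Safari", and a Chrome UA carries "Safari", so the more
// specific tokens are tested first. Matching "Safari" before "Android" is
// exactly how the stock Android browser gets reported as Safari.
function parseUserAgent(ua) {
  let os = "Unknown";
  let m;
  if ((m = /Windows NT (\d+\.\d+)/.exec(ua))) {
    const names = { "5.1": "Windows XP", "6.1": "Windows 7", "6.2": "Windows 8" };
    os = names[m[1]] || "Windows NT " + m[1];
  } else if ((m = /Android (\d+(?:\.\d+)*)/.exec(ua))) {
    os = "Android " + m[1];
  } else if (/iPhone|iPad|iPod/.test(ua)) {
    os = "iOS"; // iOS UAs also say "like Mac OS X", so test this first
  } else if (/Mac OS X/.test(ua)) {
    os = "Mac OS X";
  } else if (/Linux/.test(ua)) {
    os = "Linux";
  }

  let browser = "Unknown";
  let version = "";
  if ((m = /MSIE (\d+)/.exec(ua))) {
    browser = "Internet Explorer"; version = m[1];
  } else if ((m = /Firefox\/(\d+)/.exec(ua))) {
    browser = "Firefox"; version = m[1];
  } else if ((m = /Chrome\/(\d+)/.exec(ua))) {
    browser = "Chrome"; version = m[1];
  } else if (/Android/.test(ua) && /Safari/.test(ua)) {
    browser = "Android Browser";
  } else if ((m = /Version\/(\d+).*Safari/.exec(ua))) {
    browser = "Safari"; version = m[1];
  }
  return { os, browser, version };
}

// plugins: [{ name, version }] as enumerated from the browser that loaded the
// page. Only that browser's plug-ins are visible, which is the Chrome-vs-IE
// blind spot the review runs into.
function assessPlugins(plugins) {
  const outdated = [];
  for (const p of plugins) {
    const min = MIN_VERSIONS[p.name];
    if (min && compareVersions(p.version, min) < 0) {
      outdated.push({ name: p.name, installed: p.version, required: min });
    }
  }
  return outdated;
}

// Dispatch on the four modes. Returns what the page should do rather than
// touching the DOM, so the decision can be unit-tested.
function chooseAction(mode, outdated, helpUrl) {
  const atRisk = outdated.length > 0;
  switch (mode) {
    case "transparent":
      return { message: null, block: false, helpUrl: null };
    case "badge":
      return { message: atRisk ? "Your system is out of date!" : "Your system is up to date",
               block: false, helpUrl: atRisk ? helpUrl : null };
    case "overlay":
      return atRisk
        ? { message: "Your system is unpatched! You are using outdated software that puts your data at risk",
            block: false, helpUrl }
        : { message: null, block: false, helpUrl: null };
    case "redirect":
      return atRisk ? { message: null, block: true, helpUrl }
                    : { message: null, block: false, helpUrl: null };
    default:
      throw new Error("unknown mode: " + mode);
  }
}

// Assemble the record the dashboard would receive. The public IP is attached
// server-side from the request, which is why many machines behind one NAT
// collapse into a single dashboard entry.
function buildReport(ua, plugins, mode, helpUrl) {
  const client = parseUserAgent(ua);
  const outdated = assessPlugins(plugins);
  return { client, outdated, action: chooseAction(mode, outdated, helpUrl) };
}

// Constructed sample: IE 9 on Windows 7 with an old Java plug-in; "/help" is a placeholder.
const SAMPLE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)";
const SAMPLE_PLUGINS = [
  { name: "Java", version: "1.7.0.9" },
  { name: "Shockwave Flash", version: "11.5.502.149" },
];
console.log(JSON.stringify(buildReport(SAMPLE_UA, SAMPLE_PLUGINS, "redirect", "/help"), null, 2));
```

Run with `node` to see the report for the constructed sample: the client resolves to Internet Explorer 9 on Windows 7, Java 1.7.0.9 is flagged against the placeholder baseline, and Redirect mode returns block: true with the help URL. The version baseline is the part that needs real upkeep; a snippet like this is only as good as the table it compares against.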
I really liked BrowserScan’s no-software approach. We aren’t adding yet another plug-in to the browser, not installing a software agent, or making sure the monitoring software is still running on the computer. However, while it’s nice not to have to rely on the user to run the scans (or on the user not disabling the software so that automated scans can run), BrowserScan’s approach also depends on the user to regularly visit the site with the embedded code. And here is the other problem—the service just checks the browser I am using to load the page. It is not checking if my other browsers are up-to-date. This is fine for 95 percent of the time, but it takes a single visit to a malicious site with a vulnerable browser—just once!—to be infected.
Case in point: I have Java enabled only in one browser (IE) on one of my test Windows machines, and the default browser is Chrome. The day after the Java patch was released, I scanned the test machine and found everything was up-to-date, which I knew was incorrect since I hadn't updated yet. It took me a few moments to realize that I was accessing the site using Chrome and not IE. Once I switched to IE, I saw the warning.
Quick Scanning As First Line of Defense
BrowserScan is a great way for administrators to get a quick snapshot of the state of browser security. It can’t provide exact information about which machine has which issues, but at least the administrator can see that there are certain computers which need attention. The Redirect mode can act as lightweight network access control, restricting users who don’t have proper security from getting to the site. Whatever site the administrator selects for the tracking code has to be one that users regularly visit or the service won’t be as useful.
For small businesses falling behind on patch management and regular software updates, BrowserScan is a good first step towards addressing the most common threats. If you just want a quick system that will tell you the state of your browsers and plug-ins across your Windows network, BrowserScan is sufficient. For more thorough scanning and Windows updates, you should consider a more robust platform such as Secunia SmallBusiness.
Copyright © 2012 Ziff Davis, Inc