
E-mail: security@lbl.gov

Web Browser Plugin Security

Web browser plugins are small pieces of software that extend the functionality of Web browsers, allowing rich content to be viewed online. Some plugins display harmless advertising or videos in Web pages, but when out-of-date, they can also carry viruses.

Berkeley Lab continues to experience virus infections due to vulnerable Web browser plugins, such as Adobe Flash Player (Flash) and Oracle's Java Runtime Environment (JRE). We can avoid many of these infections if all computers have up-to-date plugins.

To keep Flash and Java browser plugins current on Windows and Mac, use this page to:

  • Install IBM Tivoli Endpoint Management (BigFix). (Note: If you have a Windows computer in Active Directory, it's probably installed already.)
  • Check your web browser plugins using the Qualys tool at http://go.lbl.gov/browsercheck.

How to Install IBM Tivoli Endpoint Management (BigFix)

The IT Division offers IBM Tivoli Endpoint Management (BigFix) as a patch management service. BigFix runs automatically in the background, keeping your Flash and Java plugins up-to-date. We recommend that all Windows and Mac systems install IBM Tivoli Endpoint Management (BigFix).

Step 1. Download and install the software

To install IBM Tivoli Endpoint Management (BigFix), first download it from the Laboratory’s Software Distribution site. Log in with your LDAP credentials, select "IT Supported Downloads", scroll down to the section labeled Security Software, and click on "IBM BigFix Endpoint Management". Once the installation package is downloaded, follow standard installation procedures (e.g. double-click to open the package and start the install, then follow the steps in the installation window). You don't need to do anything further; the software will run quietly in the background.

Home Computer Use: Do not install IBM Tivoli Endpoint Management (BigFix) on home computers. Communication is blocked to the BigFix server from outside the Lab, so you will not be able to get updates from off-site.

Step 2. Verify that the software was installed

a. Windows verification

To verify that BigFix is installed on Windows, look for "Tivoli Endpoint Management Client" in your installed programs list. XP: View installed programs in "Control Panel" then "Add or Remove Programs"; Windows 7: Go to "Control Panel" then "Programs and Features". If your computer is in Active Directory, you probably already have BigFix. The screenshot below shows what a successful install looks like.

b. Apple, Mac verification

To verify that BigFix is installed on Mac, look under your hard drive folder for /Library/BESAgent/BESAgent. If that file exists, BigFix is installed. The screenshot below shows what a successful install looks like.
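
For anyone who wants to script the two Step 2 checks, the following is an added example (not part of the original page and not an IT Division tool). It assumes the Windows installed-programs list is read from the machine-wide Uninstall registry keys; the function names are illustrative.

```python
import os
import platform

# Names taken from the verification steps above.
WINDOWS_DISPLAY_NAME = "Tivoli Endpoint Management Client"
MAC_AGENT_PATH = "Library/BESAgent/BESAgent"

# Assumption: registry locations behind the installed-programs list (64/32-bit).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

def mac_agent_present(root="/"):
    """True if the BESAgent path exists under the given volume root."""
    return os.path.exists(os.path.join(root, MAC_AGENT_PATH))

def name_matches(display_names):
    """True if any installed-program name contains the BigFix client name."""
    wanted = WINDOWS_DISPLAY_NAME.lower()
    return any(wanted in (n or "").lower() for n in display_names)

def windows_display_names():
    """Yield DisplayName values from the machine-wide Uninstall keys."""
    import winreg  # Windows-only standard-library module
    for path in UNINSTALL_KEYS:
        try:
            parent = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # this registry view does not exist on this system
        with parent:
            for i in range(winreg.QueryInfoKey(parent)[0]):
                try:
                    with winreg.OpenKey(parent, winreg.EnumKey(parent, i)) as sub:
                        yield winreg.QueryValueEx(sub, "DisplayName")[0]
                except OSError:
                    continue  # entry has no DisplayName value

def bigfix_installed(system=None, root="/"):
    """Return True/False on Windows and Mac, None on other platforms."""
    system = system or platform.system()
    if system == "Windows":
        return name_matches(windows_display_names())
    if system == "Darwin":
        return mac_agent_present(root)
    return None

if __name__ == "__main__":
    print("BigFix installed:", bigfix_installed())
```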

How to Use the Qualys tool

BigFix has a few limitations. It:

  • Does not identify and patch all Web Browser plugins (just Flash and Java)
  • Does not provide an easy way to verify your plugins were patched

Therefore, we also recommend you run the Qualys browser check at http://go.lbl.gov/browsercheck.

Qualys provides this tool free to LBNL. In addition to helping you, the tool provides us with useful statistics about vulnerable web browser plugins in our environment. If you use multiple web browsers, for example Firefox and Chrome, you need to run this tool from each browser.

Home Computer Use: Feel free to run Qualys on your home computers. We even encourage it!

Step 1. Install Qualys in each browser you use

The first time you use the tool, you must allow the Qualys browser plugin to install. This process can vary slightly by browser and OS. For Windows 7 and Firefox, click the "Allow" button as shown below:

 

Once you click allow, the plugin will download and present you with the "Install Now" option. Click "Install Now" then restart your browser.

Step 2. Scan your web browser

After the browser restarts, you can then scan your web browser for vulnerable plugins. The system shown below has an outdated Adobe Reader plugin and Firefox. The "Fix It" buttons listed next to each application provide direct links to the updates.

Once you believe all plugins are updated, you should rerun the tool to verify. If you need help, contact the IT HelpDesk.

Step 3. Repeat on a weekly basis for each browser

Visit go.lbl.gov/browsercheck every week for each browser installed on your computer.

Known Issues

  • "Fix It" buttons in Qualys tool don't always work. The "Fix It" buttons are not always a simple way to get the current version. We have found a couple "Fix It" buttons with broken links. It may be necessary to manually update some plugins.

Preventing infections: Isolation

Effective January 24, 2012, we will isolate computers with vulnerable plugins from the network.

If your computer is isolated, you will see a notification page when you open your web browser. This page will explain why you are isolated and the steps you can take to fix the vulnerability and get the isolation removed. For the protection of the Lab, you are not able to browse the Web when isolated.

Feedback and Help

If you have further questions, please contact the IT HelpDesk by calling x4357 (HELP), online via Web form (http://help.lbl.gov/), or by sending e-mail to help@lbl.gov.

Send feedback on isolation procedures to security@lbl.gov.