BrowserScan is a service that lets you scan a browser for vulnerable plugins. The analysis runs instantly by checking the installed versions of Java, Flash, Adobe Reader, Adobe Shockwave, QuickTime, RealPlayer, Silverlight, VLC Media Player, Windows Media Player and Phoscode DevalVR.
The tool was created by the Rapid7 team, the same people behind Metasploit, and it is completely free.
Besides manual browser scans, the tool can also run automatically, feeding a very good statistics system that can be used in business environments to monitor or assess the security posture of employees' browsers.
You only have to create an account in BrowserScan and then add a small script (tracking code) to a page that users visit often, or to the company intranet; in this way the browsers of all visitors are analyzed automatically (no manual scans or extra installations).
It is worth mentioning that the information is collected in aggregate form, that is, there is no individual monitoring of each user or computer. In addition, the script can run transparently (invisibly) or display a warning to users whose browser is vulnerable.
To quickly show you how it worked, I added the script to the Forum for a few hours; the results surprised me quite a bit, in that most visitors were vulnerable to different types of attacks.
In the following screenshot you can see the Dashboard, or BrowserScan Desktop. During the test about 500 users visited; the blue part shows the total number of scans and the red part shows browsers with a vulnerability, that is, at least one outdated component.
You can also see the most used operating systems and browsers, as well as statistical graphs for each of the plugins. For example, in the following screenshot you can see the different versions of Adobe Reader detected... 81% of them did not have it updated!
They surely don't know that they can be automatically infected when opening a malicious PDF if the document reader (in this case Adobe Reader) is vulnerable.
In the case of Java, it was up to date in only 20% of browsers; the rest could be silently infected simply by visiting a malicious website.
Similar statistics are available for all plugins; you can also see the source IPs of the users (although they are not directly tied to the graphs) and the source sites (referrers) where the tracking code is placed.
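To make the dashboard figures above concrete, here is an added example (not BrowserScan's own code) that aggregates constructed plugin inventories from several scans into the per-plugin "outdated" share and the count of vulnerable browsers; the minimum versions are placeholders, not real advisory thresholds.

```javascript
// Constructed minimum acceptable versions (placeholders for illustration only).
const MIN_VERSION = {
  "Adobe Reader": "11.0.0",
  "Java": "1.7.0_45",
  "Flash": "11.9.900",
};

// Compare dotted/underscored version strings part by part, numerically,
// so that "1.7.0_45" sorts above "1.7.0_9" (a plain string compare would not).
function compareVersions(a, b) {
  const pa = a.split(/[._]/).map(Number);
  const pb = b.split(/[._]/).map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A plugin is outdated when its version is below the threshold we know for it;
// plugins without a threshold cannot be judged and are treated as not outdated.
function isOutdated(name, version) {
  const min = MIN_VERSION[name];
  if (min === undefined) return false;
  return compareVersions(version, min) < 0;
}

// One scan = the plugins (name -> version) reported by one visiting browser.
// Returns per-plugin counts plus how many scans had at least one outdated plugin.
function summarize(scans) {
  const stats = {};
  let vulnerableScans = 0;
  for (const plugins of scans) {
    let anyOutdated = false;
    for (const [name, version] of Object.entries(plugins)) {
      const s = stats[name] || (stats[name] = { seen: 0, outdated: 0 });
      s.seen++;
      if (isOutdated(name, version)) { s.outdated++; anyOutdated = true; }
    }
    if (anyOutdated) vulnerableScans++;
  }
  for (const s of Object.values(stats)) s.pctOutdated = Math.round(100 * s.outdated / s.seen);
  return { totalScans: scans.length, vulnerableScans, plugins: stats };
}

// Constructed sample of five scans with a mix of current and old versions.
const SAMPLE_SCANS = [
  { "Adobe Reader": "9.5.1", "Java": "1.6.0_31" },
  { "Adobe Reader": "11.0.3", "Flash": "11.9.900" },
  { "Adobe Reader": "10.1.4", "Java": "1.7.0_45" },
  { "Java": "1.7.0_25" },
  { "Adobe Reader": "11.0.0", "Flash": "11.8.800" },
];

console.log(JSON.stringify(summarize(SAMPLE_SCANS), null, 2));
```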
As we can see, BrowserScan can be very useful not only for gathering statistics but also for learning which security aspects need more work when educating users.
Via seifreed.com and community.rapid7.com
See also: The vulnerabilities most exploited by cyber criminals during 2012.