May 14 2014
The BrowserScan concept emerged during the heyday of Java zero-day exploits in 2012. The risk posed by out-of-date browser addons, especially Java and Flash, was a critical issue for our customers and the greater security community. The process of scanning each desktop for outdated plugins was something that many firms couldn't do easily. BrowserScan helped these firms gather macro-level exposure data about their desktop systems, providing a quick health-check of their patch management process.
Our no-scan and no-agent approach did have some drawbacks. It was difficult to identify vulnerable users behind a NAT gateway without doing deep integration with internal web applications. Our ability to track browser-specific vulnerabilities was hampered by consistency issues between vendors. Additionally, some of our users didn't want a cloud-based solution and asked for an on-premises installation instead. These limitations were acceptable so long as the primary use case of identifying out-of-date addons was helping the community.
Over the last two years, web browsers and their associated addons have evolved to reduce the risk of attack. Java no longer runs applets by default. Firefox no longer allows outdated plugins to load. Internet Explorer 10+ now throws a nasty popup when a site tries to detect whether Java is installed. Chrome manages its plugins as part of the browser itself, which is constantly being updated. In short, most of the attack surface that BrowserScan was designed to detect is no longer accessible. Even worse, trying to detect out-of-date addons now causes some browsers to emit warnings about a possible attack.
We feel that the browser addon ecosystem has changed enough that BrowserScan has outlived its usefulness. We will begin ramping down the service immediately, first by disabling new account creation and then gradually reducing the services. If you are an active user, you will receive an email soon describing the ramp-down process and the timeline for removing the widget from your web sites.
If you have any questions, you can reach the BrowserScan team via research[at]rapid7.com.
Update: We have released PluginScan, an open source implementation of BrowserScan available under the MIT license.