Lots and lots of computer security related news recently: the IE and Firefox brouhaha concerning a high security risk in how IE handles a “firefoxurl://” URI (uniform resource identifier), Haute Secure blocking malware, Microsoft security bulletins, and Facebook pimping da crudware baby.
Firefox and IE together brew up security trouble: a News.com article about the Firefox and IE combo flaw that could allow someone to compromise a user’s machine remotely.
Site Advisor 2.0: Haute Secure Launches To Detect and Block Malware. A short review of Haute Secure from Michael Arrington, who says, “Haute Secure launched moments ago: it’s a new browser plug-in that the company says will detect and block malware before it has a chance to infect your computer. The timing couldn’t be better as news spreads of more Windows-based vulnerabilities.”
Haute Secure: They block bad sites and then let you decide whether you want to allow them or not. Sounds like the UAC feature of Windows Vista, but I haven’t tried it yet myself.
Microsoft Security Bulletin MS07-036 – Critical Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542): This critical security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities as well as other security issues identified. These vulnerabilities could allow remote code execution on your computer if a user opens a specially created Excel file. Users whose accounts are not configured to run as Administrator will be less impacted than those who do. This is a critical security update for supported editions of Microsoft Office 2000. For supported editions of Microsoft Office XP, Microsoft Office 2003, 2007 Microsoft Office System, this update is rated important. This update is also rated important for the Excel Viewer 2003, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.
Microsoft Security Bulletin MS07-039 – Critical Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122): This critical security patch resolves a vulnerability in Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition. Attacks attempting to exploit this vulnerability would most likely result in a denial of service condition, and remote code execution could be possible. On Windows Server 2003 an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Facebook found pimping crudware: Facebook has become the latest website to be found pushing services that deliver highly deceptive security warnings designed to trick users into buying software. Purveyors of this scam are making use of Facebook Flyers, small ads that get posted on Facebook pages associated with a specific region. At 5,000 impressions for just $10, it’s a bargain.
In a post on the OpenDNS blog titled Google turns the page... in a bad way, David Ulevitch says Dell and Google have teamed up and are installing software on Dell computers that borders on being spyware. The issue is that computer manufacturers like Dell, Gateway, Sony, etc. are installing a program called Browser Address Error Redirector that redirects users who mistype URLs, or who enter search terms in the address bar as they would in a search box, to a search results page filled with sponsored listings, the ones that Dell and Google will make money from if users click on them. Here is why this could happen:
This page was generated because of one of these two reasons:
The web address you typed did not resolve correctly.
You typed a keyword query in the browser address bar.
This page is meant to provide you with helpful related content, including web search results and paid advertisements, based on the meaning of the web address/keyword query that you typed. This program can be uninstalled from the Control Panel “Add/Remove Programs” in Windows XP or “Control Panel > Program > Programs and Features” in Windows Vista. Look for the application named Browser Address Error Redirector. Older versions may be called GoogleAFE.
Sounds pretty innocent to me, if you take them at their word, but the ads, err I mean the search results they serve up are dominated by Google ads; in fact, on most users’ screens, they probably would not be able to see the actual Google search results. Now, David says it is Google and Dell who are doing it, but I wonder if it is Dell’s decision alone to decide how many ads to place on a search results page such as this? I know I decide how many I show on my site, but I have no exclusive deal with Dell to compare it to. I guess the terms and decision makers will come out when Dell and Google respond, if they haven’t already. David goes on to give some reasons why Dell and Google would do this.
The computer hardware business has razor-thin margins which means making a profit is tough. So the opportunity for Dell to get a recurring revenue stream from an existing customer long after the sale of the computer is more than just enticing, it’s huge. It also means a couple other things:
Dell and Google have an incentive to make it very hard for users to turn this off.
Because users can’t get rid of it, Dell and Google can get away with putting more ads on the page and pushing user-relevant content off the page. Source: Google turns the page... in a bad way
Now, I myself have not seen the redirector in action, most of the Dell computers that I end up seeing are re-imaged when they are received by the buyers, so, this crap does not live on those computers very long, and, as a matter of fact, the last one I looked at did much the same thing, but with a Microsoft results page that was a little more helpful than the Dell/Google page, it only had three sponsored listings and a most popular products listing before the search results. OpenDNS is a service users have to go get, and they do much the same thing, but they are way more friendly on their results page, adding a “did you mean this” link, like when you misspell something, at the top, and the search results right below it, with the sponsored listings on the right, much like the default Google search page. So, lots of commenters are saying OpenDNS only brought it up because they are in competition and that they are trying to make it sound worse than it is by throwing terms around like spyware and saying it is hard to remove. It is easy to find and obviously named in the Add/Remove programs applet in the control panel, so it is not hard to remove.
Danny Sullivan says:
I wouldn’t consider it spyware, but it certainly isn’t friendly ware. But you can understand why some people would think it’s spyware, when their computers seem to be acting in a strange way. Some searches brought up plenty of people who are confused by the software and what it is doing.
One of the most ironic things in all this is to compare what’s happening to the statements Dell and Google have made about consumer choice in the past. When the deal came out in May 2006, Dell said:
Our motivation is to deliver customers tools that enable them to search and organize information quickly and easily, right out of the box…Dell customers will have the option of choosing Microsoft as their default if they prefer. Source: Google & Dell’s Revenue-Generating URL Error Pages Drawing Fire
As Danny said, Google says they just have to change the defaults in IE 7, if they prefer, but that is something that Google said in the past was too hard for people to do. They even argued that Microsoft was taking the choice away from consumers by setting the search default to Microsoft’s search engine, something Google does in Firefox and now Dell computers. Pot meet kettle, kettle meet pot. They said their motivation was to allow their customers to search and organize information quickly, something this search results page does not do, it is geared for the quick cash.
Ryan Naraine says he has pinged Google to ask them about it, and he asks, what if the software has an exploitable software vulnerability? Something I am sure we will find out soon enough.
If you used the phishing filter that was included with IE7, you probably noticed it slowed the browsing experience down a lot, and may have even disabled it, like I did. Microsoft says they have fixed it and have released a patch, that your computer may have already installed depending on your Windows Update settings. The problem was frames, or, just too damn many of them. If you browsed a webpage with lots of frames, or, browsed many frames in a short period of time, it caused the phishing filter to slow down.
To fix this problem, install the latest cumulative security update for IE7 from this webpage: “The computer may respond very slowly as the Phishing Filter evaluates Web page contents in Internet Explorer 7”. All versions are listed at the bottom of the page.
Alternatively, you can disable the phishing filter. Here are the steps involved:
1. Start Internet Explorer 7.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab, and then click Disable Phishing Filter in the Settings list.
4. Click Apply, and then click OK.
5. Restart Internet Explorer 7.
A security vulnerability in how Windows renders cursors and icons is being investigated by Microsoft. This vulnerability affects Windows 2000, 2003, Windows XP, and Windows Vista, but if you already have IE7, you should be okay as the protected mode will protect you. Also, if you use Outlook 2007 you are okay as it uses Microsoft Word to display email messages.
Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.
As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. Source: Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling
Microsoft suggests reading your email in plain text as a workaround.
Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
The changes are applied to the preview pane and to open messages.
Pictures become attachments so that they are not lost.
Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
McAfee Avert Labs Blog has posted a video here.
Do you wish IE7 came with a spell checker? Would you like to be able to open your last closed tab? How about a preview of the webpage you are getting ready to visit? How about inline search? All of these are available as add-ons to Internet Explorer 7, and many more. Firefox is not the only browser you can trick out and make better; there are many other add-ons to IE7 at the Windows Marketplace.
No web browser is perfect, and no web browser does everything just the way everyone wants it to.
Enter add-ons. Also called extensions or plug-ins, add-ons let third-party companies and users with programming skills extend the browser’s functionality in different ways. They are your ticket to a customized web.
Mozilla Firefox is known as the world’s most extensible web browser, which is a big reason for its appeal among web geeks. But users of Microsoft’s Internet Explorer 7, Windows Vista’s native browser, need not be left out in the cold when it comes to add-ons.
Here’s our roundup of the seven best ways to trick out IE7. Source: Seven Best Add-Ons for IE7
VeriSign has started offering bounties for flaws found in IE7 and Windows Vista, and is offering even more for demonstration code, as long as it does not contain a malicious payload. They are offering the reward to get hackers to join their pay-for-flaw program, the Vulnerability Contributor Program.
“Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty. Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products,” iDefense said in a note announcing the bounty.
The company said the motive of the challenge is to “help assuage this uncertainty.”
The rules are straightforward: iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products.
Only the first submission for a given vulnerability will qualify for the payout, and iDefense will award no more than six payments of $8,000.
“If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award,” the company said, stressing that the iDefense team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award.
To qualify, the vulnerability “must be remotely exploitable and must allow arbitrary code execution in a default installation of Vista or IE 7.0. It [must] also exist in the latest version of the two products, with all available patches/upgrades applied.”
Flaws in release candidate or beta versions do not qualify, and iDefense’s rules make it clear that the vulnerability “must be original and not previously disclosed either publicly or to the vendor by another party.”
In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000, based on reliability, quality, readability and documentation, for working exploit code that exploits the submitted vulnerability. “The arbitrary code execution must be of an uploaded non-malicious payload. Submission of a malicious payload is grounds for disqualification from this phase of the challenge,” the company said. Source: eWeek
This is similar to 3Com’s TippingPoint, which runs the Zero Day Initiative; it pays researchers for their unpublished vulnerabilities or exploit code, and the researchers give advance notification. Microsoft, of course, feels this is not the best approach to security, especially since you know it will encourage a little more research, especially if they can figure them out very quickly.
Okay, this is the third time I have written about this vulnerability, twice today, so I can probably say for sure, this will be the last time, until next time, hehe.
It must be important to Secunia, because they opened up a blog today, just for this I assume, since it is the only post.
On Monday 30th October, Secunia published an advisory describing a vulnerability in IE7, which appears to be a legacy from IE6 – and which back in 2004 turned out to affect virtually every single browser on the market.
The vulnerability allows a malicious site to change the content of arbitrary pop up windows.
In 2004 the organizations behind Firefox, Netscape, Opera, Konqueror, OmniWeb, and Safari all confirmed the “Windows Injection” issue to be a vulnerability and subsequently issued fixes for this issue.
IE6 users had to change the “Navigate sub-frames across different domains” setting to protect themselves.
Today, in IE7 this setting has been disabled by default – that is a good thing – but it doesn’t work – that is a bad thing!
That in itself qualifies for at least a “security bug”. Source: Secunia “Security Watchdog” Blog
Microsoft said in their blog entry this wasn’t a vulnerability then and it isn’t one now. Even so, they added the address bar so you could actually see the URL, in case someone did try to hijack your browser, and in 2004, users could change the “Navigate sub-frames across different domains” setting to protect themselves. This is disabled in IE7 by default, yet the browser is still vulnerable to the window injection.
We believe that Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks – isn’t this what Microsoft advertises that IE7 does better than its predecessors?
Yes they should. But, this can’t be too serious of a problem for people, Secunia’s solution says,
“Do not browse untrusted sites while browsing trusted sites.”
Umm, can I be the first to say, duh huh. If you don’t trust a site, why are you there to start with?
Anyway, will be interesting to see what Microsoft says, etc, etc. Welcome to the blogosphere Secunia.
Microsoft responds to the latest vulnerability report from Secunia, we covered it here yesterday, in a post at the Microsoft Security Response Center Blog titled Information on New Address Bar Issue. Apparently, this was a known issue with the way browsers are designed in that browsers are allowed to load pages in browser windows from other sites, this allows them to reuse windows. You’ve all seen it, you click a link, it opens in another window, you go back to click another link, or go to another page and click a link and it opens in the same window, unless you’ve closed it.
Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page’s address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website). In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn’t represent a security vulnerability as we have defined it on our website. Source: Microsoft Security Response Center Blog
Microsoft even said in their post that they looked at how they could make this better for users, and since the user would have to ignore or not see the address bar, if the page changed, that they would add the address bar even in popup windows, so you could always see the actual URL. A lesson to be learned would be you can’t always trust every website you are on.
Now, yesterday, when I posted it, I admit I did not read the whole posting, so I did not realize that it was an old “vulnerability”, I assumed, as many did I’m sure, that it was a new issue. So, I helped spread a little bit of this nonsense, but Secunia should bear most of the responsibility. In their quest to report vulnerabilities, they made it look like it was a new one, at least in my eyes. I will be more observant in the future when looking at their reports. Thanks to Spyware Sucks for letting me know I did not report the whole story.
Secunia has posted another vulnerability in Internet Explorer 7, this one is called Internet Explorer 7 Window Injection Vulnerability, and this is related to a previous vulnerability from IE 6.0, here.
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.
The problem is that a website can inject content into another site’s window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website. Source: Secunia via Faill.com
They have constructed a vulnerability test here, and this has been tested on a fully patched system running Windows XP SP2 and IE7.
The folks over at Read/Write Web just posted an article, Web Browser Face-off, comparing web browsers, including the recent upgrades, IE7 and Firefox 2.0. It’s more of a “roundup” than a face-off, this is not a big review of each browser, just a comparison of their pros and cons. They look at IE7, Firefox 2.0, Safari, Opera, Flock and Maxthon. Anyway, if a good quick comparison of web browsers with no one picked as a winner is what you are looking for, read on.
The last few weeks have been packed with browser action and the two market leaders, Internet Explorer and Firefox, have launched major new versions. So to round out our recent browser coverage, we present the Web Browser Face-off – looking at how all the main browsers compare with each other in terms of features and innovation. We are basically looking for what is unique, interesting – and missing – in each browser.
Right now Microsoft still holds onto its huge market lead, but Firefox is gaining more ground every month. Probably more importantly, there are other major innovators in the browser space – such as the social browser Flock (a Read/WriteWeb sponsor) and the perennial innovator Opera. The Mac browser Safari of course has many passionate supporters, while new kid Maxthon is one to watch.
Regardless of who will prevail in the ‘browser 2.0 wars’, the users will win. While fighting each other, the browser makers innovate and simplify. They increase our productivity by integrating into the browser web concepts such as search, RSS, OPML, micro formats and more. The core browsers are getting slimmer and faster, while extensions that cover a wide range of services are being developed by external parties. Source: Read/Write Web
Over on PCWorld, they compare IE7 to Firefox 2.0 and come up with a winner, even if their reasoning is because one was first to the table with some of its offerings.
Firefox is a global, open-source project, so development has been very swift when compared to Microsoft’s closed-source development of Internet Explorer. We’ve had to wait a very long time between IE6 and IE7, so most users are installing IE7 with high expectations. The good news is that both browsers have seen some significant enhancements in three key areas: user experience, security and web standards. The bad news is that one browser still has better features and standards support than the other.
The better browser is Firefox 2 for two reasons: innovation and ease of use.
Both browsers are loaded with modern productivity features, but while Microsoft is just introducing these features to its browser, Firefox has already had them long enough to refine them, enhance them and make them even easier to use. While Microsoft has added an integrated search box to IE7, Firefox has added auto-suggest query completion and advanced search engine management to its own familiar search box. IE7 can now handle RSS feeds, but Firefox has several options for adding feeds within the browser, a client or your web service of choice. Source: PCWorld
I’m currently using both browsers and like both equally, but I am used to using the big blue E, so my time is mostly one sided, I need to remember to use Firefox. So, I guess I lean more towards IE7 by default, just as some of these people lean towards Firefox. They are both better browsers so you really can’t go wrong.