Malicious SWFs, hacked websites, denial of service attacks... where will it end?
Basically, it won't end. I'm going to cover a few different things in this blog entry.
1. The malicious 1-800-petmeds SWF
Ok, so I've had a look at the 1-800-petmeds SWF and it's the same old, same old. The SWF contains a reference to the malicious URL iexplorer-security.org/?id=324400102.
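You don't have to run a SWF to see where it points. A Flash file is either stored uncompressed (signature "FWS") or with a zlib-compressed body (signature "CWS"), so once the body is inflated the URLs embedded in its ActionScript can be pulled out with a plain string search. The script below is an added example, not the analysis tooling used for this post; the SWF it builds is constructed to carry a single getURL action with a placeholder address and is not the 1-800-petmeds file.

```python
import re
import struct
import zlib

# Anything that looks like an absolute http(s) URL inside the SWF body.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def swf_body(data):
    """Return the uncompressed body of a SWF (everything after the 8-byte header)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    if signature == b"FWS":          # uncompressed
        return data[8:]
    if signature == b"CWS":          # zlib-compressed body (SWF 6 and later)
        return zlib.decompress(data[8:])
    if signature == b"ZWS":          # LZMA-compressed body (SWF 13+): not handled here
        raise ValueError("LZMA-compressed SWF not supported by this example")
    raise ValueError("not a SWF: signature %r" % signature)


def swf_urls(data):
    """Sorted, de-duplicated list of absolute URLs found in a SWF's body."""
    body = swf_body(data)
    return sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(body)})


def build_sample_swf(url, compressed):
    """Constructed test file: minimal SWF header plus one DoAction tag whose
    bytecode is ActionGetURL(url, "_self") followed by ActionEnd.  Not a real sample."""
    url_b = url.encode("ascii")
    get_url = b"\x83" + struct.pack("<H", len(url_b) + 1 + 6) + url_b + b"\x00" + b"_self\x00"
    actions = get_url + b"\x00"                                     # ActionEnd
    do_action = struct.pack("<HI", (12 << 6) | 0x3F, len(actions)) + actions  # long tag header
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + do_action + b"\x00\x00"  # RECT, 12 fps, 1 frame, End
    total = 8 + len(body)                                            # header length field counts the header
    if compressed:
        return b"CWS" + bytes([6]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([6]) + struct.pack("<I", total) + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, swf_urls(fh.read()))
```

Caveat: this only finds URLs stored as literal strings. A SWF that assembles its target at run time (string concatenation, character-code tricks) will show nothing here, and that silence is itself worth noting.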
2. Hacked web sites
Of equal, if not greater, importance at the moment is the ongoing hacking of many web sites and the injection into them of code that tries to infect visitors via various exploits; the latest victim is MSNBC Sports.
There's no way we can predict which site will be hit next, but we can do all we can to make ourselves as safe as possible. With sites such as TrendMicro's virus encyclopedia, McAfee's site, MSNBC Sports, ZDNET, Archive.org, Wired.com, History.com and myriad other sites being compromised, we really do have to assume that any site may be a risk.
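If you run a site, the injections described above usually leave a recognisable footprint in the HTML: a script tag pulling from a host that isn't yours, an iframe sized 1x1 or hidden with CSS, or a Flash object served from somewhere else. The following Python script is an added example (not code from this post) that scans a page for those patterns; the sample page and the allowlist of first-party hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flag markup typical of a compromised page: off-site scripts,
    hidden or tiny iframes, and off-site Flash objects."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []

    def _is_third_party(self, url):
        host = (urlparse(url).hostname or "").lower()   # handles "//host/x" too
        return bool(host) and host not in self.first_party

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        try:
            w = int(attrs.get("width", "100").rstrip("px"))
            h = int(attrs.get("height", "100").rstrip("px"))
        except ValueError:
            return False                                 # percentages etc.: not a size hint
        return w <= 1 or h <= 1

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src") and self._is_third_party(a["src"]):
            self.findings.append(("script", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            if self._is_hidden(a) or (src and self._is_third_party(src)):
                self.findings.append(("iframe", src))
        elif tag in ("embed", "object"):
            src = a.get("src") or a.get("data") or ""
            if src and self._is_third_party(src):
                self.findings.append((tag, src))
        elif tag == "param" and a.get("name", "").lower() == "movie":
            if self._is_third_party(a.get("value", "")):
                self.findings.append(("param/movie", a["value"]))


def scan_html(html, first_party_hosts):
    """Return a list of (element, url) findings for one page."""
    parser = InjectionScanner(first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate resources, one hidden iframe, one off-site SWF.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example-news.com/js/menu.js"></script>
</head><body><h1>Sports</h1>
<iframe src="http://badhost.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<object data="http://cdn.example-news.com/player.swf"></object>
<embed src="http://evil.example/banner.swf" width="468" height="60">
</body></html>"""

FIRST_PARTY = ["www.example-news.com", "cdn.example-news.com"]   # assumed site hosts

if __name__ == "__main__":
    for element, url in scan_html(SAMPLE_PAGE, FIRST_PARTY):
        print("%-12s %s" % (element, url))
```

Run it against a copy of your own front page whenever you deploy, and against any page a reader reports as "doing something odd". It is deliberately noisy about third-party content; a legitimate ad network will show up too, which is fine, because those were the vector in several of the incidents listed above.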
That being said, it is not all doom and gloom - we can fight back, or at least minimize the risk of exposure.
Remember - the criminals are trying to take advantage of known vulnerabilities, many of which have been patched for a long time - e.g. MS06-014, MS07-004, MS06-067 and MS06-057 - and let me tell you, there are some pretty old bulletins in that list. I can only hope that all of my readers are long since patched and safe from such exploits. If you are not, ***WHY THE HELL NOT???***
The criminals are also exploiting vulnerabilities in browser plugins and ActiveX controls, so it is no longer enough to run the latest web browser and keep Windows updated. *All* browser plugins and helper applications (Flash, Java, QuickTime, RealPlayer and anything else you can think of) must be updated regularly, and every toolbar, add-on and ActiveX control must be treated as a potential security risk.
IE7 and IE8 have a "Manage Add-Ons" feature. Use it. Check everything that has been installed. If you don't need it, or don't know if you need it, disable it. If you need it, check for an update.
BTW, IE8 makes it easy to research and identify entries in the Manage Add-Ons window. Simply highlight an add-on, then click on "Search for this add-on via default search provider".
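On a machine you administer, the same inventory can be pulled from the registry without clicking through the dialog, which also lets you run it across a fleet. The script below is an added example, not part of the original post: it lists the Browser Helper Objects and toolbars IE loads at start-up, resolves each CLSID to its display name and DLL, and reports whether the CLSID carries the ActiveX "kill bit" (bit 0x400 of "Compatibility Flags"). It uses only the standard library's winreg module, so the registry part needs Windows; the assess() verdict logic is plain Python and is what the constructed record at the bottom exercises.

```python
"""Inventory Internet Explorer add-ons straight from the registry (added example)."""
try:
    import winreg
except ImportError:            # not Windows: registry reading unavailable, collect() is empty
    winreg = None

# Bit in "Compatibility Flags" that tells IE never to instantiate the CLSID.
KILL_BIT = 0x400

# Registry paths IE consults (read in the 32-bit view, where IE's add-ons are registered).
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Toolbar"
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def _open(hive, path):
    return winreg.OpenKey(hive, path, 0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY)


def _subkeys(hive, path):
    """Yield subkey names; a missing key is treated as empty."""
    try:
        with _open(hive, path) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                yield winreg.EnumKey(key, i)
    except OSError:
        return


def _value_names(hive, path):
    try:
        with _open(hive, path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                yield winreg.EnumValue(key, i)[0]
    except OSError:
        return


def _default_value(hive, path):
    try:
        with _open(hive, path) as key:
            return winreg.QueryValue(key, None) or ""
    except OSError:
        return ""


def _compat_flags(clsid):
    try:
        with _open(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY + "\\" + clsid) as key:
            return int(winreg.QueryValueEx(key, "Compatibility Flags")[0])
    except OSError:
        return 0


def describe(clsid, kind):
    """Resolve a CLSID through HKCR (the merged HKLM/HKCU class view) into a record."""
    root = winreg.HKEY_CLASSES_ROOT
    return {
        "kind": kind,
        "clsid": clsid,
        "name": _default_value(root, r"CLSID\%s" % clsid),
        "dll": _default_value(root, r"CLSID\%s\InprocServer32" % clsid),
        "flags": _compat_flags(clsid),
    }


def collect():
    """Records for every BHO and toolbar registered machine-wide."""
    if winreg is None:
        return []
    hklm = winreg.HKEY_LOCAL_MACHINE
    items = [describe(c, "BHO") for c in _subkeys(hklm, BHO_KEY)]
    items += [describe(v, "toolbar") for v in _value_names(hklm, TOOLBAR_KEY)
              if v.startswith("{")]
    return items


def assess(item):
    """One-line verdict: what an admin should do with this record."""
    if item["flags"] & KILL_BIT:
        return "kill bit set: IE will not instantiate it"
    if not item["dll"]:
        return "no InprocServer32: orphaned or broken registration"
    return "loads with every IE start: verify the publisher and version, or disable it"


# Constructed record (placeholder CLSID, not a real control) to show the verdict logic.
SAMPLE_RECORD = {"kind": "BHO", "clsid": "{00000000-0000-0000-0000-000000000001}",
                 "name": "Example Helper", "dll": r"C:\Example\helper.dll", "flags": 0}

if __name__ == "__main__":
    for it in collect() or [SAMPLE_RECORD]:
        print("%-8s %s  %s\n         %s\n         -> %s" % (
            it["kind"], it["clsid"], it["name"] or "(no name)", it["dll"] or "(no DLL)", assess(it)))
```

For each DLL the script prints, check where it lives and who signed it (on Windows, Get-AuthenticodeSignature in PowerShell does that); a helper loaded from a temp or profile directory, or with no valid signature, is exactly the kind of entry the "disable it if you don't know what it is" rule is for.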
What about Firefox?
Users of Firefox, Flock, SeaMonkey and other Mozilla-based browsers are often advised to install NoScript (http://noscript.net/) BUT (there is always a but) I am concerned when I see NoScript being held out as a panacea - it is certainly an excellent improvement, but it is no cure. Why? Because of the risks introduced by normal human behaviour and social engineering.
At noscript.net it says "you can enable javascript, java and plugin execution for sites you trust with a simple left click on the noscript status bar icon, or using the contextual menu". My question is this... how do you know which sites to trust and what happens if a site you trust is hacked?
For example, do you trust MSNBC Sports? ZDNET? TrendMicro? McAfee? forum.avast.com? Computer Associates? Monster.com? The official United Nations web site? spreadfirefox.com? Circuitcity? Audi Taiwan? Asus Taiwan? Yahoo India? Neowin? *All* of those sites have been compromised.
For what it's worth, I say the same thing to people who advocate locking down Internet Explorer's Internet Zone by setting very high security levels, thereby forcing their users to add myriad sites to IE's trusted zone so that they will work properly - again, what happens when a "trusted" site is compromised?
3. Denial of service attacks
I'm sure we all remember how CastleCops suffered under a sustained DDoS. Tonight I read that DSLreports.com is being attacked.
You can see their alert here:
http://www.dslreports.com/front/shutdown.html
And, more interestingly, a list of the IP addresses of the attacking computers here:
http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn
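A published list of attacking addresses is most useful when you check it against your own logs: if the same machines are hitting your site, you are looking at the same botnet. The script below is an added example, not code from this post or from DSLreports. It parses such a list (single addresses or CIDR blocks, comments tolerated), matches the source address of each web server access-log line against it, and can emit iptables drop rules. Both the address list and the log lines are constructed samples, not the real list linked above.

```python
import ipaddress
import re
from collections import Counter

# Constructed attacker list: one entry per line, comments and junk tolerated.
ATTACKER_LIST = """\
# example attacker addresses (constructed, documentation ranges)
192.0.2.15
192.0.2.77
198.51.100.0/24
not-an-address
"""

# Constructed combined-format access log lines.
ACCESS_LOG = """\
203.0.113.9 - - [10/Mar/2008:02:14:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2008:02:14:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.42 - - [10/Mar/2008:02:14:02 +0000] "GET /front/ HTTP/1.0" 200 0 "-" "-"
192.0.2.15 - - [10/Mar/2008:02:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [10/Mar/2008:02:14:03 +0000] "GET /forum HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_SOURCE = re.compile(r"^(\S+) ")   # first field of a combined-format line


def load_attackers(text):
    """Split an attacker list into a set of single addresses and a list of networks."""
    hosts, nets = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                       # malformed entry: skip, don't abort the run
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            nets.append(net)
    return hosts, nets


def is_attacker(ip_text, hosts, nets):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip in hosts or any(ip in net for net in nets)


def match_log(log_text, hosts, nets):
    """Count hits per attacker address found in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_SOURCE.match(line)
        if m and is_attacker(m.group(1), hosts, nets):
            hits[m.group(1)] += 1
    return hits


def drop_rules(hosts, nets, chain="INPUT"):
    """iptables rules dropping every listed address and block (v4 before v6, then numeric)."""
    targets = sorted(hosts, key=lambda a: (a.version, int(a)))
    targets += sorted(nets, key=lambda n: (n.version, int(n.network_address)))
    return ["iptables -A %s -s %s -j DROP" % (chain, t) for t in targets]


if __name__ == "__main__":
    hosts, nets = load_attackers(ATTACKER_LIST)
    for addr, count in match_log(ACCESS_LOG, hosts, nets).most_common():
        print("%-16s %d hits" % (addr, count))
    print("\n".join(drop_rules(hosts, nets)))
```

One caveat before you paste the rules in: a host firewall only stops packets after they have already crossed your link. Against a flood that is saturating bandwidth, the blocking has to happen upstream, at your provider or a scrubbing service; the rules above are for keeping the bots off your application once the pipe is no longer the bottleneck.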
Screenshots
Manage Add-Ons in IE7 (btw, the reason there are only two controls in the IE7 screenshot is because it is a screenshot taken from an almost-bare-metal machine image which I use for testing malicious banner advertisements).
Manage Add-Ons IE8 - note how several that I do not have a current use for are disabled.
