<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Spyware Sucks : Internet Explorer 7, Security, safety and privacy on the Internet</title><link>http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx</link><description>Tags: Internet Explorer 7, Security, safety and privacy on the Internet</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time</title><link>http://msmvps.com/blogs/spywaresucks/archive/2008/12/17/1656924.aspx</link><pubDate>Tue, 16 Dec 2008 21:14:56 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1656924</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=1656924</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2008/12/17/1656924.aspx#comments</comments><description>&lt;p&gt;Announcement here:&lt;br /&gt;&lt;a title="http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx" target="_blank" href="http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx"&gt;http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx&lt;/a&gt;&lt;/p&gt; &lt;p&gt;The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:&lt;br /&gt;&lt;a 
title="http://www.microsoft.com/technet/security/advisory/961051.mspx" target="_blank" href="http://www.microsoft.com/technet/security/advisory/961051.mspx"&gt;http://www.microsoft.com/technet/security/advisory/961051.mspx&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1656924" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+8/default.aspx">Internet Explorer 8</category></item><item><title>Don't take the bait - Internet Explorer 7 tools help you recognize phishing scams</title><link>http://msmvps.com/blogs/spywaresucks/archive/2007/08/05/1085732.aspx</link><pubDate>Sun, 05 Aug 2007 02:06:21 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1085732</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=1085732</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2007/08/05/1085732.aspx#comments</comments><description>&lt;p&gt;My latest column for the Windows Help and How-to Community is now live.  
&lt;p&gt;&lt;em&gt;&amp;quot;With more and more people using Internet banking and other online financial services, the number of con artists trying to separate us from our hard-earned savings has grown. People who are new to these services—including some of my own family members and friends—can find it hard to recognize e‑mail phishing scams that try to steal their personal and financial information. Such &amp;quot;street smarts&amp;quot; are only gained through time and experience, and even people with that experience can still be fooled. &lt;/em&gt; &lt;p&gt;&lt;em&gt;So, how can you protect yourself and your close relations from theft and deceit in the online world, especially if you&amp;#39;ve never encountered a phishing scam? For starters, you can use Windows Internet Explorer 7 and its built-in Phishing Filter.&amp;quot;&lt;/em&gt;  &lt;p&gt;You can see the rest of the article here&lt;br /&gt;&lt;a href="http://windowshelp.microsoft.com/Windows/en-US/Help/88c0193b-ccdc-4242-90d3-bce75f4368b71033.mspx" target="_blank"&gt;http://windowshelp.microsoft.com/Windows/en-US/Help/88c0193b-ccdc-4242-90d3-bce75f4368b71033.mspx&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1085732" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category></item><item><title>Update on IE7 and MSN/Windows Live Toolbar's Phishing Filter statistics</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/08/26/109793.aspx</link><pubDate>Sat, 26 Aug 2006 09:52:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:109793</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=109793</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/08/26/109793.aspx#comments</comments><description>&lt;P&gt;Microsoft's Phishing Filter is proving to be quite a success, thanks not only to all of the IE7 and MSN/Windows Live&amp;nbsp;Toolbar users who are actively reporting phishing sites, but also thanks to data sharing between MS and third party data sources.&lt;/P&gt;
&lt;P&gt;Recently MS have been adding up to &lt;STRONG&gt;17,000&lt;/STRONG&gt; URLs a month to its Phishing Filter service.&amp;nbsp; This figure is sure to continue to grow as more people use IE7 and MS adds new data provider partners.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;From February to Mid Aug 2006 the Phishing Filter helped block over &lt;STRONG&gt;800,000&lt;/STRONG&gt; instances of people trying to access reported phishing websites using IE7 or MSN/Windows Live&amp;nbsp;Toolbar.&amp;nbsp; This figure includes almost 500,000 blocks since IE7 Beta 2 was released.&lt;/P&gt;
&lt;P&gt;Finally, IE7 users are reporting up to &lt;STRONG&gt;4,500&lt;/STRONG&gt; potential phishing sites per week.&lt;/P&gt;
&lt;P&gt;The &lt;A href="http://www.antiphishing.org/"&gt;Anti-Phishing Working Group&lt;/A&gt; reported 12,000 new unique (base URL) phishing sites just during the month of &lt;A href="http://www.antiphishing.org/reports/apwg_report_May2006.pdf"&gt;May&lt;/A&gt;.&amp;nbsp; It also reported 215 unique variants of phishing based trojans or keyloggers, hosted on 2,100 unique (base URL) phishing sites.&lt;/P&gt;
&lt;P&gt;The fact that keyloggers and trojans are becoming more prevalent on phishing sites shows why it is so very important that users don't go anywhere near phishing sites, even if they have absolutely no intention of handing over their personal information, and why services such as Microsoft's Phishing Filter&amp;nbsp;are providing such an important service.&amp;nbsp; It is no longer enough to simply warn somebody about the domain they are on (e.g., services such as those provided by Spoofstick).&lt;/P&gt;
&lt;P&gt;On a related note, Ed Bott checked out Firefox's phishing filter, and the results were not that good (&lt;A href="http://www.edbott.com/weblog/?p=1419"&gt;http://www.edbott.com/weblog/?p=1419&lt;/A&gt;).&amp;nbsp; Ed says:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)"&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Ed also has an excellent Image Gallery comparing IE7 and Firefox's various security features.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;I have one important question.&amp;nbsp; Does the Firefox phishing filter block access to known phishing sites, or does it only warn you after the page loads?&amp;nbsp; If the latter, the service is simply not sufficient protection, considering the&amp;nbsp;increasing prevalence of keyloggers and trojans hosted on phishing sites.&lt;/P&gt;
&lt;P&gt;I also note that Firefox gives you the option of using a downloadable "regularly updated" blacklist of bad sites or a dynamic checking service via Google.&amp;nbsp; Frankly, I would not use the downloadable list.&amp;nbsp; Phishing sites appear and disappear so quickly that a downloaded blacklist that must be updated, simply isn't sufficient.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=109793" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category></item><item><title>Internet Explorer Protected Mode and other stuff...</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/08/06/106864.aspx</link><pubDate>Sun, 06 Aug 2006 03:46:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:106864</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=106864</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/08/06/106864.aspx#comments</comments><description>&lt;P&gt;For your viewing pleasure.. an excellent video from TechEd&lt;/P&gt;
&lt;P&gt;Windows Vista System Integrity Technologies&lt;BR&gt;&lt;A href="http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=223"&gt;http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=223&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Steve Riley is a fun presenter... messy blonde hair, sneakers, red pants, blue shirt, shell fragment necklace, leather wrist bands with tassels and earring &lt;img src="/emoticons/emotion-1.gif" alt="Smile" /&gt;&lt;/P&gt;
&lt;P&gt;My primary interest, when looking at this video with a mind to highlighting it on my blog, was its relevance to IE7.&amp;nbsp; That being said, there are a lot of gems in Steve's presentation.&lt;/P&gt;
&lt;P&gt;I do recommend, if you are technically inclined, that you watch the entire video (but be warned, it's more than an hour long).&amp;nbsp; If you don't want to sit through the entire thing, you can jump straight to the section where Steve explains how Protected Mode for Internet Explorer in Windows Vista helps protect users from the bad guys when they are surfing the internet.&lt;/P&gt;
&lt;P&gt;Basically, a user will have to approve up to *three* different dialogue boxes for programmes sourced from the Internet.&amp;nbsp; He or she will have to say:&lt;/P&gt;
&lt;P&gt;1) Yes, I want to run that programme...&lt;BR&gt;2) Yes, I trust the Web site that I got the programme from... &lt;BR&gt;3) Yes, I want to give that application Full (User) Privileges...&lt;/P&gt;
&lt;P&gt;Steve says &lt;EM&gt;"what is the problem that we're trying to solve here... when somebody downloads some attachment and it has some sexually formatted subjectline "click here to see the dancing pigs".. those dancing pigs will win every time won't they... people don't know how to be secure so we have to do it for them..."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;As much as I *dislike* the phrase, there are people out there who just want to see the "dancing pigs" and will say yes to anything and everything to obtain access to said pigs. For them, three prompts will not be enough to stop them from infecting their machines.&amp;nbsp; Heck, they may even complain about the inconvenience.&amp;nbsp; But you know what?&amp;nbsp; MS can only go so far to protect people from themselves.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;After years of very vocal "Windows is too insecure" complaints there are some who complain about how much harder Vista makes things for developers and users - for example:&lt;BR&gt;&lt;A href="http://www.msgpluslive.net/news/2006/08/05/opinions-on-windows-vistas-release-date/"&gt;http://www.msgpluslive.net/news/2006/08/05/opinions-on-windows-vistas-release-date/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;It's a little ironic that Patchou is complaining about difficulties when working in Vista, considering the ongoing battle to stop malware being distributed via his sponsor programme (stopping the spread of malware being one of the primary reasons behind the tightening up of security in Vista).&lt;/P&gt;
&lt;P&gt;I disagree with Patchou... I say bring on Vista.&amp;nbsp; Reality is that malware pushers are not going to go away voluntarily, nor will people stop trying to earn an income from the pop-ups or banner ads that are used as a conduit to computers by the malware pushers.&amp;nbsp; The bad guys are not going to give up their income stream willingly, and they will continue to look for ways to get their wares on to as many machines as possible, including by deceiving those selling pop-up and banner advertising space.&amp;nbsp;&amp;nbsp;There are people&amp;nbsp;who need to generate an income via pop-ups and sponsors and who have every intention of refusing malware pushers access to their advertising space, but reality is the bad guys are getting in there anyway.&lt;/P&gt;
&lt;P&gt;Attempted malware download via MP Sponsor Programme generated popups:&lt;BR&gt;&lt;A HREF="/blogs/spywaresucks/archive/2006/06/30/103407.aspx"&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/06/30/103407.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The bad guys use a myspace banner ad to spread malware:&lt;BR&gt;&lt;A HREF="/blogs/spywaresucks/archive/2006/07/21/105450.aspx"&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/07/21/105450.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Myspace again - this time it's embedded videos and Zango:&lt;BR&gt;&lt;A href="http://www.vitalsecurity.org/2006/07/interview-with-zango-myspace-affiliate.html"&gt;http://www.vitalsecurity.org/2006/07/interview-with-zango-myspace-affiliate.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;During Steve's presentation he talks about how he did not reduce the privileges granted to his wife's user account, which was a local administrator account, and how his wife's computer was therefore vulnerable to, and ended up being infected by, malware ... (Steve mentions that Jesper makes his wife and children run as guest), but Jesper's willingness to lock down his systems is an exception, rather than standard operating procedure out there in the world.&lt;BR&gt;&lt;A href="http://blogs.technet.com/jesper_johansson/archive/2006/06/22/438316.aspx"&gt;http://blogs.technet.com/jesper_johansson/archive/2006/06/22/438316.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We have to get used to UAC and no longer being King on our computers.&amp;nbsp; As Steve said, there is no such thing as perfect, hack proof or impenetrable (tell that to some of the Linux/Firefox apologists).&amp;nbsp; He also says &lt;EM&gt;"For every way you can think of to stop a bad guy the bad guy will think of another way. You can't.&amp;nbsp; You cannot know everything that is bad. But what do you know? You know everything that is good... So why not make a statement of what you allow based on what you know is good and then by default block everything else."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;His comments remind me of Peter Tippett and what he said years ago (Peter Tippett, by the way, apparently developed the product that eventually became Norton Antivirus).&lt;/P&gt;
&lt;P&gt;Back in May 2005 I reported on a magazine article about Peter in which Peter said:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"The first version I produced stopped any virus that could be produced. 'No updates required' was the byline.&amp;nbsp; It recorded the state of all software on your system and anything new just wouldn't run ... As an afterthought we added virus signature scanner and sold it to Symantec. ... Symantec felt that nobody could understand the generic new software-blocking stuff, so that feature quietly dropped away.”&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;A HREF="/blogs/spywaresucks/archive/2005/05/05/45762.aspx"&gt;http://msmvps.com/blogs/spywaresucks/archive/2005/05/05/45762.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We have now reached the stage where needing to stop the bad guys outweighs the need to make things easy for those who cannot understand the "generic new software-blocking stuff" or want to be King on their computer.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=106864" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category></item><item><title>Thanks Ian! I enjoyed the giggle :)</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/06/23/102522.aspx</link><pubDate>Fri, 23 Jun 2006 00:00:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:102522</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=102522</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/06/23/102522.aspx#comments</comments><description>&lt;P&gt;One of my loyal readers pointed me to this site, coincidentally after reading my blogpost about the Bit9 assessment which placed Firefox 1.0.7 as the most dangerous non-malicious software out there:&lt;BR&gt;&lt;A href="http://www.cweiske.de/"&gt;&lt;FONT color=#0000ff&gt;&lt;STRONG&gt;http://www.cweiske.de/&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;It seems the owner/author doesn't like IE and is blocking access to IE users. That's his prerogative but it's awfully short-sighted.&amp;nbsp; Why? Because IE7 is a massive improvement in security and CSS compliance - because Firefox is becoming a bigger target and the bad guys are targeting it more often and if not kept right up to date leaves its users at risk&amp;nbsp;- because even Opera is exploited (&lt;A href="http://www.frsirt.com/english/advisories/2006/1262"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;recent example&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;)&lt;/P&gt;
&lt;P&gt;On further thought, although I did giggle when I first saw the page, now that I've thought further about it the giggling has stopped.&lt;/P&gt;
&lt;P&gt;The author says Opera and Firefox are "better" - how are they better?&amp;nbsp; Better CSS compliance?&amp;nbsp; IE7 has taken great strides in addressing that problem.&amp;nbsp; Are the alternative browsers&amp;nbsp;"safer"?&amp;nbsp; No they are not.&amp;nbsp; As has been said in the past, all the bad guys need is *one* exploit.&amp;nbsp; Firefox and Opera can be and have been targeted - in fact just recently there was a hostile circulating that was &lt;A HREF="/blogs/spywaresucks/archive/2006/06/16/101670.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;targeting IE *and* Firefox exploits&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;It is dangerous to tell somebody to stop using IE because it is a "paradise for virus programmers" and point them to Opera and Firefox without also warning them to regularly check for security updates for those browsers and practice safe hex.&amp;nbsp; Firefox and Opera are also subject to exploits and vulnerabilities - it concerns me when I see sites that forget to mention that fact.&amp;nbsp; At least with Internet Explorer, if you have Automatic Updates enabled you will be notified of the latest security updates.&lt;/P&gt;
&lt;P&gt;The fanboys need to stop saying "use this - its better".&amp;nbsp;&amp;nbsp;They need to say&amp;nbsp;"use this - its better - but make sure you check back regularly for security updates and patches, and always practice safe hex".&amp;nbsp;&amp;nbsp; Windows Update does not patch Firefox or Opera or any other alternative browser.&amp;nbsp; You have to look after yourself.&amp;nbsp; Remember that.&amp;nbsp; If your friends are using an older version of Firefox, especially one that does not have an inbuilt update ability, warn them that they have to go out and get those updates.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=102522" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category></item><item><title>Fix: Internet Explorer freezes when using the drop-down address bar list when the fix described in KB908531 is installed</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/04/14/90914.aspx</link><pubDate>Fri, 14 Apr 2006 05:28:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:90914</guid><dc:creator>sandi</dc:creator><slash:comments>10</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=90914</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/04/14/90914.aspx#comments</comments><description>&lt;SPAN&gt;&lt;FONT face=Calibri&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;&lt;EM&gt;Note, HP and Kerio are NOT the only software affected by the problems described in the KB article 918165.&amp;nbsp; Older NVIDIA software is also implicated, and as the KB article states, there may be other third party COM controls or shell extensions causing a problem. In short, don't assume that just because you don't have NVIDIA, HP or Kerio that you'll be safe or that your problems can't be caused by the MS06-015 update.&amp;nbsp; I have personal experience of people being hit by this problem who have none of that software:&lt;BR&gt;&lt;/EM&gt;&lt;A href="http://support.microsoft.com/kb/918165"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;&lt;EM&gt;http://support.microsoft.com/kb/918165&lt;/EM&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;(I have no idea why Stephen ***'s surname doesn't appear properly - all I see is three stars instead of a surname...)&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;&lt;A href="http://groups.google.com/group/microsoft.public.windows.inetexplorer.ie6.browser/msg/094143b42d0c3ca2"&gt;&lt;FONT color=#0000ff&gt;Stephen *** of Microsoft has posted to ie6.browser newsgroup&lt;/FONT&gt; &lt;/A&gt;regarding a known problem with MS06-015 / KB908531 wherein Internet Explorer may freeze when you attempt to use the drop-down list in the Address Bar.&amp;nbsp; MS have tracked down the cause of the problem, and it is widespread enough to be deserving of publicity.&amp;nbsp; I am sure Stephen will forgive me for quoting him verbatim rather than sending you off to the newsgroup via Outlook Express or the Communities Web Interface.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;&amp;lt;quote&amp;gt; &lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;We've determined that the majority of the issues people are having with MS06-015 / KB908531 are due to a bad interaction between the security update and a software component included with various HP hardware devices, including but not limited to printers, scanners, and cameras. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;Here are two fixes which should fix problems caused by the interaction with the HP software:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;Option 1 - Modify the registry&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;BR&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;------------------------------&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- (If you have multiple user accounts set up) Log onto the computer using an account with Administrator privileges&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Click the Start button, then click Run and type "regedit" at the prompt, without the quotes; this will start Registry Editor&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Locate the &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached key in Registry Editor&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Right click on the key and select New / DWORD Value&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Rename the resulting value "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401", without the quotes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Right click the value, select Modify, and type "1" into the Value Data field&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Close Registry Editor&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;Option 2 - Kill the HP process&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;BR&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;------------------------------&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Wait until Internet Explorer, Windows Explorer, or whichever component is encountering problems is in an unresponsive state&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Click the Start button, then select Run and type "taskmgr" at the prompt, without the quotes; this will start Task Manager&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;- Locate any instances of hpgs2wnd.exe or hpgs2wnf.exe in Task Manager, then right click on them and select End Process&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;(Note: Option 2 may disable some HP device-specific functionality until you restart your computer.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;If your computer is not currently unresponsive, you should only have to do Option 1 or Option 2, not both.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;If your computer is currently unresponsive, you should be fixed by doing Option 2.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;o:p&gt;&lt;FONT face=Calibri&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;I'm very sorry about the inconvenience this has caused you all; hopefully this will get things back on track.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;Please note that MS06-015 fixes a critical security vulnerability, so it's very important that you reinstall it as soon as possible if you've uninstalled it.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;Please also keep in mind that disabling Auto Update will leave your computer unprotected even after we release security updates.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;I understand that this experience has been very frustrating for many of you, but I really must still strongly recommend that you leave Auto Update enabled for your own safety. &amp;lt;/quote&amp;gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;SPAN&gt;&lt;FONT face=Calibri&gt;Addendum:&lt;SPAN&gt;&amp;nbsp; &amp;lt;quote&amp;gt; &lt;/SPAN&gt;Actually, it appears that I spoke too soon.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;Option 2 will correct the problem for the logged-in user, but not for all users on a computer with multiple user accounts.&lt;SPAN&gt;&amp;nbsp; &lt;/SPAN&gt;For that reason, Option 1 is the preferred option. &amp;lt;/quote&amp;gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=90914" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category></item><item><title>The eEye hack for the createTextRange vulnerability</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/03/29/88277.aspx</link><pubDate>Tue, 28 Mar 2006 23:25:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:88277</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=88277</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/03/29/88277.aspx#comments</comments><description>&lt;P&gt;Summary:&amp;nbsp; My advice? Don't install it.&lt;/P&gt;
&lt;P&gt;(Please forgive any grammatical or logical flow errors - I'm running real short of time but wanted to get this live before starting my work day).&lt;/P&gt;
&lt;P&gt;Two MS security bloggers have mentioned the eEye "patch" that protects against the createTextRange vulnerability.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/msrc/default.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://blogs.technet.com/msrc/default.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;BR&gt;&lt;A href="http://blogs.technet.com/ms_schweiz_security_blog/default.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://blogs.technet.com/ms_schweiz_security_blog/default.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Both bloggers recommend that the patch not be installed.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Ok, I admit - the vulnerability is being exploited. That's bad.&amp;nbsp; But, at the same time we need to have a realistic look at what is going on and compare risk to reward.&amp;nbsp; On balance, after considering all the information I'm privy to (public and private) I have to say that I agree - do not install the third party patch.&lt;/P&gt;
&lt;P&gt;Historically, third party patches and hacks have been problematic.&amp;nbsp; Let's look at a couple of recent examples.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;U&gt;WMF Exploit hack&lt;/U&gt;&lt;BR&gt;The WMF exploit patch was messy - to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection).&amp;nbsp; The changed file was also causing Windows Update to offer old security patches.&amp;nbsp; Deregistering shimgvw.dll stopped Windows Picture and Fax Viewing from working.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;U&gt;The IE6/IE7 side by side hack&lt;/U&gt;&lt;BR&gt;The IE6/IE7 side by side hack caused various symptoms, including opening a browser window that promptly hangs IE, opening links that render blank, and multiple windows opening when initiating a browser session.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;The eEye hack (I refuse to call it a patch) doesn't fix the createTextRange vulnerability... it messes around with how Windows works.&amp;nbsp; We have no way of knowing what may be broken by this change.&lt;/P&gt;
&lt;P&gt;"Ah, but at least I'll be safe" I hear you say.&amp;nbsp; "Safe from what?" says I.&amp;nbsp; Let me explain.&lt;/P&gt;
&lt;P&gt;First, according to &lt;A href="http://www.microsoft.com/technet/security/advisory/917077.mspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/technet/security/advisory/917077.mspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt; "Antivirus companies indicate that attacks that exploit this vulnerability are being effectively mitigated by antivirus software with up-to-date signatures".&amp;nbsp; The antivirus companies that have confirmed they provide protection against known vectors include:&lt;/P&gt;
&lt;P&gt;Symantec&lt;BR&gt;Computer Associates&lt;BR&gt;McAfee&lt;BR&gt;F-Secure Corporation&lt;BR&gt;Panda Software International&lt;BR&gt;Aladdin&lt;BR&gt;Sophos&lt;BR&gt;Eset Software&lt;BR&gt;Trend Micro&lt;BR&gt;Windows Live OneCare&lt;BR&gt;&amp;nbsp;&lt;BR&gt;Do you have up-to-date antivirus? Does it detect files that attempt to exploit the vulnerability?&amp;nbsp; If so, why take the risk with a third party hack?&lt;/P&gt;
&lt;P&gt;Second, sure, there are lists going around warning that there are hundreds of sites that are taking advantage of the exploit.&amp;nbsp; But, actually hitting one of those sites is needle-in-a-haystack stuff.&amp;nbsp; Seriously.&amp;nbsp; I've seen real-world, what's-actually-happening statistics that convince me that the risk of being hit by the exploit is not sufficient to risk damage that may be caused to a system's operation by the eEye changes.&lt;/P&gt;
&lt;P&gt;On balance, considering the fact that MS and law enforcement have been very proactive in getting exploit sites shut down, considering the fact that there are not "hundreds" of sites out there (the number is far lower than that), considering the list of antivirus programmes that protect against known vectors, considering the fact that you'll have to be *real* unlucky to hit one of the sites that is still live without being taken by the hand and shown how to get there, and considering there are safer ways to protect yourself against the risk of exploit (disable active scripting or set to prompt), I say don't install the patch.&lt;/P&gt;
&lt;P&gt;BTW, SANS Internet Storm Centre agrees - not with me per se, but with the risk assessment that the eEye patch shouldn't be installed:&lt;BR&gt;&lt;A href="http://www.incidents.org/diary.php?storyid=1226"&gt;&lt;STRONG&gt;http://www.incidents.org/diary.php?storyid=1226&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=88277" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category></item><item><title>Confirmed: createTextRange vulnerability is being exploited</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/03/25/87737.aspx</link><pubDate>Sat, 25 Mar 2006 11:21:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:87737</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=87737</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/03/25/87737.aspx#comments</comments><description>&lt;P&gt;&lt;A href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&amp;amp;VSect=P"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&amp;amp;VSect=P&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;I do note on the diagram that it stipulates that only&amp;nbsp;the "January edition" of Internet Explorer 7 Beta 2 Preview is vulnerable.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;There has been a lot of confusion about whether the March build (that is, 5335.5) is vulnerable to the createTextRange exploit because, despite the MS Security Blog and the Technet article noting that IE7 Beta 2 Preview Mix06 Build is not affected, other sites stated that the IE7 Beta 2 Preview was affected without stipulating build, and some stated IE7 Beta 2 (not the&amp;nbsp;Preview) was vulnerable ... umm, guys... IE7 Beta 2 hasn't been released to the public yet.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Now, if only MS would update their own advisory (&lt;A href="http://www.microsoft.com/technet/security/advisory/917077.mspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/technet/security/advisory/917077.mspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;) which, although it states that the IE7 build released on March 20 is not affected, does not list earlier versions of IE7 in the "Related Software" list.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=87737" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category></item><item><title>TrendMicro Antispyware for the Web causing issues again - this time nuking the Windows Genuine Validation Tool</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/03/11/85979.aspx</link><pubDate>Sat, 11 Mar 2006 00:46:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:85979</guid><dc:creator>sandi</dc:creator><slash:comments>2</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=85979</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/03/11/85979.aspx#comments</comments><description>&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#ff0000&gt;Important Update: &lt;a 
href="http://msmvps.com/blogs/spywaresucks/archive/2006/03/15/86345.aspx"&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/03/15/86345.aspx&lt;/A&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;
&lt;P&gt;This could prove to be a very serious problem.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;The Windows Genuine Advantage Validation Tool *must* be installed before many downloads are made available to users via Windows Update and the Download Centre.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Trend Micro Antispyware for the Web&amp;nbsp;is&amp;nbsp;detecting the Windows Genuine Advantage Validation Tool KB892130&amp;nbsp;CLSID as Adware_iSearch.&amp;nbsp; Once the CLSID is deleted by TMAS, the user will be re-prompted to download KB892130 the next time he or she goes to Windows Update.&lt;/P&gt;
&lt;P&gt;Check out this thread:&lt;BR&gt;&lt;A href="http://aumha.net/viewtopic.php?t=18492&amp;amp;postdays=0&amp;amp;postorder=asc&amp;amp;start=0"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://aumha.net/viewtopic.php?t=18492&amp;amp;postdays=0&amp;amp;postorder=asc&amp;amp;start=0&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;I'm going to pass this on to George&amp;nbsp;and Andy at Trend... we need to make sure that the SMB product is not being affected in the same way - I'm betting it is.&lt;/P&gt;
&lt;P&gt;Generally the Corporate (SMB) version is updated very quickly when false positives like this are found.&amp;nbsp; Those responsible for the&amp;nbsp;consumer space, including the online web scan,&amp;nbsp;are much slower to react.&amp;nbsp; &lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2005/06/22/54453.aspx"&gt;&lt;FONT color=#0000ff&gt;&lt;STRONG&gt;Trend's history of delay&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/A&gt;&lt;STRONG&gt; in fixing false positives in the consumer versions of Antispyware&amp;nbsp;will be a big problem this time.&amp;nbsp; Please guys, let's get this sorted damned fast.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Charles (aka Chasbox in the&amp;nbsp;aumha.net forum)&amp;nbsp;did very well to draw the connection between TMAS and the Windows Update problem he is seeing. I've confirmed the problem on several PCs.&lt;/P&gt;
&lt;P&gt;Here is the alert.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src="/photos/spyware_sucks/images/85969/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;The threat details:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src="/photos/spyware_sucks/images/85972/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;The CLSID key being flagged:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src="/photos/spyware_sucks/images/85974/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;The key you see is the *only* entry in the Ext folder, therefore must be the source of the alert.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#ff0000&gt;DO NOT ALLOW THE TREND PROGRAMME TO DELETE THE CLSID&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;BTW, Trend Micro Antispyware&amp;nbsp;on the Web seems to be broken in IE7, at least it is for me... had to fire up IE6 on another PC on my network to confirm the false positive.&amp;nbsp; It's a bit hard to select 'Start Scan' when there's no scan button to click on... ;o)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src="/photos/spyware_sucks/images/85977/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#000000&gt;------------------------------------------------------------------------------&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#000000&gt;Update - 12 March 06, 12.10am Perth, WA time (+0800): The false positive has, apparently, been fixed for the &lt;U&gt;packaged product&lt;/U&gt; (pattern 3.31) since 10 March, but NOT the online scan.&amp;nbsp; I know, because I tested the online scan 10 minutes ago.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#000000&gt;This is a source of ongoing frustration to me.&amp;nbsp; The packaged product is fixed quickly when a false positive is found, but the online scan can be left, at times, for months.&amp;nbsp; I despair.&lt;/FONT&gt;&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=85979" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/I+ain_2700_t+happy+about+this_2E00__2E00__2E00__2E00__2E00_/default.aspx">I ain't happy about this.....</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer/default.aspx">Internet Explorer</category></item><item><title>Follow the leader: Firefox and Phishing Filters</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/03/09/85808.aspx</link><pubDate>Thu, 09 Mar 2006 11:59:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:85808</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=85808</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/03/09/85808.aspx#comments</comments><description>&lt;P&gt;Ok, so Firefox is going to introduce a "Phishing Shield":&lt;BR&gt;&lt;A href="http://news.com.com/Firefox+to+get+phishing+shield/2100-1029_3-6047610.html?part=rss&amp;amp;tag=6047610&amp;amp;subj=news"&gt;&lt;STRONG&gt;&lt;FONT 
color=#0000ff&gt;http://news.com.com/Firefox+to+get+phishing+shield/2100-1029_3-6047610.html?part=rss&amp;amp;tag=6047610&amp;amp;subj=news&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;I'm trying *really* hard to behave myself, but I can't resist asking if the decision to include a phishing filter has been influenced by Internet Explorer 7 - heaven knows the Firefox fanatics accuse MS of reacting to and stealing ideas from Firefox on a boringly regular basis, therefore I reckon we deserve equal time.&lt;/P&gt;
&lt;P&gt;IE-VISTA information about the IE7 phishing filter:&lt;BR&gt;&lt;A href="http://www.ie-vista.com/phishing.html"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.ie-vista.com/phishing.html&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;My Internet Explorer Community Column about same:&lt;BR&gt;&lt;A href="http://www.microsoft.com/windows/IE/community/columns/phishing.mspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/windows/IE/community/columns/phishing.mspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The news.com.com article mentions that Opera 8 has a 'similar functionality' to IE7, described in another article as "display[ing] the underlying security certificate of each site--an icon of a yellow padlock on trustworthy sites--to help users judge reliability. The browser will also show where pop-ups come from."&lt;/P&gt;
&lt;P&gt;&lt;A href="http://news.com.com/Opera+8+aims+for+simpler+browsing/2100-1032_3-5676413.html?tag=nl"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://news.com.com/Opera+8+aims+for+simpler+browsing/2100-1032_3-5676413.html?tag=nl&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;No&lt;/STRONG&gt;.&amp;nbsp; What is being described for Opera 8 is **not** a phishing filter. Opera is simply exposing the security certificate, nothing more - IE7 does that in addition to, and separate from, the phishing filter:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.ie-vista.com/secure.html"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.ie-vista.com/secure.html&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Exposing security certificate data is not sufficient.&amp;nbsp; I, for one, remember when a certain company issued certificates to "Microsoft" erroneously.&amp;nbsp; Don't believe me?&amp;nbsp; Fire up IE.&amp;nbsp; Go to Tools, Internet Options, Content Tab.&amp;nbsp; Click on the Certificates button then examine the far right tab entitled "Untrusted Publishers".&amp;nbsp; See those two entries for "Microsoft"?&amp;nbsp; The fact that Verisign messed up big time is one very telling example of why we cannot depend on "Security Certificates" or lock icons to prove that a site is legitimate and trustworthy.&lt;/P&gt;
&lt;P&gt;All the lock icon proves is that the certificate matches the site.&amp;nbsp; It is no guarantee of honesty, integrity or security.&lt;/P&gt;
&lt;P&gt;Ok, so now to the Netscape equivalent... it uses a "list of sites that are known to be malicious and of trusted sites" that, according to the article, is updated 3 times a day.&amp;nbsp; Guess who one of the sources of 'trusted' information is... you guessed it.. Verisign.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://news.com.com/Netscape+update+takes+aim+at+phishing/2100-1032_3-5712798.html?tag=nl"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://news.com.com/Netscape+update+takes+aim+at+phishing/2100-1032_3-5712798.html?tag=nl&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The IE phishing filter does not depend on a thrice a day updated list that must be downloaded to a user's PC.&amp;nbsp; IE's filter is far more dynamic.&amp;nbsp; Only a 'white list' is stored on the user's PC.. the 'blacklist' is constantly updating and is not stored on the user's PC.&amp;nbsp; What is the benefit of this?&amp;nbsp; Well, the phishers move fast... very fast... by having a dynamic, as up to the minute as possible, constantly updating external list, users are protected faster than would otherwise be possible.&lt;/P&gt;
&lt;P&gt;What will Firefox do?&amp;nbsp; Well, the article is a little short on specifics.&lt;/P&gt;
&lt;P&gt;Antiphishing Working Group has a very interesting analysis of phishing trends, up to and including how long sites stay live before moving on:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.antiphishing.org/"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.antiphishing.org/&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Oh, and by the way, the "high assurance certificate" mentioned for Firefox?&amp;nbsp; IE7 already has that too&amp;nbsp; ;o)&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=85808" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Internet+Explorer+7/default.aspx">Internet Explorer 7</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item></channel></rss>