Security researchers warned Web surfers to be on their guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.
I didn’t even have to scroll down to see the “security myth” story that claimed Windows was no more insecure than anything else. Show me a statistic, and I can interpret it ten different ways.
On a pisitive note, the press finally refers to these criminals as *criminals*, which is what they are, instead of dragging “hacker” through the mud again. It gets so tiring having to explain to people that the idea of a “hacker” referring to a criminal who breaks into computers was invented by the media.
That was supposed to be “On a positive note…”
BTW, anyone else chuckle at the quote at the end?
———————————————
NetSec’s Houlahan advocated drastic action.
“I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now,” he said.
———————————————
LOL! Or she could just not use IE!
It was on Joel on Software forum. They have further links there as well:
http://discuss.fogcreek.com/joelonsoftware/
Pretty scary, indeed.
It’s time to ban that browser from the web, until the following conditions are met:
1) Absolutely no integration into the OS. Like Firefox & Opera.
2) Disable ActiveX completely. It’s the main entrance for these malwares to autoinstall themselves (shock, horror! How was this possible in the first place, from just viewing a webpage?).
I advise anyone to not use Internet Explorer or their respective shells such as MyIE and Avant Browser, and look at http://www.opera.com and http://www.mozilla.org for alternative browsers. Do only use IE if absolutely necessary, such as home banking with banks not currently supporting any browsers other than IE.
I am shocked at the lack of security in Internet Explorer – it should not even be remotely possible for an infection by merely viewing a webpage. This is unforgivable.
Dude, the idea of “hacker” being some purist Jedi computer person has long been dead, leave it alone.
BTW, the article mentions spamware, I think many people looking at technical solutions to spam underestimate just how many infected desktops are used to send spam. There is too much focus on designing specs to secure the valid mail servers when the spammers are just creating their own networks of unrestricted rogue relays.
Look at this IronPort link to see how many client systems match even Comcast’s MTAs!
http://www.senderbase.org/?searchString=comcast.net&searchBy=domain
AFAIK Yahoo’s spec, Microsoft’s Caller-ID, and SPF all pretty much ignore this problem.
The solution could be to simply start adding DNS records for MTAs in the same manner as mail exchangers are already listed.
Companies could have MX records for mx1.company.com and an MTA record for mta1.company.com
If I get mail from a company.com IP all I have to do is check to see if it is listed in the MTA DNS record.
A large ISP might have 5 million subscribers, but only 20 valid SMTP servers. Is it really so hard to have someone spend 15 seconds adding 20 lines to a file that everyone on the net needs to suffer for it?
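The check proposed in the comment above, as an added sketch that is not part of the original thread. The `MTA` record type is the commenter's hypothetical (it is not a real DNS record type), and the zone data, hostnames and addresses are constructed; lookups go to an in-memory table instead of live DNS.

```python
import ipaddress

# Constructed zone data. "MTA" is the hypothetical record type from the
# comment: it lists the hosts a domain allows to SEND mail, the way MX
# lists the hosts that RECEIVE it.
ZONE = {
    ("company.com", "MX"): ["mx1.company.com"],
    ("company.com", "MTA"): ["mta1.company.com", "mta2.company.com"],
    ("mx1.company.com", "A"): ["192.0.2.10"],
    ("mta1.company.com", "A"): ["192.0.2.25"],
    ("mta2.company.com", "A"): ["192.0.2.26"],
    ("mta2.company.com", "AAAA"): ["2001:db8::26"],
    # An ISP with a large subscriber pool but only two outbound relays.
    ("isp.example", "MTA"): ["smtp-out1.isp.example", "smtp-out2.isp.example"],
    ("smtp-out1.isp.example", "A"): ["198.51.100.1"],
    ("smtp-out2.isp.example", "A"): ["198.51.100.2"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def authorized_addresses(domain):
    """Resolve every host named in the domain's MTA records to its IPs."""
    addrs = set()
    for host in lookup(domain, "MTA"):
        for rtype in ("A", "AAAA"):
            for text in lookup(host, rtype):
                addrs.add(ipaddress.ip_address(text))
    return addrs


def check_sender(client_ip, mail_from):
    """Classify an SMTP connection.

    'pass' - connecting IP is one of the domain's listed MTAs
    'fail' - domain publishes a list and this IP is not on it
    'none' - domain publishes no list, so nothing can be concluded
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "fail"  # unparsable peer address: never treat as authorized
    _, sep, domain = mail_from.rpartition("@")
    if not sep or not domain:
        return "none"  # empty or malformed envelope sender
    if not lookup(domain, "MTA"):
        return "none"
    return "pass" if ip in authorized_addresses(domain) else "fail"


if __name__ == "__main__":
    # Constructed connections: (peer address, envelope sender).
    samples = [
        ("192.0.2.25", "alice@company.com"),      # listed relay
        ("192.0.2.10", "alice@company.com"),      # the MX host, not an MTA
        ("198.51.100.77", "bob@isp.example"),     # subscriber desktop, direct
        ("203.0.113.5", "carol@unlisted.example"),
    ]
    for peer, sender in samples:
        print(f"{peer:15} {sender:25} {check_sender(peer, sender)}")
```

The subscriber address inside the ISP's own range fails because only the two listed relays are authorized, which is the infected-desktop case the comment is concerned with.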
Annoying isn’t it? The internet is there for many things, and a minority once again ruin it for the rest of us. It’s about time these issues were taken more seriously, I applaud the writers of the article on bringing this to mass attention.
No, it’s not really mass attention.
What needs to happen is that news/television needs to get out what’s happening in a non-sensational way, as well as telling average users how to prevent this.
Too many Windows users think that they’re perfectly secure as long as they visit Windows Update, and need to be persuaded otherwise.
My first computer had no hard drive. The OS was loaded off a floppy and whatever program you wanted to run was loaded off another floppy. Maybe we all simply need to leave the OS off the hard drive. Load the OS and programs we want to use from CDs and strictly use the hard drive for mass file storage.
If you want to run another program, it has to be loaded from another disk or a custom disk that you create with your OS and whatever programs you want to run from it. Nothing can be added unless it were reburned to a new CD and the computer rebooted with that CD. I think maybe like those live CD distributions of Linux, only do it with Windows so a person could have whatever Windows programs they need.
I use a router/firewall computer that runs from a live CD. You boot the computer from the CD, and it reads its config files off a floppy. After it boots, you pop out the floppy so a “criminal” can’t change the config files. Whatever configuration changes you make need to be saved to the floppy and no change can take place without rebooting — no floppy, no reboot.
Why couldn’t something like that happen? It couldn’t be any worse than having to reboot Windows every time you turn around anyway.
Just a thought
“1) Absolutely no integration into the OS. Like Firefox & Opera.”
Well, the fact that IE is so integrated is why I like it so much. The fact that I can be browsing my hard drive, and then just hop onto the web I find very handy. I hope this never goes away. I do agree that IE could be more secure, but on one hand, I have never had a problem with viruses, spyware, or other infections on my computer either…
“Well, the fact that IE is so integrated is why I like it so much. The fact that I can be browsing my hard drive, and then just hop onto the web I find very handy. I hope this never goes away. I do agree that IE could be more secure, but on one hand, I have never had a problem with viruses, spyware, or other infections on my computer either…”
And this is different from Konqueror in KDE how exactly? OS integration does not mean what you think it means. It means that IE has access to a host of internal windows calls which a browser really should not have access to. It’s a fundamental design decision which cannot be easily patched or fixed. And it’s why IE is a fundamentally insecure browser, which no sensible Windows user should use, except on those few remaining sites which still require it. Even those sites which still require IE, only do so precisely because they are making use of the very features that make IE insecure!
That’s like saying “I don’t mind about other people; they can get their computer and life screwed, as long as it doesn’t affect me.”
I use mozilla flavored browsers since 99, but these IE flaws are getting too serious, even if I don’t use IE. What’s worse, is that some programs launch Internet Explorer, even if I use Firefox exclusively. I wish there was an easy way of completely removing IE.
http://www.msnbc.msn.com/id/5290386/
A bit sketchy on the details. This says that it’s a problem with Javascript. It doesn’t say anything specific about whether this problem affects only IE, or if Mozilla browsers are affected too.
Oops. my mistake on the last post. Looks like the CNet post answers my question.
“Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger.”
Don’t Use Microsoft Browser.
Has the news too:
http://www.infoworld.com/article/04/06/24/HNnewattack_1.html
Anonymous likes to browse his hard drive then hop on the web. Problem: a lot more bad guys on the web would like to hop on his PC and browse his hard drive. I don’t like that so I firewall off Windows Explorer completely and set it so it always asks when IE6 wants to use the web. That way I know something funny is going on since I only use it for Windows Update (oh, and the first thing I did after installing XP SP2 was disable the firewall. It’s still not as powerful as ZoneAlarm and I don’t understand the point since anyone who is savvy enough to download SP2 probably already has a firewall).
“I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now,” he said.
Yeah, right… downloading 4.7Mb* of easily installed and easily migrated browser is just too difficult…
*I* will continue to happily use the Internet without worrying about adware, popups and spyware, thank you.
Bye, Renato
* yes, I am referring to Firefox 0.9 for windows.
/me quickly installs Sophos AV on his Mac to protect against all those nasty viruses for Windows.
My first computer had no hard drive. The OS was loaded off a floppy and what ever program you wanted to run was loaded off another floppy.
My first computers also had no hard drive, yet there were viruses for them as well, some rather malicious ones in fact. Even if we run the OS from read-only CD, it needs some sort of storage space for malleable data (virtual memory management for example), or the registry (snort — chuckle) in Windows, and if the security isn’t very good, it will be easy to sneak a virus onto the computer.
If you want to run another program, it has to be loaded from another disk or a custom disk that you create with your OS and what ever programs you want to run from it. Nothing can be added unless it were reburned to a new CD and the computer rebooted with that CD.
Once the virus has infected your computer, it’s a simple matter to attach itself to those files. Now you’ve got a virus on CD, and you think you’re safe, but you’re not.
As I recall, that’s how the original viruses worked: attaching themselves to files that circulated on floppy disks as well as bulletin board systems.
The solution is easy “firewall”. Unfortunately not many users are aware. I use IE 100% and have never had any problems but in the background I have a full time firewall running. I don’t even use an AV as I know exactly what I am doing.
Just for the record, MYIE2 now can use the Gecko rendering engine. Just like it uses the IE one. Although some features are not available with Gecko, still MYIE2 does a good job when combined with Gecko. I’d say better than Firefox in responsiveness, speed and features. (personal opinion)
Yeah, the first viruses worked like this:
They were often found on BBS systems, probably at the local warez HQ. When run off the disk, like a cractro or whatever, it would go into a mode called TSR (Terminate, stay resident). Which means it was still alive in memory; whenever you inserted a new floppy it would detect that, and infect any executable file on the floppy. Some very vicious ones were out that time. It’s funny it’s still possible to create a TSR for Windows that is completely hidden from the system (some even go into ring0). Windows/DOS – doesn’t really matter, it’s still as insecure as it was yesteryear. The threat is not new, even my Amiga got viruses. Actually I remember one quite well, it had a ringing sound and an ambulance – not harmful I think, hehe.
Would a firewall stop this? It appears that it infects servers running IIS, and I’d imagine they would be running a firewall.
If your IE initiates the connection with the server, would a firewall not assume the traffic is legitimate?
Yes it would. And he would be infected regardless; however, the malware would likely not be able to “phone home” without him knowing, except if it used IE itself. It’s an outrage that Microsoft abandoned IE development after XP shipped; this means that the browser millions of people depend on did not get an overhaul in features, security and design for so many years. It’s practically half a decade! Remember how fast the internet paved its way into our computers? The equivalent of that time is the equivalent of time Microsoft abandoned IE, and left it to rot on the battlefield of the browser war. Good to see innovation lives on in Opera and the Mozilla Foundation.
Cross-Domain Redirect Vulnerability in Internet Explorer
http://www.us-cert.gov/cas/techalerts/TA04-163A.html
II. Impact
‘By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.’
Question – If the user is not running as admin, but as a user with no privileges to install software, wouldn’t the user be safe from this kind of attack?
Yup, I’ve seen this coming. It was only a matter of time. With MSIE containing so many, _known_, _unfixed_ vulnerabilities it was only a matter of time till someone took advantage of this one which I’ve also theoretically described — even on this site.
How about you learn how to use the fucking computer yourself? I’ve been using Windows since 2.0 and have gone through 3.1 and Windows 95 before switching tracks to NT 4, 2000 and now XP. I haven’t gotten a virus on my computer since using Windows 95 and the only reason I got those was by using the computer labs on campus (had to for my animation, digital imaging, and midi classes) and using zips and floppies to transfer data back and forth.
How do I keep my system free from these problems? I run MBSA every now and then, I have Windows download and notify me when updates are ready, I check Windows Update about twice a month as well, I use Norton AntiVirus to scan my system once a week and have LiveUpdate check for and install new updates every day, I have an MN700 Firewall/Router and I use the Windows Firewall as a back-up and notification utility, and lastly I set IE security properly so as to avoid these problems altogether (goes for Outlook as well).
I am by no means a computer geek, I am simply a graphic designer who relies on my PC to work on a daily basis and so far it has flawlessly. If you don’t want to take the time to learn how to use Windows, fine, but don’t tell the world that Windows sucks when you simply have no clue what you are talking about. I spend maybe an hour a month on all of this because most of it checks my system in the background without my involvement. If you can’t be bothered to spend an hour a month on securing your system then nothing, and I do mean nothing, is going to stop you from getting viruses, trojans, and spyware. And yes, I use Outlook, IE and Windows XP exclusively.
Keep telling yourself “it can’t happen to me, it can’t happen to me…”
Besides Opera will let you browse your drive if you “MUST”.
“and lastly I set IE security properly so as to avoid these problems altogether (goes for Outlook as well)”
Whoops! Doesn’t exclude all vulnerabilities. If you were aware of the current vulnerabilities a bit more, you’d not choose at least MSIE (can’t speak much regarding Outlook because I don’t know several details).
‘Nothing can be added unless it were reburned to a new CD and the computer rebooted with that CD. I think maybe like those live CD distributions of Linux, only do it with Windows so a person could have what ever Windows programs they need.‘
I’ve been thinking about this sort of thing recently as a possible security measure against viruses. It seems to me it could be possible to have some sort of a high-speed device (hard-drive or compact-flash or something) that was large enough to carry your basic OS- and put a read-only hardware switch on it (like the old 3.5″ floppies). So, basically, you set up your OS the way you want it, flip the hardware switch, and then nothing can alter it. (by ‘hardware switch’, I just mean something that a virus couldn’t switch itself)
You then have a high capacity hard-drive for data storage. The general idea being that you can have something with the security benefits of a live-cd, but with greater speed, and the ability to change settings, but with direct user intervention. You could already do something like this with linux- namely, have your root device mounted read-only and “/home” directory read-write, but one of the problems with windows is that it CONSTANTLY wants to be able to write to system files. I don’t even know why, but try making everything but your profile read-only, and Windows won’t run.
A couple of points to think about.
A firewall will not stop an IE exploit. It can’t. It would have to block IE completely or be aware of each and every exploit at the firewall level.
If you are going to insist on running something as inherently insecure as Windows you can get rid of IE. Go to http://www.litepc.com. Depending on which version of Windows you have, either download, or buy the appropriate version for your Windows and follow the simple install to get rid of IE. Microsoft lied about it being inseparable.
I use Linux almost exclusively. I do have one drive, 1 2gb, with WinXP on it. I am using the XPLite product from LitePC and do not have IE on it at all. I run Mozilla and Opera on it. Since I only use it for a PPTP connect to my work network I have no other use for Windows.
Those who think they can continue to use something as insecure as IE because they have taken precautions should take up Russian Roulette. It’s safer.
Thanks again Bill !!!!
Boy, that’s a pretty hostile tone. I think there are a couple of issues you’re neglecting. First, look at the amount of extra effort and extra software you have had to install, by your own admission, to make browsing with IE safe. Granted, a computer user should be aware of the dangers of connecting to a WAN, but it is also partially the responsibility of the software company to produce software that is secure as possible.
Second, while your system may be safe, the hundreds of millions (literally) of IE users who haven’t taken the steps you have are infected. This isn’t hyperbole, this is fact. You may not really care what happens to other users, except that we’re all connected to the biggest WAN there is (the internet), and that means we all share traffic. Even if your system is as tight as a drum, there are hundreds of millions of systems on your WAN belching out viri, malware, and spam. This creates network congestion; it creates an unsafe browsing environment where letting your guard down for a moment means almost certain infection.
So, if you plan on using the internet, you have to care, to some degree, about the other users out there. It is similar to driving. I am a very safe driver; however, I still have to care about the other drivers out there, because if enough other drivers are bad, the roads become unusable.
In the future, try not to make the tone of your post so aggressive. This isn’t a personal attack, this is a discussion forum.
<Disclaimer> This is a joke </Disclaimer>
Warning: The M$ Butterfly Guy has warned that using Linux may be slow, insecure, and dangerous to your computer health. Constant updating and patching are required to protect your system’s integrated browser from the evil and communistic Penguins.
<Back to reality>
It’s nice to know I will have more work on Monday when I get back to the machines I am responsible for. M$ is job security in this regard. Patch, Upgrade, Rebuild, Patch, Upgrade, Rebuild… n .
“I didn’t even have to scroll down to see the “security myth” story that claimed Windows was no more insecure than anything else. Show me a statistic, and I can interpret it ten different ways.”
This has nothing to do with Windows security. If you use Netscape, Mozilla, Opera or FireFox you are fine; if this was an attack against Windows it wouldn’t matter what browser you used. IE and IIS are the targets, either way Microsoft should have some fixes out here very soon.
I don’t see Windows as either more secure or less secure than Linux and this doesn’t change my views either way.
XPLite looks neat. Kinda sucks though that on top of the fact that I have paid $300 for XP pro, now I have to pay another $40 to make it run like I want it to.
THAT SUCKS!
Well I am not sitting here worried about getting infected by some crazy website.
I am still waiting to hear about Linux machines getting spyware. Or for that matter Windows machines running another browser other than IE.
I am sorry but M$ had tons of money and yet Windows is still compared to Linux (Which is being developed by small companies and for free), Free BSD and the Mac OS. All the people and groups combined don’t have 1/10th the money M$ does yet Windows is no better!
Sad!
“I don’t see Windows as either more secure or less secure than Linux and this doesn’t change my views either way.”
The way I see it is that if some of a company’s products are consistently flawed with regard to security, you should be suspicious of all their products.
If the only way to make Microsoft operating systems secure is by avoiding running their applications on it, it does call their competence into question.
Also, as it’s virtually impossible to remove mshtml from a Windows installation and still have all your software function correctly, it’s debatable that it should be considered an application at all.
…Windows is more secure than Mac OS X for techworld
“First, look at the amount of extra effort and extra software you have had to install, by your own admission, to make browsing with IE safe.”
I installed an AV app, MBSA, a firewall, and a hardware firewall/router. ANY Windows installation should have an AV app running. Norton 2003 does a pretty good job of stopping malicious scripts, spyware, and viruses amongst other things that cause harm to your system.
Windows ships with a software firewall and while it’s not perfect, it’s a step in the right direction and XPSP2 will improve the firewall greatly, making it a good choice for software firewalls. This wasn’t an extra purchase, it was simply a small, proactive step to turn it on in the control panel. XPSP2 is going to add a tray icon you can click to get even easier access to the security settings of your system.
More and more people are going to 24/7 DSL and Cable broadband connections and having a hardware firewall is not a bad idea. They’re dead easy to set up unless you’re planning on running a server and even then they’re not difficult to deal with. With more of these people connecting multiple computers in their household to the net these firewall/routers are becoming a requirement, especially if you’re using a wireless network. My MN700 is an 802.11g plus four port 10/100 cat5 plus a firewall (and it runs Windows CE) and it’s been no trouble at all.
MBSA is the only app I had to really track down and install of my own interest in security. I wish Windows shipped with it installed by default and added a link in the new Security panel. That being said, if you do install this app it’s easy to use and will point out areas of security that are lacking on your system, including missing hot fixes and poor security practices such as IE settings being too insecure or accounts not being disabled. MBSA also lists suggestions for ways to correct these problems.
If every Windows user ran an AV utility, set their IE security settings properly, and turned on at least the Windows firewall included with their OS then most of these problems would not spread as fast or as far as they do. What’s really sad is many of these stories are about corporations whose IT staff doesn’t have the presence of mind to run these apps and install this hardware.
“ANY Windows installation should have an AV app running.”
That is why you are a graphics designer. I’ve never had a virus also and I think most AV progies are worse than some of the viruses you might get not having one. They are huge and run like 4 or 5 tasks on startup.
98 didn’t need a 3rd party firewall if you were running just TCP/IP without netBIOS etc.
The XP firewall blocks every remote attack that has been out since its release, and if you update those are not a problem anyway.
My desktop computer is Linux but my workstation is not vulnerable because it is running SP2.
Besides, just because you are on Windows does not mean you are forced to use Outlook and IE. Use Firefox and Pocomail.
If you want an AV application but don’t want it taking up CPU, check out http://free-av.com and run it when you need to check.
This has nothing to do with Windows security. If you use Netscape, Mozilla, Opera or FireFox you are fine; if this was an attack against Windows it wouldn’t matter what browser you used.
It has everything to do with MS-Windows security, MSIE is part of MS-Windows. If MSIE could be removed from MS-Windows without third-party software, it would be different matter.
Personally I don’t care whether it is an MS-Windows issue or an MSIE issue, just so long as the mainstream media don’t refer to it as problem affecting all computers.
IE and IIS are the targets, either way Microsoft should have some fixes out here very soon.
Unless I’m mistaken, these vulnerabilities have been known for a month. It’s taking them quite a long time already, given the severity of the bug.
I don’t see Windows as either more secure or less secure than Linux and this doesn’t change my views either way.
Of course not. Nothing would. Not the fact that the integrated browser can somehow give control of your machine to hackers, or that a file can be executable simply through its file extension, etc.
Carry on, true believer!
ANY Windows installation should have an AV app running.
I have a problem with paying for a product and a yearly subscription because of insecurities in a badly-designed product. I would not be THAT surprised if antivirus companies were hiring virus writers.
The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed.
Windows boxes are incredibly easy to compromise and a virus can use it to flood the network with more attacks on other machines to compromise them. No one physically needs to break into anything – that’s the point.
Of course Windows viruses spread over networks and through compromised web sites. Where the hell have these people been?
“We won’t list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched,” the group stated on its Web site.
Patching isn’t going to save you, and you don’t presume anything with these things. Many companies treat their web sites and their e-commerce departments like dirt and as necessary evils, farm them out to incompetent companies and generally have little to do with them.
“I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now,” he said.
You could tell your clients to get the hell away from IIS as fast as possible and tell your wife to use another browser, or preferably OS.
Simply Remove Internet Explorer from your computer. I installed 98lite and my computer is faster, and more stable. I use Opera, and get no viruses, or adware.
“A firewall will not stop an IE exploit. It can’t.”
A layer-7 packet filter is able to do such.
This article suggests that users “could download an alternate browser, such as Mozilla or Opera” as one of the few options available, implying that these browsers are a weak alternative. They’re not. They almost always provide a better experience than IE, except for the odd site that relies on IE’s lack of following the w3 standards.
Replacing your browser should be the first thing you do with Windows, rather than some last resort.
“Replacing your browser should be the first thing you do with Windows, rather than some last resort.”
One huge advantage that IE has over Mozilla (and probably Opera too, but I haven’t used it enough to say) is the ease with which plugins can be installed. With Mozilla, it can be a pain in the ass for novice users to get this stuff up and running. (I still haven’t found a way to get videos on Launch.com to play in Mozilla.) Heck, I usually end up setting this up for close friends and family. Another thing that pisses me off in particular about Firefox is they keep breaking themes/extensions from release to release, pretty much ensuring that I can’t just send people an email and say “Ok, download this setup file and run it.”
“One huge advantage that IE has over Mozilla (and probably Opera too, but I haven’t used it enough to say) is the ease with which plugins can be installed. With Mozilla, it can be a pain in the ass for novice users to get this stuff up and running. (I still haven’t found a way to get videos on Launch.com to play in Mozilla.) Heck, I usually end up setting this up for close friends and family. Another thing that pisses me off in particular about Firefox is they keep breaking themes/extensions from release to release, pretty much ensuring that I can’t just send people an email and say “Ok, download this setup file and run it.””
I’ve never had that problem with other browsers. Using an alternative browser on Windows, it installed Flash right from the start. It detected Java and added the appropriate plugin; as well, it did this for any media player apps that are installed in the system.
In Linux all I have to do is put a symlink in the plugin directory for Java and again Flash installs automatically. For the other plugins, CrossOver Office handles and also automatically integrates anything that you might need.
If a plugin is not available then usually the browser would point you to a plugin page where the plugin that is needed can be downloaded. What’s so hard about that?