Security Corner:

Firefox

Sep 20 2009   9:54PM GMT

Google Safe Browsing Diagnostic Page



Posted by: Ken Harthun
Browsers, Firefox, Security, Malware, Phishing, Security management, Security tools

Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:

“http://google.com/safebrowsing/diagnostic?site=[URL of site you want to check]” (Leave off the http://).

For example, this URL produced the report shown in the screen shot:

http://google.com/safebrowsing/diagnostic?site=itknowledgeexchange.techtarget.com

Try it out for yourself on your favorite sites. You might be surprised at what you find out.
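A small helper for building that diagnostic URL from whatever is in hand (a bare hostname, a full URL, a URL with credentials or a port). This is an added example, not part of the original post or a Google tool; reducing the input to its hostname follows the post's own example and is an assumption about what the `site=` parameter expects, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit, quote

# URL form given in the post; the site goes after "site=" without "http://".
DIAGNOSTIC = "http://google.com/safebrowsing/diagnostic?site="


def site_argument(raw):
    """Reduce pasted input to a lowercase hostname with no scheme,
    credentials, port, path, query or fragment."""
    text = raw.strip()
    # Refuse empty input and anything with embedded whitespace or control bytes.
    if not text or any(ch.isspace() or ord(ch) < 0x20 for ch in text):
        raise ValueError(f"not a usable site: {raw!r}")
    # urlsplit only recognises the host part when a scheme or '//' is present.
    if "://" not in text:
        text = "//" + text
    host = urlsplit(text).hostname  # drops user:pass@, :port and the rest
    if not host:
        raise ValueError(f"no hostname in: {raw!r}")
    host = host.rstrip(".")
    try:
        # Internationalised names are sent in their ASCII (punycode) form.
        host = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname: {host!r}") from exc
    return host


def diagnostic_url(raw):
    """Full diagnostic-page URL for the site named in `raw`."""
    return DIAGNOSTIC + quote(site_argument(raw), safe="")


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("itknowledgeexchange.techtarget.com",
                   "HTTPS://user:pw@Example.COM:8443/a?b#c",
                   "bücher.example."):
        print(diagnostic_url(sample))
```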

(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)


Sep 19 2009   3:05PM GMT

Malvertising an Ever-expanding Threat



Posted by: Ken Harthun
Anti-malware, Cybercrime, Fraud, Microsoft Windows, Firefox, Security, Malware, Scareware, Scam, Secure Computing

As if we don’t already have enough to deal with, it seems that malvertising (a technique where malicious code is placed in an online ad to either mislead the user or infect their computer) is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice of a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malvertisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)



Aug 24 2009   2:18AM GMT

I Use LastPass



Posted by: Ken Harthun
Browsers, Firefox, Internet Explorer, Security, Password, Security management, password manager

OMG! I just opened that box that Pandora gave me. I have often said that I don’t like password managers because I don’t consider them secure. That goes double for the password managers built into the browsers. I don’t like anything to reside directly on my system, so that leaves a remote location. These days, “remote location” equates to “The Cloud.”

That’s why I use LastPass and have been using it for more than a year now. All of my passwords are stored online, encrypted, and I only have to remember one master password to unlock the vault. I don’t have to carry anything with me on a thumb drive or install any programs on someone else’s computer in order to access my stuff when I’m not using my own PC.

Don’t take my word for it, check out this list of features. And then decide for yourself.

Oh, by the way, you can generate very secure passwords with LastPass and you don’t have to worry about remembering them, because LastPass will do it for you. Firefox and IE add-ons make things even easier. When you come to a new site you need to set up an account with, LastPass offers to generate a password for you. Then, when you log in, LastPass offers to save all information for the site. If you do that and then come back to the site later, LastPass will give you the option to either auto-fill the information or perform an auto login.

Highly recommended if you don’t want to do your own password management. You can still use all of the methods I’ve proposed for generating secure passwords, but you’ll never have to worry about remembering them.  Use my methods to generate the most secure password you can for your LastPass master password and encode it so you can write it down securely, but use LastPass for all your password management needs.


May 31 2009   6:56PM GMT

Search for Screensavers at Your Own Risk



Posted by: Ken Harthun
Microsoft Windows, Browsers, Firefox, Internet Explorer, Security, Malware, Microsoft, Opinion, Secure Computing

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,” that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on ZDNet.com.

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, makes for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.


Mar 27 2009   5:32PM GMT

NoScript Blocks Latest Firefox Bug



Posted by: Ken Harthun
Security, Browsers, Secure Computing, Security management, Firefox, NoScript, Scripting, Exploits, Vulnerabilities

Got NoScript? If not, get it–the latest Firefox bug, an XML tag remote memory corruption vulnerability released on Wednesday, is mitigated by having the NoScript addon installed.

The bug can be exploited by a malicious website and can cause the browser to execute malware with no user intervention. All 3.0.x versions of Firefox running on Windows, Mac, and Linux operating systems are vulnerable. According to the Mozilla Wiki, the patched version, Firefox 3.0.8, “…is a high-priority firedrill security update to Firefox 3.0.x” and will be rolled out April 1.

The 3.0.8 release also fixes the Pwn2Own bug discovered at CanSecWest 2009, an issue that NoScript also mitigates.

I’ve said it before (see “Software for Secure Computing: Firefox & NoScript”); now’s a good time to say it again: install NoScript, and enjoy secure computing.

SecurityFocus bulletin: http://www.securityfocus.com/bid/34235/info.
The Register article: http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/.
Mozilla Security Blog post: http://tinyurl.com/mozillasecurityblog


Mar 6 2009   1:35AM GMT

Firefox 3.0.7 Released, Addresses Multiple Vulnerabilities



Posted by: Ken Harthun
Critical update, Denial of Service, Exploits, insecure, Firefox, Vulnerabilities, Security

Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.

The following Security Advisories are addressed in Firefox 3.0.7:

  • Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
  • Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
  • Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
  • Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
  • Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”

Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.
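Advisory 2009-11 above describes a location bar that showed fewer characters than the URL actually contained. The following is an added example (not Mozilla's fix and not code from the original post) of a check for that condition before a URL is displayed or logged; treating "invisible" as Unicode general categories Cc and Cf is an assumption, since the advisory text quoted here does not name the characters, and the URLs in the test data are constructed.

```python
import unicodedata
from urllib.parse import unquote

# Assumption: "invisible" means Unicode general categories Cc (control) and
# Cf (format: zero-width characters, soft hyphen, bidi controls, BOM).
INVISIBLE = {"Cc", "Cf"}


def invisible_chars(url):
    """List (index, code point, name) of invisible characters in the URL as a
    decoding location bar would render it, i.e. after %-escapes are undone."""
    decoded = unquote(url)
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<control>"))
        for i, ch in enumerate(decoded)
        if unicodedata.category(ch) in INVISIBLE
    ]


def display_form(url):
    """Text that is safe to show to a user.

    A clean URL is shown decoded for readability. If anything invisible is
    present, %-escapes are left untouched and raw invisible characters are
    escaped, so every character of the real location stays visible."""
    if not invisible_chars(url):
        return unquote(url)
    return "".join(
        "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
        if unicodedata.category(ch) in INVISIBLE else ch
        for ch in url
    )


if __name__ == "__main__":
    # Constructed samples: one clean, one with escaped invisibles, one raw.
    for sample in ("http://www.example.com/caf%C3%A9",
                   "http://www.example.com/%E2%80%8Baccount%C2%AD",
                   "http://www.example.com/a\u200bb"):
        print(display_form(sample), invisible_chars(sample))
```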


Feb 14 2009   3:54PM GMT

There is no "Super Secure" Browser



Posted by: Ken Harthun
Microsoft Windows, Browsers, Firefox, Internet Explorer, Opera, Malware, Vulnerabilities, Secure Computing, Zero-day vulnerability

Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.

Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.

Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]

You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”


Dec 21 2008   11:19PM GMT

No More Security Updates for Firefox 2



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Vulnerabilities, Phishing, Firefox, Opinion, Anti-malware

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
[Screen shot: Attack Site Blocked]

So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!


Dec 12 2008   9:44PM GMT

Internet Explorer Targeted by Zero-day Attack



Posted by: Ken Harthun
Security, Internet Explorer, Vulnerabilities, Malware, Firefox, Opinion, Remote Code Execution, Critical update, Security bulletin, Zero-day exploit, Zero-day vulnerability

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

“The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products immediately perform an update. Furthermore, Symantec recommends blocking the following hosts, which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

• Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.


Oct 30 2008   3:13PM GMT

Clickjacking Attacks Are Occurring in the Wild



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Malware, Firefox, Clickjacking

Less than a month after the clickjacking exploit came to light, sporadic reports of users falling victim to the attack are beginning to surface. Dennis O’Reilly’s column in Windows Secrets Newsletter, Issue 172, contains this report from a reader:

Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.

When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.

Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he received a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.